Notes and Thoughts on Strace for Windows

July 28, 2019
Windows Internals DevOps Troubleshooting

strace and its cousin ltrace are well-known and invaluable diagnostic and debugging tools for Linux. Here are articles explaining how they work: How does strace work?, How does ltrace work?. But what about Windows?

There are tools for Windows that provide functionality similar to strace/ltrace on Linux. Of all the tools listed below, drstrace, Nektra SpyStudio and Rohitab API Monitor are the most reliable and useful.

Strace for Windows from Dr. Memory

drstrace works by using the Dr. Syscall System Call Monitoring Extension.

Pros:

Home page: System Call Tracer (“strace”) for Windows

Nektra SpyStudio

Pros

Cons

Home page: SpyStudio API Monitor

Windows API Monitor from rohitab

Pros

Cons

Home page: API Monitor

StraceNT from IntellectualHeaven

StraceNT works by using Import Address Table (IAT) patching. The implementation is explained in this article along with other system call hooking techniques.
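To make the "IAT patching" mechanism concrete, here is an added example (not code from this post or from StraceNT) that shows the data structure such a tracer patches. It builds a constructed minimal PE32 image in memory, walks its import directory the way a loader does, and reports for every imported function the RVA of the IAT slot whose pointer a hooking tool overwrites at run time (image base plus slot RVA). The same walk is what a defender's integrity check needs in order to compare each live IAT slot against the address the exporting module really provides. All names in the sample image (KERNEL32.dll, USER32.dll, CreateFileW, WriteFile, MessageBoxW) are constructed sample data, and the image is not a loadable executable.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import directory in the data directory


def build_sample_pe():
    """Constructed sample: a minimal PE32 image with one '.idata' section that
    holds an import table naming two DLLs and three functions."""
    sec_rva, sec_raw = 0x1000, 0x200
    imports = {b"KERNEL32.dll": [b"CreateFileW", b"WriteFile"],
               b"USER32.dll": [b"MessageBoxW"]}
    data = bytearray(20 * (len(imports) + 1))       # descriptors + null terminator
    descs = []
    for dll, funcs in imports.items():
        while len(data) % 4:                         # keep thunk tables 4-byte aligned
            data += b"\0"
        ilt_off = len(data); data += b"\0" * (4 * (len(funcs) + 1))   # import lookup table
        iat_off = len(data); data += b"\0" * (4 * (len(funcs) + 1))   # IAT, patched at run time
        name_rvas = []
        for fn in funcs:
            name_rvas.append(sec_rva + len(data))
            data += struct.pack("<H", 0) + fn + b"\0"    # IMAGE_IMPORT_BY_NAME: hint + name
            if len(data) % 2:
                data += b"\0"
        dll_rva = sec_rva + len(data)
        data += dll + b"\0"
        for i, rva in enumerate(name_rvas):          # on disk both tables point at the names
            struct.pack_into("<I", data, ilt_off + 4 * i, rva)
            struct.pack_into("<I", data, iat_off + 4 * i, rva)
        descs.append((sec_rva + ilt_off, dll_rva, sec_rva + iat_off))
    for i, (ilt, name, iat) in enumerate(descs):     # IMAGE_IMPORT_DESCRIPTOR entries
        struct.pack_into("<IIIII", data, 20 * i, ilt, 0, 0, name, iat)

    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     sec_rva, 20 * (len(imports) + 1))
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(data), sec_rva, len(data),
                       sec_raw, 0, 0, 0, 0, 0xC0000040)
    image = dos + b"PE\0\0" + coff + opt + sect
    return bytes(image + b"\0" * (sec_raw - len(image)) + data)


def parse_imports(image):
    """Walk the import directory of a PE32 or PE32+ image and return
    {dll_name: [(iat_slot_rva, function_name), ...]}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                               # PE32: 32-bit thunks
        dd_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                             # PE32+: 64-bit thunks
        dd_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    thunk_size = struct.calcsize(thunk_fmt)
    import_rva = struct.unpack_from("<I", image, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]

    sections = []
    for i in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva):                                # RVA -> file offset via section table
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x not in any section" % rva)

    def cstr(off):
        return image[off:image.index(b"\0", off)].decode("ascii")

    result = {}
    if import_rva == 0:
        return result
    desc = rva2off(import_rva)
    while True:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0 and iat_rva == 0:           # all-zero descriptor terminates the list
            break
        entries = []
        # Read names from the lookup table when present; a bound IAT may already hold addresses.
        table = rva2off(ilt_rva or iat_rva)
        idx = 0
        while True:
            value = struct.unpack_from(thunk_fmt, image, table + idx * thunk_size)[0]
            if value == 0:
                break
            if value & ord_flag:
                fn = "#%d" % (value & 0xFFFF)        # import by ordinal
            else:
                fn = cstr(rva2off(value) + 2)        # skip the 2-byte hint
            entries.append((iat_rva + idx * thunk_size, fn))   # the slot a hook overwrites
            idx += 1
        result[cstr(rva2off(name_rva))] = entries
        desc += 20
    return result


def find_iat_slot(image, dll, func):
    """RVA of the IAT slot for dll!func, i.e. the pointer a tracer patches and an
    integrity check must compare against the DLL's real export address."""
    for slot_rva, fn in parse_imports(image).get(dll, []):
        if fn == func:
            return slot_rva
    return None


if __name__ == "__main__":
    img = build_sample_pe()
    for dll, entries in parse_imports(img).items():
        for slot_rva, fn in entries:
            print("%-13s %-12s IAT slot at image_base+%#x" % (dll, fn, slot_rva))
```

A hooking tracer like the one described above resolves image base plus each slot RVA in the target process and swaps the stored pointer for its own stub; the original pointer is saved so the stub can forward the call after logging it. Because the patch lives only in process memory, an inspection of the on-disk file shows nothing, which is why defensive tooling compares the live IAT contents against the export addresses of the loaded DLLs rather than the file.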

Pros

Cons

Home page: StraceNT - A System Call Tracer for Windows

NtTrace

NtTrace can be used to execute a program or to attach to an existing process by PID or, using the -a option, by name. It works by using the Windows debug interface to place breakpoints in NtDll.

Pros

Cons

Home page: NtTrace - Native API tracing for Windows

Legacy projects

These do not work on new Windows versions.

API Monitor

Displays Win32 API calls made by applications.

Cons

Home page: Win32 API Monitor

strace from BindView

Can be found on the archive.org web site. It uses the system call hooking technique described by Undocumented Windows NT. Source code is provided under the terms of BindView’s Open Source license.

Monitoring new process creation

June 15, 2019
DevOps Linux Windows

Install Ca Certificate for Docker Registry on Local Boot2docker Vm

May 23, 2018
Docker DevOps Boot2Docker CA

Publishing a port from a running Docker container

April 8, 2018
Docker Linux DevOps