Demystifying first-chance exceptions (Part 1)

There is a bit of confusion around the division of exceptions between the first- and second-chance. For example, I am often asked whether saving crash dumps on first-chance exceptions should be disabled or enabled. So I decided to clarify this issue.

First, let me say that the concept of first-chance exceptions is purely a debugger-related. There is only one exception that happens when we access an invalid address, for example. However, that exception may be handled or may not be handled by exception handlers. Or it might be handled in peculiar way and terminate the thread that caused the exception, for example. And if it was not handled then an unhandled exception filter might be called. The default one might launch a postmortem debugger (or any process that can read process memory) to save a postmortem memory dump. Any thread can replace the default filter with a custom exception filter that might also do peculiar things and quietly terminate or exit. Even the properly configured postmortem debugger can fail to save a dump file. Therefore we have this question: how can we catch the exception and examine the process state as earlier as possible, before the execution flow goes through the exception handling mechanism?

Here we have the concept of the first chance exception dispatched to the attached user-mode debugger. if it wasn’t handled we have the same exception but called the second chance that is dispatched to the same debugger again. We see that it has nothing to do with the postmortem debugger although the attached live debugger can save crash dump files too, which what ADPlus does, for example.

- Dmitry Vostokov @ DumpAnalysis.org -

5 Responses to “Demystifying first-chance exceptions (Part 1)”

  1. alien rancher Says:

    who gets it first, the vectored exception handler or the debugger?

  2. Nick Says:

    Keep in mind that when monitoring services such as the Print Spooler, a lot of first chance exceptions (that end up being handled) may be thrown and if a debugger is busy dumping the process for each first chance exception performance will be impacted.

  3. Dmitry Vostokov Says:

    Debugger gets it first then vectored exception handler. Please refer to:

    http://msdn.microsoft.com/en-us/library/ms681420.aspx

  4. Software Generalist » Blog Archive » Reading Notebook: 11-August-09 Says:

    […] First and second chance exception handling (p. 117) - some time ago I was interested in this mystery and wrote this post: http://www.dumpanalysis.org/blog/index.php/2008/05/22/demystifying-first-chance-exceptions-part-1/ […]

  5. Crash Dump Analysis » Blog Archive » Demystifying first-chance exceptions (Part 2) Says:

    […] we are not interested in first-chance exceptions as in the previous part but are interested in only second-chance exceptions to be sure that they were not handled as a […]

Leave a Reply

You must be logged in to post a comment.