Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


Behavioral Change to SetUnhandledExceptionFilter

One way in which Microsoft could solve this issue would be to change the behavior of kernel32!SetUnhandledExceptionFilter in a manner that allows it to support true registration and deregistration operations rather than implicit ones. This can be accomplished by making it possible for the function to determine whether a register operation is occurring or whether a deregister operation is occurring.

Under this model, when a registration operation occurs, kernel32!SetUnhandledExceptionFilter can return a dynamically generated context that merely calls the routine that is previous to the one that was registered. The fact that the context is dynamically generated makes it possible for the function to distinguish between registrations and deregistrations. When the function is called with a dynamically generated context, it can assume that a deregistration operation is occurring. Otherwise, it must assume that a registration operation is occurring.

To ensure that the underlying list of registered UEFs is not corrupted, kernel32!SetUnhandledExceptionFilter can be modified to ensure that when a deregistration operation occurs, any dynamically generated contexts that reference the routine being deregistered can be updated to call to the next-previous routine, if any, or simply return if there is no longer a previous routine.
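
A minimal user-mode simulation of the model described above, as an added example that is not code from the original article or from Microsoft. The names `set_filter` and `top_filter`, the fixed pool of `ctx` stubs standing in for dynamically generated contexts, the simplified filter signature and the sample filters are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef long (*uef_t)(void);  /* simplified: the real filter takes an EXCEPTION_POINTERS* */
#define NSLOT 4
static struct { uef_t owner, prev; int live; } slot[NSLOT];
static uef_t top;             /* current top-level filter */

/* Shared body of every context: call the routine previous to the owner, if any. */
static long call_prev(int i) { return (slot[i].live && slot[i].prev) ? slot[i].prev() : 0; }
/* Fixed pool of stubs standing in for dynamically generated code (assumption). */
static long ctx0(void) { return call_prev(0); }
static long ctx1(void) { return call_prev(1); }
static long ctx2(void) { return call_prev(2); }
static long ctx3(void) { return call_prev(3); }
static const uef_t ctx[NSLOT] = { ctx0, ctx1, ctx2, ctx3 };

/* Hypothetical stand-in for SetUnhandledExceptionFilter under the proposed model. */
uef_t set_filter(uef_t f) {
    int i, j;
    for (i = 0; i < NSLOT; i++) {
        if (f != ctx[i]) continue;
        /* Argument is a generated context, so this is a deregistration. */
        if (!slot[i].live) return NULL;               /* stale handle: ignore */
        for (j = 0; j < NSLOT; j++)                   /* retarget contexts that call the owner */
            if (slot[j].live && slot[j].prev == slot[i].owner) slot[j].prev = slot[i].prev;
        if (top == slot[i].owner) top = slot[i].prev;
        slot[i].live = 0;
        return NULL;
    }
    for (i = 0; i < NSLOT; i++) {                     /* otherwise: a registration */
        if (slot[i].live) continue;
        slot[i].owner = f; slot[i].prev = top; slot[i].live = 1;
        top = f;
        return ctx[i];
    }
    return NULL;                                      /* pool exhausted */
}
uef_t top_filter(void) { return top; }

long filter_a(void) { return 0xA; }                   /* constructed sample filters */
long filter_b(void) { return 0xB; }

int main(void) {
    uef_t ha = set_filter(filter_a), hb = set_filter(filter_b);
    set_filter(ha);                                   /* A deregisters out of order */
    printf("B chains to %ld, top is B: %d\n", hb(), top_filter() == filter_b);
    set_filter(hb);
    return top_filter() != NULL;                      /* 0: nothing dangling is left */
}
```

After the out-of-order deregistration of `filter_a`, the context held by `filter_b` simply returns instead of calling a routine that is no longer registered, and the top-level filter never reverts to `filter_a`.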