The Client Server Run-Time Subsystem (CSRSS) is the user-mode process that controls the underlying layer for the Windows environment. There are a number of problems that make it necessary to debug CSRSS itself.
Debugging CSRSS is also useful when the Windows subsystem terminates unexpectedly with a Bug Check 0xC000021A (WINLOGON_FATAL_ERROR). In this case, debugging CSRSS will catch the failure before it gets to an "unexpected" point.
Controlling NTSD from the Kernel Debugger
The easiest way to debug CSRSS is to use NTSD and control it from the kernel debugger.
Enabling CSRSS Debugging
CSRSS debugging must be enabled before you can proceed. If the target computer is running a free build of Windows, you will have to enable CSRSS debugging through the Global Flags Utility (GFlags).
To do this, start the GFlags utility, select the System Registry radio button, and select Enable debugging of Win32 subsystem.
Alternatively, you can use the following GFlags command line:
gflags /r +20000
Or, if you prefer, you can edit the registry key manually instead of using GFlags. Open the following registry key:
Edit the GlobalFlag value entry (of type REG_DWORD) and set the bit 0x00020000.
After using GFlags or manually editing the registry, you must reboot for the changes to take effect.
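The manual registry edit described above, as an added PowerShell example (not Microsoft's code). It sets or clears only bit 0x00020000 and leaves the other GlobalFlag bits untouched. The function name Set-CsrssDebugFlag and its parameters are hypothetical, and the registry key must be passed in by the caller because it is not shown on this page.

```powershell
# Added example. Set-CsrssDebugFlag and its parameters are hypothetical names;
# 0x00020000 is the GlobalFlag bit named on this page.
function Set-CsrssDebugFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registry key that holds GlobalFlag. The page does not show it, so the
        # caller supplies it (placeholder: 'HKLM:\<key-from-the-documentation>').
        [Parameter(Mandatory)] [string] $KeyPath,
        # Clear the bit (after the debugging session) instead of setting it.
        [switch] $Clear
    )
    # Arithmetic stays in Int32, the type the registry provider returns for REG_DWORD.
    $mask = 0x00020000

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # Assumption: an absent GlobalFlag value is treated as 0.
    $item = Get-ItemProperty -Path $KeyPath -Name GlobalFlag -ErrorAction SilentlyContinue
    $old  = if ($null -ne $item) { [int]$item.GlobalFlag } else { 0 }

    # Read-modify-write: change only this bit, keep every other flag as it was.
    $new = if ($Clear) { $old -band (-bnot $mask) } else { $old -bor $mask }

    $changed = $false
    $action  = 'GlobalFlag 0x{0:X8} -> 0x{1:X8}' -f $old, $new
    if ($new -ne $old -and $PSCmdlet.ShouldProcess($KeyPath, $action)) {
        Set-ItemProperty -Path $KeyPath -Name GlobalFlag -Type DWord -Value $new
        $changed = $true
    }

    # Report what happened; a change only takes effect after a reboot.
    [pscustomobject]@{
        Old            = '0x{0:X8}' -f $old
        New            = '0x{0:X8}' -f $new
        Changed        = $changed
        RebootRequired = $changed
    }
}

# Usage (run elevated; replace the placeholder with the documented key):
#   Set-CsrssDebugFlag -KeyPath 'HKLM:\<key-from-the-documentation>' -WhatIf   # preview only
#   Set-CsrssDebugFlag -KeyPath 'HKLM:\<key-from-the-documentation>'           # enable
#   Set-CsrssDebugFlag -KeyPath 'HKLM:\<key-from-the-documentation>' -Clear    # disable afterwards
```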
Because you will be controlling the user-mode debugger from the kernel debugger, you will need to set up a kernel debugging connection. See Getting Set Up for Debugging for details.
After the registry has been properly configured, it is a simple matter of starting NTSD as follows:
See Controlling the User-Mode Debugger from the Kernel Debugger for an explanation of how to proceed.
You will have to set your symbol path to a location on your host computer or to some other location on your network. When CSRSS is being debugged, network authentication on the target computer will not work properly.
Note that you may see an "in page io error" message. This is another manifestation of a hardware failure.
When the debugging session ends, the debugger will detach from CSRSS while the CSRSS process is still running. This avoids termination of the CSRSS process itself.