Microsoft-specific exception handling mechanisms
Structured Exception Handling
Microsoft Structured Exception Handling is the native exception handling mechanism for Windows and a forerunner technology to VEH. It features the
finally mechanism not present in standard С++ exceptions (but present in most imperative languages introduced later).
SEH is set up and handled separately for each thread of execution.
Microsoft supports SEH as a programming technique at the compiler level only. MS Visual C++ compiler features three non-standard keywords:
__finally — for this purpose. Other exception handling aspects are backed by a number of Win32 API functions, for example,
RaiseException to raise SEH exceptions manually.
Each thread of execution in Windows has a link to an undocumented _EXCEPTION_REGISTRATION_RECORD list at the start of its Thread Information Block. The
__try statement essentially calls a compiler-defined
EH_prolog function. That function allocates an _EXCEPTION_REGISTRATION_RECORD on the stack pointing to
__except_handler3 function in
msvcrt.dll, then adds the record to the list's head. At the end of the
__try block a compiler-defined
EH_epilog function is called that does the reverse operation. Either of these compiler-defined routines can be inline. All the programmer-defined
__finally blocks are called from within
__except_handler3. If such blocks are present, _EXCEPTION_REGISTRATION_RECORD being created is extended with a few additional fields used by
In a case of an exception in a user mode code, the operating system parses the thread's _EXCEPTION_REGISTRATION_RECORD list and calls each exception handler in sequence until a handler signals it has handled the exception (by return value) or the list is exhausted. The last one in the list is always the
kernel32!UnhandledExceptionFilter which displayes the General protection fault error message. Then the list is traversed once more giving handlers a chance to clean up any resources used. Finally, the execution returns to kernel mode where the process is either resumed or terminated.
- Microsoft Corp. (2009-11-12). "Structured Exception Handling". MSDN Library. Retrieved 2009-11-17.
- Matt Pietrek (Jan 1997). "A Crash Course on the Depths of Win32 Structured Exception Handling". MSJ 12 (1).
- Igor Skochinsky (Monday, March 6, 2006 12:02.38 CST). "Reversing Microsoft Visual C++ Part I: Exception Handling". OpenRCE. Retrieved 2009-11-17.
Vectored Exception Handling
Vectored Exception Handling was introduced in Windows XP. Vectored Exception Handling is made available to Windows programmers using languages such as C++ and Visual Basic. VEH does not replace Structured Exception Handling (SEH), rather VEH and SEH coexist with VEH handlers having priority over SEH handlers. Compared with SEH, VEH works more like a traditional notification callback scheme.
Use of VEH
Use AddVectoredExceptionHandler API
- "Vectored Exception Handling in Windows Server 2003 (Through Internet Archive)". Archived from the original on 2008-01-18.
- Microsoft Corp. (11/12/2009). "Structured Exception Handling Functions". MSDN Library. Retrieved 2009-11-17.
- The name varies in different versions of VC runtime
kernel32.dll, as well as other programs linked statically with VC runtime, have this function compiled-in instead
- Peter Kleissner (February 2009). "Windows Exception Handling". Retrieved 2009-11-21., Compiler based Structured Exception Handling section
- More specifically,
ntdll!RtlDispatchExceptionsystem routine called from
ntdll!KiUserExceptionDispatcherwhich is in turn called from the
nt!KiDispatchExceptionkernel function. (See Ken Johnson (November 16, 2007, 7:00 am). "A catalog of NTDLL kernel mode to user mode callbacks, part 2: KiUserExceptionDispatcher". for details)
- The message can be silenced by altering the process's error mode; the default last handler can be replaced with SetUnhandledExceptionFilter API
- "New Vectored Exception Handling in Windows XP".
- "Windows Server 2003 Discover Improved System Info, New Kernel, Debugging, Security, and UI APIs".