Trapping HANDLE creation in WOW64
It looks like you can only get the file handle information when doing a kernel debug. So there are 3 options.
- Do a local machine kernel debug; this shouldn't be a problem, since you only need to get the file handle information and that will stay static. See the following: http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx
- Do a remote kernel debug of a VM machine. "Safer" in the sense that you can't blow up your machine.
- BSOD your box and look at the dump that way. Again, not a very nice thing to do to your box, but I've done similar things in the past when I needed to be able to do a full analysis on the machine without the machine state changing.