
Get the callstack(s) when a kernel32.dll function is called

I have a process that changes its current directory, and I would like to know when and where it happens. How could I do that?

I tried setting a breakpoint in SetCurrentDirectoryA/SetCurrentDirectoryW with Visual Studio, but it does not work.


Are you debugging one of your own programs, or one that you don't have the source code for? The Visual Studio debugger isn't very friendly with regard to debugging no-source applications; in that case, I would recommend WinDbg or OllyDbg - or even skipping the debugger and writing an instrumented logger using EasyHook.

EDIT:

Try setting a breakpoint at {,,kernel32.dll}_SetCurrentDirectoryA@4 - peculiar syntax and requires decorated names. Haven't tried it myself, but found it here. Google keywords: "visual studio breakpoint api" :)


You need to attach/debug the process using native code. If you by mistake are debugging using managed code you will not hit those breakpoints.


Your program may be changing directories using the msvcrt functions. You should try placing breakpoints on these functions as well:

_chdir
_chdrive

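An added example, not part of the original answers: a small Python helper that builds the `{,,module}symbol` breakpoint locations mentioned above for the functions named on this page, using MSVC's C name-decoration rules for x86 (none on x64). The helper names and the `msvcrt.dll` module name are assumptions, and whether the debugger resolves a decorated name depends on the symbols loaded for that module.

```python
"""Build Visual Studio '{,,module}symbol' breakpoint locations (added example)."""

X86_SLOT = 4  # x86 stack arguments are rounded up to 4-byte slots


def decorate(name, arg_sizes=(), convention="stdcall", arch="x86"):
    """Return the MSVC C-linkage symbol name; arg_sizes are parameter sizes in bytes."""
    if arch == "x64":
        # x64 has one calling convention and C names are not decorated.
        return name
    if arch != "x86":
        raise ValueError(f"unsupported architecture: {arch}")
    total = sum(-(-size // X86_SLOT) * X86_SLOT for size in arg_sizes)
    if convention == "cdecl":
        return f"_{name}"          # caller cleans the stack, so no byte count
    if convention == "stdcall":
        return f"_{name}@{total}"  # callee pops `total` bytes
    if convention == "fastcall":
        return f"@{name}@{total}"
    raise ValueError(f"unsupported calling convention: {convention}")


def vs_breakpoint(module, name, arg_sizes=(), convention="stdcall", arch="x86"):
    """Format a location string for the debugger's function breakpoint dialog."""
    return "{,,%s}%s" % (module, decorate(name, arg_sizes, convention, arch))


# Functions named on this page. Win32 API functions are stdcall, CRT functions cdecl.
# "msvcrt.dll" is an assumed module name: use the CRT DLL the target really loads.
TARGETS = [
    ("kernel32.dll", "SetCurrentDirectoryA", (4,), "stdcall"),  # LPCSTR
    ("kernel32.dll", "SetCurrentDirectoryW", (4,), "stdcall"),  # LPCWSTR
    ("msvcrt.dll", "_chdir", (4,), "cdecl"),                    # const char *
    ("msvcrt.dll", "_chdrive", (4,), "cdecl"),                  # int
]


def breakpoint_list(arch="x86"):
    """Return one breakpoint location per target for the given architecture."""
    return [vs_breakpoint(m, n, a, c, arch) for m, n, a, c in TARGETS]


if __name__ == "__main__":
    for location in breakpoint_list():
        print(location)
```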