How to use Olly to debug a Windows process


jkally
March 3rd, 2010, 09:53
A real newbie question:

I would like to know what API Windows is using to update a device driver, so I mark a device driver node, right click and select "Update driver".

How can I debug what follows with Olly DBG?

If I attach Olly to mms, then it's not on any break point, since the process is running.

I would like to intercept the button click and see with Olly what follows.

Thanks

disavowed
March 3rd, 2010, 11:34
It's probably using CreateService(...) or ZwSetSystemInformation(SystemLoadAndCallImage, ...).

disavowed
March 3rd, 2010, 11:35
You can also have OllyDbg break on Windows messages sent to specific buttons (see the Windows view in OllyDbg's View menubar).

redblack
March 25th, 2010, 08:48
Quote:
[Originally Posted by disavowed;85549]You can also have OllyDbg break on Windows messages sent to specific buttons (see the Windows view in OllyDbg's View menubar).


I prefer this one

TBone
March 29th, 2010, 15:29
Quote:
[Originally Posted by jkally;85545]If I attach Olly to mms, then it's not on any break point, since the process is running.

Also, just to address this:

1) Technically it is at a breakpoint -- specifically at ntdll.DbgBreakPoint. Any breakpoints you set will be triggered by the app's main thread(s) if they encounter them. If you need to see Olly's analysis of mmc's code section, use the memory map to find it, Ctrl+G from the CPU window to go there, and then hit Ctrl+A to analyze it.

That said, if you know what API you want to breakpoint, you can go straight there in Olly without analyzing anything. Olly understands symbolic address references, so you can always tell it to go to "SS:[EBP+8]" or "user32.GetDlgItem". Setting a manual breakpoint at the EP of, say, GetDlgItem works perfectly fine; you just have to (trivially) trace your way to the user code. The call stack works wonders here, or even just hitting Alt+F9 (run till user code) in simple cases.

2) You can also start mmc.exe from within OllyDbg rather than attaching to a running mmc instance. You can even use the "Arguments" field if you need to debug something more complicated like "mmc.exe c:\windows\system32\compmgmt.msc".