Capture a process memory dump with the Microsoft Technet procdump tool

Processes can sometimes terminate unexpectedly, i.e. "crash", often due to an unhandled exception being encountered during execution. There are several methods and tools available to enable capturing a memory dump of such a crash to help determine the root cause. One of these tools is a standalone tool called procdump. It is a simple, reliable and flexible way to capture a crashdump, and common uses of the tool are explained in this document.

The standalone tool procdump is part of the Sysinternals Suite package of tools, which can currently be downloaded from here:

http://technet.microsoft.com/en-gb/sysinternals/bb842062.aspx

The tool is run from the command line and various options are available. Some common uses follow:

Example 1. In this example procdump is attached to a running process which is expected to crash with an unhandled exception. When the process encounters the exception a full dump is created in the C:\Dumps folder:

c:\MyData\Tools\SysinternalsSuite>procdump -e -ma mdrv.exe C:\Dumps

ProcDump v6.00 – Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals – http://www.sysinternals.com
With contributions from Andrew Richards

Process:               mdrv.exe (11372)
CPU threshold:         n/a
Performance counter:   n/a
Commit threshold:      n/a
Threshold seconds:     n/a
Number of dumps:       1
Hung window check:     Disabled
Exception monitor:     Unhandled
Exception filter:      *
Terminate monitor:     Disabled
Dump file:             C:\Dumps\mdrv_YYMMDD_HHMMSS.dmp

Press Ctrl-C to end monitoring without terminating the process.
[13:43:01] Exception: C0000005.ACCESS_VIOLATION
[13:43:01] Unhandled: C0000005.ACCESS_VIOLATION
Unhandled Exception.
Writing dump file C:\Dumps\mdrv_140320_134301.dmp …
Writing 91MB. Estimated time (less than) 3 seconds.
Dump written.
The process has exited.

Example 2. In this example procdump waits for the specified process (here mdrv.exe) to start and then attaches to it. When the process encounters an unhandled exception a full dump is created in the C:\Dumps folder:

c:\MyData\Tools\SysinternalsSuite>procdump -e -ma -w mdrv.exe C:\Dumps

ProcDump v6.00 – Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals – http://www.sysinternals.com
With contributions from Andrew Richards

Waiting for process named mdrv.exe…

Process:               mdrv.exe (10452)
CPU threshold:         n/a
Performance counter:   n/a
Commit threshold:      n/a
Threshold seconds:     n/a
Number of dumps:       1
Hung window check:     Disabled
Exception monitor:     Unhandled
Exception filter:      *
Terminate monitor:     Disabled
Dump file:             C:\Dumps\mdrv_YYMMDD_HHMMSS.dmp

Press Ctrl-C to end monitoring without terminating the process.
[13:44:33] Exception: C0000005.ACCESS_VIOLATION
[13:44:33] Unhandled: C0000005.ACCESS_VIOLATION
Unhandled Exception.
Writing dump file C:\Dumps\mdrv_140320_134433.dmp …
Writing 91MB. Estimated time (less than) 3 seconds.
Dump written.
The process has exited.
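The two invocations above are usually typed by hand. The following PowerShell script is an added example (not from the original post or from Sysinternals) that wraps the Example 2 form of the command and adds the two things a practitioner wants around it: the dump folder is created with an ACL that only Administrators and SYSTEM can read before anything is written (a full "-ma" dump contains whatever the process held in memory, including credentials and keys), and the new dump file is hashed after procdump exits so it can be handed to a developer or stored with a verifiable checksum. The procdump path, the C:\Dumps folder and the process name mdrv.exe are taken from the post; the script assumes an elevated PowerShell 4.0 or later session.

```powershell
# Added example, not part of the original post. Runs procdump -e -ma -w on a
# named process from a folder that has first been locked down to admins only.
$ProcDump   = 'C:\MyData\Tools\SysinternalsSuite\procdump.exe'  # install path used in the post
$DumpDir    = 'C:\Dumps'
$TargetName = 'mdrv.exe'

# 1. Create the dump folder and replace its inherited ACL with explicit
#    full-control entries for Administrators and SYSTEM only.
if (-not (Test-Path -LiteralPath $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}
$acl = Get-Acl -LiteralPath $DumpDir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $DumpDir -AclObject $acl

# 2. Remember which dumps already exist so the new one can be picked out later.
$before = Get-ChildItem -LiteralPath $DumpDir -Filter '*.dmp' |
          Select-Object -ExpandProperty Name

# 3. Run procdump and block until it exits (it exits once the dump is written).
#    -e  write a dump when the process hits an unhandled exception
#    -ma write a full dump (all process memory)
#    -w  wait for the named process to start if it is not running yet
$args = @('-accepteula', '-e', '-ma', '-w', $TargetName, $DumpDir)
$proc = Start-Process -FilePath $ProcDump -ArgumentList $args -NoNewWindow -Wait -PassThru

# 4. Report the new dump with its size and SHA-256 so it can be moved and
#    later shown to be unaltered.
$new = Get-ChildItem -LiteralPath $DumpDir -Filter '*.dmp' |
       Where-Object { $before -notcontains $_.Name }
if ($new) {
    foreach ($d in $new) {
        $h = Get-FileHash -LiteralPath $d.FullName -Algorithm SHA256
        Write-Output ("{0}  {1:N0} bytes  SHA256 {2}" -f $d.FullName, $d.Length, $h.Hash)
    }
} else {
    Write-Output "procdump exited with code $($proc.ExitCode) and no new dump was written."
}
```

Because the ACL is applied before procdump runs, the dump never exists in a world-readable location; if the dump has to leave the machine, the printed hash is what to record in the case notes.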

Example 3. Sometimes attaching procdump to a process can prevent the exception and subsequent crash from actually happening. In these rare cases it may be possible to catch the exception and create a dump by configuring procdump as the Just-in-Time debugger.

Note! The following use of procdump modifies the registry AeDebug key (in more than one place on a 64-bit operating system). Before proceeding, take a note of the original values under the following key on a 32-bit system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

And additionally on a 64-bit System:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug

c:\MyData\Tools\SysinternalsSuite>procdump -ma -i C:\dumps

ProcDump v6.00 – Writes process dump files
Copyright (C) 2009-2013 Mark Russinovich
Sysinternals – http://www.sysinternals.com
With contributions from Andrew Richards

Set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
(REG_SZ) Auto = 1
(REG_SZ) Debugger = "c:\MyData\Tools\SysinternalsSuite\procdump.exe" -ma -j "C:\dumps" %ld %ld %p

ProcDump is now set as the Just-in-time (AeDebug) debugger.
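The note above asks you to record the original AeDebug values before running "procdump -i". The PowerShell below is an added example (not from the original post or from Sysinternals) that does that mechanically: it prints the current Auto and Debugger values of both AeDebug keys named in the post, exports each key to a timestamped .reg file with reg.exe, and provides a Restore-AeDebug function that re-imports those files once the crash has been captured. The backup folder C:\Dumps\AeDebugBackup is an assumption; the script assumes an elevated PowerShell session, since both keys live under HKLM.

```powershell
# Added example, not part of the original post. Snapshot and restore the
# AeDebug keys that "procdump -i" rewrites.
$BackupDir = 'C:\Dumps\AeDebugBackup'          # assumed backup location
$Stamp     = Get-Date -Format 'yyyyMMdd_HHmmss'

# The first key exists on every Windows install; the Wow6432Node key only on
# 64-bit systems, which is the "multiple places" the post warns about.
$AeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

function Backup-AeDebug {
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    foreach ($key in $AeDebugKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # 32-bit host: no Wow6432Node key

        # Show the two values procdump -i will overwrite.
        $v = Get-ItemProperty -LiteralPath $key
        Write-Output ("{0}`n  Auto     = {1}`n  Debugger = {2}" -f $key, $v.Auto, $v.Debugger)

        # reg.exe takes the HKLM\ form rather than the PowerShell HKLM:\ drive form.
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $view    = if ($key -match 'Wow6432Node') { 'wow64' } else { 'native' }
        $file    = Join-Path $BackupDir ('AeDebug_{0}_{1}.reg' -f $view, $Stamp)
        reg.exe export $regPath $file /y | Out-Null
        Write-Output "  saved to $file"
    }
}

function Restore-AeDebug {
    # Re-import every .reg file written by Backup-AeDebug for the given stamp,
    # putting the previous Just-in-Time debugger back in place.
    param([Parameter(Mandatory = $true)][string]$BackupStamp)
    $files = Get-ChildItem -LiteralPath $BackupDir -Filter "AeDebug_*_$BackupStamp.reg"
    if (-not $files) { throw "No AeDebug backup found for stamp $BackupStamp in $BackupDir" }
    foreach ($f in $files) {
        reg.exe import $f.FullName
        Write-Output "Restored $($f.FullName)"
    }
}

Backup-AeDebug
Write-Output "Backup stamp: $Stamp"
# Next step, as in Example 3:   procdump.exe -ma -i C:\Dumps
# After the crash is captured:  Restore-AeDebug -BackupStamp $Stamp
```

Keeping the stamp from the backup run is what makes the restore unambiguous: each run writes its own pair of .reg files, so an earlier snapshot is never overwritten by a later one.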
