Understanding and Taking a Process Dump

Introduction

In this article, we are going to learn how to take a process dump of a specific Windows process, which we can later use either for debugging or to send to Microsoft for review.

ProcDump is a command-line and UI utility from Microsoft, part of the Sysinternals suite, designed to monitor applications for CPU spikes and generate crash dumps during these spikes. This tool is invaluable for diagnosing and troubleshooting application issues, particularly those related to performance and crashes.

A process dump is generally taken while troubleshooting a specific application that is in a hung state and not responding. To understand why the application is not responding, developers can take a dump of the process and see where a thread is possibly stuck.

Types of Dump:

Two types of Process Dumps can be generated for a specific Process.

Mini Process Dump

  • This is generally a small-sized capture of the process.
  • It contains only basic process and stack details, which can be useful for identifying already known issues.
  • Windows Error Reporting (WER) sometimes also captures these dumps in the event of a failure.

Full Process Dump:

Collecting a “Full” process dump of the crash provides a dump containing all process code and memory, rather than only small critical sections of process structures and the memory immediately adjacent to the site of the crash.

Ways to Capture Process Dump:

ProcDump:

Link to Download: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

  • ProcDump is a command-line utility that can be used in many useful scenarios while working on application issues.
  • Its primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike.
  • ProcDump also includes hung window monitoring and unhandled exception monitoring, and it can generate dumps based on the values of system performance counters.

Write a mini dump of a process named ‘notepad’ (only one match can exist):

C:\>procdump notepad

Write a full dump of a process with PID ‘4572’:

C:\>procdump -ma 4572

Write up to 3 minidumps of a process named ‘consume’ when it exceeds 20% CPU usage for five seconds:

C:\>procdump -c 20 -s 5 -n 3 consume

Write a mini dump for a process named ‘hang.exe’ when one of its windows is unresponsive for more than 5 seconds:

C:\>procdump -h hang.exe hungwindow.dmp

Write a full dump of a process named ‘Outlook’ when Outlook’s handle count exceeds 10,000:

C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000

Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:


Process Explorer

Link to Download: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Let’s now talk about the GUI way of doing things. Process Explorer is a useful tool for reviewing the various processes running on a Windows operating system.

Process Explorer shows you information about which handles and DLLs processes have opened or loaded.


The Steps to Take Process Dump:

Right-click the process you want to take a dump of -> select Create Dump -> select Minidump or Full Dump based on your requirement.


Using Good Old Task Manager:

Having covered the other ways of taking a process dump, we will now take one using Task Manager.

The Steps to Take Process Dump:

Open Task Manager: Right-click on a Process -> Create Dump File.


After clicking the option, you will see a message box asking you to wait.

After that, the message box shows the location under the local Temp folder where the dump has been saved.


Automatic Dump Capture:

  • If a process crashes, Windows Error Reporting should automatically generate a mini dump of the terminated process under the C:\ProgramData\Microsoft\Windows\WER\ subdirectories.
  • Collecting and submitting these existing mini dumps for analysis can sometimes provide useful clues or confirmation of a previously resolved issue.
  • To have WER write a full process dump during future crashes, the following registry key and value must be created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpType"=dword:00000002

Note that the “LocalDumps” subkey typically does not exist by default and must be created in addition to the “DumpType” DWORD value within that subkey.

This will cause future crashes captured by WER to have full process dumps written instead of just mini-dumps.
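The following PowerShell script is an added example, not part of the original article, that creates the LocalDumps subkey and DumpType value described above, reads the setting back to confirm it took effect, and lists the dump files WER has already written under the C:\ProgramData\Microsoft\Windows\WER folder. It assumes an elevated session, since writing under HKEY_LOCAL_MACHINE requires administrator rights.

```powershell
# Added example (not from the original article): configure WER LocalDumps for
# full process dumps and verify the setting. Requires an elevated PowerShell
# session because the key lives under HKEY_LOCAL_MACHINE.
$localDumps = 'HKLM:\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Set-WerFullDump {
    # The LocalDumps subkey usually does not exist by default; create it first.
    if (-not (Test-Path $localDumps)) {
        New-Item -Path $localDumps -Force | Out-Null
    }
    # DumpType: 0 = custom dump, 1 = mini dump, 2 = full dump.
    # -Force overwrites an existing value, so the function is safe to re-run.
    New-ItemProperty -Path $localDumps -Name 'DumpType' -PropertyType DWord `
        -Value 2 -Force | Out-Null
}

function Test-WerFullDump {
    # Returns $true only when the subkey exists and DumpType is exactly 2.
    if (-not (Test-Path $localDumps)) { return $false }
    $props = Get-ItemProperty -Path $localDumps -ErrorAction SilentlyContinue
    return ($null -ne $props.DumpType) -and ($props.DumpType -eq 2)
}

function Get-WerDumps {
    # Lists .dmp files WER has already captured under the ProgramData WER
    # folder the article names for automatically generated mini dumps.
    $werRoot = Join-Path $env:ProgramData 'Microsoft\Windows\WER'
    if (-not (Test-Path $werRoot)) { return @() }
    Get-ChildItem -Path $werRoot -Filter '*.dmp' -Recurse -File `
        -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Set-WerFullDump
if (Test-WerFullDump) {
    Write-Host 'WER LocalDumps: DumpType=2 (full dump) is configured.'
} else {
    Write-Warning 'DumpType is not set to 2; check that the session is elevated.'
}
# A full dump holds the whole process memory, so treat the resulting .dmp
# files as sensitive data: restrict access to them and share only as needed.
Get-WerDumps | Format-Table -AutoSize
```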

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.