Understanding and Taking a Process Dump

Understanding and Taking a Process Dump

Introduction

In this article, we are going to understand and learn, How we can take a process dump of a Specific Windows Process which we can later use either for Debugging or send to Microsoft for a Review.

Process Dump is generally taken in times when you are troubleshooting on a specific application that is in a hung state and not responding. To understand the reason for the Application not responding, developers can take a dump of the process and understand where a thread is possibly stuck.

Types of Dump:

Two types of Process Dumps can be generated for a specific Process.

Mini Process Dump

  • This is the dump which generally is a small size capture of the Process.
  • They only contain basic process and stack details which can generally be useful in finding some of the already known issues.
  • Windows Error Reporting (WER) sometimes also captures these dumps in terms of any failure.
     

Full Process Dump:

Collecting a “Full” process dump of the crash will provide a dump containing all process code and memory, rather than only small critical sections of process structures and memory immediately adjacent to the site of the crash. 

 

Ways to Capture Process Dump:

 

ProcDump:

Link to Download: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

  • Procdump is a command-line utility that can be used in many useful scenarios while working with Application issues.
  • ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike
  • ProcDump also includes hung window monitoring, unhandled exception monitoring and can generate dumps based on the values of system performance counters.

 

Write a mini dump of a process named ‘notepad’ (only one match can exist):

C:\>procdump notepad

Write a full dump of a process with PID ‘4572’:

C:\>procdump -ma 4572

Write up to 3 minidumps of a process named ‘consume’ when it exceeds 20% CPU usage for five seconds:

C:\>procdump -c 20 -s 5 -n 3 consume

Write a mini dump for a process named ‘hang.exe’ when one of its Windows is unresponsive for more than 5 seconds:

C:\>procdump -h hang.exe hungwindow.dmp

Write a full dump of a process named ‘outlook’ when Outlook’s handle count exceeds 10,000:

C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000

Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:

 

Process Explorer 

Link to Download: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Let’s now talk about the GUI way of doing things. Process Explorer is a useful tool that can be used to review the various processes running over a windows operating System.

Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

Understanding and Taking a Process Dump

 

The Steps to Take Process Dump:

Right, Click on the Process which you want to take a dump of -> Select Create Dump -> Select Mini or Full Dump Based on your requirement.

Understanding and Taking a Process Dump

 

Using Good Old Task Manager:

Once we are aware of all the other ways of taking a Process Dump we will now learn about taking a Process dump using our Task Manager.
 

The Steps to Take Process Dump:

Open Task Manager: Right Click on a Process -> Create Dump File.

Understanding and Taking a Process Dump

Once Clicking the Option you will see the message box asking you to wait.

Understanding and Taking a Process Dump
Post that you can see the location under the local Temp where the Dump is being Saved.

Understanding and Taking a Process Dump

 

Automatic Dump Capture:

  • Incase if a Process is crashing the Windows Error Reporting should automatically be generating a Mini Dump of the Process which has terminated under C:\ProgramData\Microsoft\Windows\WER\” subdirectories
  • Collecting and submitting these existing mini-dumps for analysis can sometimes provide useful clues or confirmation of a previously-resolved issue. 
  • To have WER write a full process dump during future crashes, the following registry key and value must be created:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpType"=dword:00000002

Note the “LocalDumps” subkey typically does not exist by default and must be created in addition to the actual “DumpType” DWORD value within that subkey.

This will cause future crashes captured by WER to have full process dumps written instead of just mini-dumps.

 

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.

Leave a Reply