Many services run in the SVCHOST host process rather than under their own executable. Because of this, it may be difficult to dump a particular service unless you are able to isolate that service from the other services loaded under SVCHOST.
For example, the Winmgmt service is suspected of spiking the CPU to 99%, and you need to dump only the Winmgmt service and not all of Svchost.
There are several ways to dump a particular service:
1. Use Debug Diagnostic Tool (DebugDiag) 1.2.
2. Use the following batch file:
FOR /F "tokens=2 delims=," %%A IN ('tasklist /svc /FI "services eq winmgmt" /NH /FO csv') DO SET PID=%%~A
Where adplus.exe is the tool shipped in Debugging Tools for Windows.
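The same service-to-PID lookup as a PowerShell script, as an added example that is not part of the original post or of AutoDumpSvc. It also lists the other services hosted in the same process, since the dump will contain their memory too. Assumptions: adplus.exe is in the current folder, and the parameter names and defaults are illustrative.

```powershell
# Added example (not from the original post): resolve a service to its host
# process, report co-hosted services, then take a hang dump with adplus.exe.
param(
    [string]$ServiceName = 'winmgmt',      # service used in the article's example
    [string]$OutputDir   = 'C:\dumps',     # output directory used in the article's example
    [string]$AdplusPath  = '.\adplus.exe'  # assumption: adplus.exe is in the current folder
)

# The name is placed inside a WQL filter, so accept only characters that
# cannot break out of the quoted string.
if ($ServiceName -notmatch '^[A-Za-z0-9_.$ -]+$') {
    throw "Unexpected characters in service name '$ServiceName'."
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    throw "Service '$ServiceName' was not found."
}
if ($svc.ProcessId -eq 0) {
    throw "Service '$ServiceName' is not running, so there is no process to dump."
}
$servicePid = $svc.ProcessId

# A shared svchost.exe holds several services in one address space. List the
# others so the analyst knows whose threads and data the dump will include.
$coHosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$servicePid" |
    Where-Object { $_.Name -ne $svc.Name }
if ($coHosted) {
    Write-Warning ("PID {0} also hosts: {1}" -f $servicePid, ($coHosted.Name -join ', '))
} else {
    Write-Host "PID $servicePid hosts only $($svc.Name)."
}

# Create the output directory if needed. Dumps hold full process memory,
# so keep this folder restricted to the people doing the analysis.
if (-not (Test-Path -LiteralPath $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

# -hang takes a dump of the running process, -p selects it by PID and
# -o sets the output directory.
& $AdplusPath -hang -p $servicePid -o $OutputDir
```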
But in some cases, the above methods cannot help. For example, you set up some breakpoints for the IIS worker process (w3wp.exe) with adplus.exe. When a breakpoint is hit, you need to generate dump files for the winmgmt service. The above batch file does not work from the .shell command in WinDbg.
You may need a simple command-line tool to generate a dump file for a particular service.
The attached AutoDumpSvc can work with Debugging Tools for Windows.
1. Put this tool in the same folder as adplus.exe (Debugging Tools for Windows; .NET Framework 2.0 is required).
autodumpsvc.exe -sn <service name> -o <output directory>
For example: autodumpsvc.exe -sn winmgmt -o c:\dumps
Xin Jin from APGC DIS Team