NOTE: This post has been updated in a new post due to an issue found with the steps in this post. The procedure is the same, but the steps here may only work with 32 bit dumps. Please read the post located at the address below:
In this post, we’ll see how to find out which queries were executing from a SQL Server memory dump. You might have a dump file from a crash of the SQL Service, or you may have taken a diagnostic dump with sqldumper.
What we do in this post assumes you are working with a full or filtered dump of SQL Server. For more information on dumping SQL Server, read this post:
Some of the objects contained in the dump that are needed to completely understand this process can only be resolved with private symbols. What this means is that to fully track down the executing query text, you need to be internal to MS with access to “private” symbols.
However, after finding the query text with the private symbols, we can quickly get to the query text with public symbols and a few specific memory addresses and offsets.
So first, set your public symbol path:
Search the stacks:
0:000> ~* k
You are looking for a stack that is executing a query. It will look like this:
msvcr80!_callthreadstartex+0x17 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\threadex.c @ 348]
msvcr80!_threadstartex+0x84 [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\threadex.c @ 326]
We are interested in the 3rd parameter of the sqlservr!CMsqlExecContext::ExecuteStmts call as seen below:
0e 00000000`0f6eee80 00000000`00e90fe3 : 00000064`00000000
This is the address of an object, and we need to dump 1 dword at an offset of 0x20 into this object:
0:041> dd 86909380+0x020 l1
The address at this offset into the object is a property that contains a pointer (another address) to the buffer that contains our query text. So we get our address from here:
0:041> dd 869093e0 l1
Now this is the address we need. So we dump unicode string on this address and we get our query:
0:041> du 86909470
00000000`86909470 "....select * from Sales.SalesOrd"
You should be able to follow this approach for most threads executing queries. The signature of the “ExecuteStmts” function (a method of the CMsqlExecContext object) should have the object address we need as the 3rd parameter provided the stack is the same (the method could be overloaded and take something else as the 3rd parameter in a different situation – but I’d have to check).