Creating a W3WP Memory dump on Windows Server 2008 R2

On a web server with multiple application pools, there most likely will be multiple W3WP processes.  Therefore, the first action to take when creating a memory dump of a W3WP worker process is to find which W3WP process you need to get the dump of. 

To do this, open IIS 7 and select the web site which is having the problem. In this example, let’s assume the “Default Web Site”.  Then, in the Actions pane, select Basic Settings… as shown in Figure 1.

Figure 1, accessing application pool basic settings

Selecting Basic Settings… will open the window shown in Figure 2, where you will see the name of the application pool in which this web site runs, in this case DefaultAppPool.

Figure 2, Web site basic settings window

Next, use the APPCMD tool to show a list of all running application pools with associated PID, as shown in Figure 3.

Figure 3, find application pool ID on Windows 2008

On Windows 2008 R2, you can find the application pool and PID within the task manager too, as shown in Figure 4.

Figure 4, Use task manager to find PID of application pool

Once you have the PID of the w3wp.exe worker process, download ProcDump from here, and execute the command line shown in Figure 5. 

Figure 5, ProcDump command example

Note: Figure 5 will create a 64bit memory dump.  ProcDump currently creates a 32bit dump by default; if your worker process is 64bit, you need to add the -64 parameter to capture the dump correctly.  Simply place -64 before the -ma.

If you are experiencing high CPU, for example, and want to create the memory dump of a process once CPU utilization has exceeded 90 percent for 15 seconds, your command would be similar to the following:

C:\>procdump -64 -ma -c 90 -s 15 -o 2028 w3wp-2028-cpu.dmp

If you are experiencing high memory utilization, for example, and want to create the memory dump of a process once memory utilization exceeds 2GB, your command would be similar to the following:

C:\>procdump -64 -ma -m 2000 -o 2028 w3wp-2028-memory.dmp

If you are having a performance problem which doesn’t consume a lot of CPU or memory, you can take a number of dumps during the execution of the slow transaction, then analyze and compare the dumps to see what is happening.  This will be time consuming, but sometimes it is the only remaining option.  The following example will take 3 dumps 5 seconds apart.

C:\>procdump -64 -ma -s 5 -n 3 2028 w3wp-2028-perf.dmp

Note: There are a large number of parameters which can be passed to ProcDump.  Those are discussed in detail on the ProcDump download page.
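
The steps above chained together, as an added example that is not from the original article: it looks up the w3wp.exe PID for an application pool with APPCMD, then starts ProcDump with the CPU trigger shown earlier. Because a -ma dump holds the full memory of the worker process, which can include connection strings and session data, it first restricts the dump folder to Administrators and SYSTEM. The pool name, D:\Dumps and the location of procdump.exe are assumptions.

```powershell
# Added example, not the article's own script. Run from an elevated prompt.
$AppPool  = 'DefaultAppPool'     # pool name read from Basic Settings (Figure 2)
$DumpDir  = 'D:\Dumps'           # hypothetical output folder, no spaces in the path
$ProcDump = (Resolve-Path '.\procdump.exe').Path   # assumes ProcDump is in the current directory
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# appcmd prints one line per worker process, for example:
#   WP "2028" (applicationPool:DefaultAppPool)
$workerPids = @(& $appcmd list wp | ForEach-Object {
    if ($_ -match '^WP "(\d+)" \(applicationPool:(.+)\)' -and $Matches[2] -eq $AppPool) {
        [int]$Matches[1]
    }
})
if ($workerPids.Count -eq 0) {
    throw "No running w3wp.exe found for application pool '$AppPool'."
}

# Lock the dump folder down before anything is written to it:
# drop inherited permissions, then grant full control to Administrators and SYSTEM only.
if (-not (Test-Path $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}
& icacls $DumpDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $DumpDir" }

# A web garden or an overlapped recycle gives one pool several PIDs,
# so one ProcDump monitor is started per worker process.
foreach ($workerPid in $workerPids) {
    $dumpFile = Join-Path $DumpDir ("w3wp-{0}-cpu.dmp" -f $workerPid)
    # -accepteula avoids the first-run EULA prompt; -64 assumes a 64bit worker process.
    # The remaining switches are the CPU example above: full dump at 90 percent for 15 seconds.
    $procdumpArgs = @('-accepteula', '-64', '-ma', '-c', '90', '-s', '15', "$workerPid", $dumpFile)
    Start-Process -FilePath $ProcDump -ArgumentList $procdumpArgs
    Write-Output "Monitoring PID $workerPid, dump will be written to $dumpFile"
}
```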

Once the dump is created you can analyze it using WinDbg and find the reason for the unwanted behavior.

An alternative method to create a memory dump of a W3WP process for a specific web site is to open Task Manager, as shown in Figure 6, right-click on the W3WP process and click Create Dump File.

Figure 6, Task Manager

You would do this, for example, if your W3WP process was consuming 100% of the CPU at the time you created the memory dump.  Only use this method if you are certain the issue is happening at the time you select Create Dump File.

The benefit of ProcDump is that you can configure it to create the memory dump based on many conditions, so you are more likely to capture a memory dump at the time the issue happens.


Comments (9)

  1. Steve M says:

    Is there a way to use ProcDump to capture any process that runs at CPU @ 100% for a length of time specified?

    We have an issue where 2 of our servers (Exchange 2010 CAS servers) from time to time CPU lock at 100% and no information is captured in the logs etc.

    We would like to capture the process doing this and hope ProcDump has this ability.

  2. Yes, it is possible.  Use -c and -s.  -c is the CPU threshold and -s is the number of seconds which the threshold must remain breached before the memory dump is created.

  3. Deepesh says:

    This is a great article. It's so simple and informative. I have read so many articles for memory analysis & this one is the simplest & easy to follow.

    Thank you

  4. Mattyd says:

    What is the best way to capture info using procdump for a memory leak?

  5. Vijay says:


    I tried this on my 64 bit iis C:PCProcdump>procdump -64 -ma -o 5484 w3wp-2028-cpu.dmp but it is not writing the dump. I just see the proc dump command back as below

    ProcDump v6.00 – Writes process dump files

    Copyright (C) 2009-2013 Mark Russinovich

    Sysinternals –

    With contributions from Andrew Richards

    Monitors a process and writes a dump file when the process exceeds the

    specified criteria or has an exception.

    usage: procdump [-64] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1

    [-b] [-f <filter,…>] [-g]]] [-h] [-l] [-m|-ml commit usage] [-ma | -mp] [-o]

    [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] <[-w] <process name or

    service name or PID> [dump file] | -i <dump file> | -x <dump file> <image file>

    [arguments] >

  6. Benjamin says:

    @Mattyd, to collect for a managed memory leak, I would take a series of memory dumps, maybe a few minutes apart and then try to find where the memory is being allocated to.  If it is a native leak, then check out the Debug Diagnostic tool and connect LeakTrack to the process.

    @Vijay, sometimes when you cut and paste the command I have here directly into the CMD windows you get this.  Please enter the commands in manually.

  7. Pavel says:

    Is this procedure transparent to end users or applications? Today I did try to generate a process dump for oracle.exe as it consumes a lot of memory without release. What I did is to use Task Manager, right click on oracle.exe and click Create Dump File. But it triggered a cluster failover when I did this dump creation, which introduced a several mins interruption to end users.

  8. AFAIK, the creation of a dump might cause some interruption, so take memory dumps only when you have a problem you need fixing.  I have never taken dumps of processes other than W3WP until now, and when I do that, no one has ever reported any downtime or domain recycle, etc…but be careful in production, test it in a test environment before doing it in production…always.

  9. rich says:

    Will not work unless you use “ProcDump -accepteula” with no hint this is a problem.