How to capture Exceptions in Process Monitor Traces using ProcDump

ProcDump has been updated to version 5, which brings some great new features for exception filtering and the like.

For instance, you can now write a dump at the moment a specific first-chance exception is raised, selected by the exception name:

procdump -ma -e 1 -f "System.Exception" myprocess.exe

What's also new, and a little hidden, is the possibility to trace exception information in Process Monitor (ProcMon) traces.

In order to do this, you just need to attach procdump to the process you are interested in and tell it to observe all 1st chance exceptions:

procdump -e 1 -f "" myprocess.exe

If you now collect a procmon trace while exceptions occur, you will see them as events with the operation Debug Output Profiling, coming out of the attached procmon instance.

Note: You need to enable the display of Profiling events and make sure procmon.exe is not filtered out, as it was by default until version 5.

This works for managed and unmanaged exceptions alike.

Limitation: As you might know, ProcMon can show you the call stack of its events. However, as the profiling event is generated from procmon itself and not from the process that is actually monitored, these call stacks do not indicate where the exception was thrown.
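Because the call stack of a profiling event does not point into the monitored process, the usable context is the timeline around it. The following is an added example, not part of the original post or of the Sysinternals tools: it reads a trace saved from ProcMon as CSV and pairs every Debug Output Profiling event with the monitored process's own events just before it. It assumes ProcMon's default CSV columns; the sample rows, the `exception_context` helper and the Detail text are constructed for illustration.

```python
import csv
import io
from collections import deque

PROFILING_OP = "Debug Output Profiling"  # Operation name as shown in the trace


def exception_context(csv_file, target, depth=2):
    """Pair each debug-output event with the target's last `depth` events.

    Relies on row order (the export is chronological) instead of parsing the
    locale-dependent "Time of Day" column.
    """
    recent = deque(maxlen=depth)
    hits = []
    for row in csv.DictReader(csv_file):
        if row["Operation"] == PROFILING_OP:
            hits.append({"time": row["Time of Day"], "detail": row["Detail"],
                         "before": list(recent)})
        elif row["Process Name"].lower() == target.lower():
            recent.append((row["Operation"], row["Path"]))
    return hits


# Constructed sample export; the Detail text is a placeholder, not real output.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","myprocess.exe","4242","CreateFile","C:\app\settings.xml","NAME NOT FOUND","Desired Access: Generic Read"
"10:00:01.0000002","otherproc.exe","1111","RegOpenKey","HKLM\Software\Example","SUCCESS",""
"10:00:01.0000003","procmon.exe","2222","Debug Output Profiling","","","constructed: first chance exception A"
"10:00:02.0000001","myprocess.exe","4242","ReadFile","C:\app\data.bin","SUCCESS","Length: 16"
"10:00:02.0000002","myprocess.exe","4242","CreateFile","C:\app\missing.dll","NAME NOT FOUND",""
"10:00:02.0000003","myprocess.exe","4242","RegQueryValue","HKCU\Software\Example\Flag","NAME NOT FOUND",""
"10:00:02.0000004","procmon.exe","2222","Debug Output Profiling","","","constructed: first chance exception B"
'''

if __name__ == "__main__":
    for hit in exception_context(io.StringIO(SAMPLE), "myprocess.exe"):
        print(hit["time"], hit["detail"])
        for op, path in hit["before"]:
            print("    preceded by", op, path)
```

For a real export, pass `open(path, newline="", encoding="utf-8-sig")` instead of the `StringIO` object so a leading byte-order mark does not end up in the first column name.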