Taking dumps on different scenarios

"Hello World"!

Sometimes you need to get your hands dirty with low-level debugging. In such cases everything starts with the capture of a full memory dump, at the right moment, with the right method.

Why a full memory dump? Because otherwise the dump will not contain all of the user-mode process's memory, and some types of analysis cannot be performed (e.g. there is no managed heap to inspect).

What do you need? A debugger. I suggest using ProcDump from Sysinternals because it is really lightweight and powerful.

We can identify five major patterns/scenarios:

  1. Manual dump
  2. Crash (Unhandled exception)
  3. Hang (Freeze)
  4. High CPU
  5. Inner handled Exception

1 - Manual dump

This is when you need to capture a dump of an application at your convenience. You can even use the Windows Task Manager for this.

With procdump:

      Procdump -ma <PID> <path_output_file.dmp>

2 - Crash (Unhandled exception)

The application is terminating/crashing because of an exception that is not handled (are you missing a try/catch?). In this scenario you need to attach a debugger, configure it to create a dump on a second-chance (unhandled) exception, and then wait for the next occurrence.

With procdump:

      Procdump -e -ma <PID> <path_output_file.dmp>

3 - Hang (Freeze)

Some examples of this scenario: the application is not responding, the main window turns white, a Windows service is stuck in the starting/stopping phase. In this scenario you need to capture more than one dump, because the analysis must be performed over a period of time to understand whether the process is really stopped at the same point. Usually three dumps taken a few seconds apart are enough.

With procdump you can create three dumps with a delay of 30s in only one line:

      Procdump -n 3 -s 30 -ma <PID> <path_output_file.dmp>

4 - High CPU

The analysis of this scenario is similar to the Hang case: you still need more than one dump. This time the goal is to identify whether the process is doing the same thing (i.e. showing a similar or identical call stack) at different points in time.

With procdump you can take a series of three dumps right away, while the problem is happening:

      Procdump -n 3 -s 30 -ma <PID> <path_output_file.dmp>

or you can set up procdump to dump automatically when the CPU usage goes over a threshold (-c parameter):

      Procdump -n 3 -s 30 -ma -c 80 <PID> <path_output_file.dmp>

5 - Inner handled Exception

Sometimes you might need to dump on an inner (first-chance) exception, that is, an exception that has been handled and is not crashing the application. The only way to capture a dump is to attach a smart debugger and configure it to dump only for that specific exception as soon as it is raised. This task might require writing a script for complex scenarios.

Fortunately, with procdump you do not need a script, and this command line works for both managed and unmanaged exceptions:

      Procdump -e 1 -ma -f <CustomExceptionName> <PID> <path_output_file.dmp>
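As an added example (not part of the original post, and not Sysinternals' own code), here is a PowerShell wrapper that selects the switches from the five scenarios above, runs procdump, and reports which dump files actually appeared so you can check that the expected number exists. It assumes procdump.exe is reachable through PATH (or passed via -ProcDump) and uses the standard -accepteula switch to suppress the licence prompt.

```powershell
# Added example wrapper; assumes procdump.exe is in PATH or given via -ProcDump.
function Invoke-ScenarioDump {
    param(
        [Parameter(Mandatory)][ValidateSet('Manual','Crash','Hang','HighCpu','FirstChance')]
        [string]$Scenario,
        [Parameter(Mandatory)][int]$ProcessId,
        [string]$OutputDir = (Join-Path $env:TEMP 'dumps'),
        [string]$ExceptionFilter,        # only used for FirstChance (the -f value)
        [int]$CpuThreshold = 80,         # only used for HighCpu (the -c value)
        [string]$ProcDump = 'procdump.exe'
    )

    # Fail early if the PID does not exist instead of letting procdump error out.
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # Same switches as the command lines in the post, chosen per scenario.
    $switches = @(switch ($Scenario) {
        'Manual'      { '-ma' }
        'Crash'       { '-e', '-ma' }
        'Hang'        { '-n', '3', '-s', '30', '-ma' }
        'HighCpu'     { '-n', '3', '-s', '30', '-ma', '-c', "$CpuThreshold" }
        'FirstChance' {
            if (-not $ExceptionFilter) { throw 'FirstChance requires -ExceptionFilter' }
            '-e', '1', '-ma', '-f', $ExceptionFilter
        }
    })

    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    # Timestamped target name so repeated runs never overwrite each other;
    # procdump adds its own suffixes when -n produces a series of files.
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
    $target = Join-Path $OutputDir ('{0}_{1}_{2}_{3}.dmp' -f $proc.ProcessName, $ProcessId, $Scenario, $stamp)

    # Snapshot the folder before and after so only this run's files are reported.
    $before = @(Get-ChildItem $OutputDir -Filter '*.dmp' | Select-Object -ExpandProperty FullName)
    & $ProcDump -accepteula @switches $ProcessId $target
    $exit = $LASTEXITCODE
    $after = @(Get-ChildItem $OutputDir -Filter '*.dmp' | Select-Object -ExpandProperty FullName)
    $new   = @($after | Where-Object { $before -notcontains $_ })

    # Hang/HighCpu use -n 3, so three files are expected; every other scenario yields one.
    $expected = if ($switches -contains '-n') { 3 } else { 1 }
    [pscustomobject]@{ ExitCode = $exit; Expected = $expected; Dumps = $new }
}
```

Example call: `Invoke-ScenarioDump -Scenario Hang -ProcessId 1234` blocks until the three dumps are written and then returns the file list; for Crash and FirstChance the call waits until the exception occurs.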
