Grabbing .dmp files from crash dialogs

If you're a company wanting to get access to the data from the crash dialog, this article isn't for you.  But this is

Also, I am not an expert in this topic.

Now that that is off my chest, and we've all had fair warning, here's my scenario:  I've done something in an application that's caused it to crash and I get the "SomeProgram has encountered a problem and needs to close.  We are sorry for this inconvenience."  If you click on the "What data does this error report contain?" link, you'll notice it's also created a crash dump of the process. 

A couple of times I've wanted to look at the dump file that's sent to the Online Crash Analysis to see if it was my code on the stack.  Maybe it's a hard-to-repro thing, or maybe it doesn't repro under the debugger, yada yada.

Frustratingly, it's nearly impossible to get at that .dmp file.  If you happen to find it, you can't copy it aside.  And if you look for it after dismissing the dialog, the .dmp file has been deleted from the machine.

Or so I thought.  Here's the trick that worked for me on Windows XP Professional: use the backup utility to back up the .dmp file, then open it in Visual Studio or Windbg.  (I welcome anyone else's suggestions for a less painful process)

Creating an app that shows the dialog
(you can skip this step if you already have a crashy app).

  • Create a new Windows Forms Application in Visual Studio 2005
  • In Program.cs, add the following line before Application.Run
            Application.SetUnhandledExceptionMode(UnhandledExceptionMode.ThrowException);
  • Add a button to the form in the designer, double click on it and add the following code:
            private void button1_Click(object sender, EventArgs e) {
                throw new Exception("crash!");
            }
  • Control + F5 (run without debugging) your new crash-tastic application

When you click the button you should now see the famous dialog.  DON'T close it or you'll lose the .dmp!

Finding the .dmp file

It should be in your temp folder.  Here's how I find it quickly:

  • Start up a windows explorer (Windows+E) and put %TEMP% in your address bar to navigate to your temp dir
  • View->Details to get the timestamps of all the files in your temp directory
  • Click on the DateModified column to sort by date
  • Look for a .dmp file that would be close to when you thought you crashed the app

Verify you can't copy the file..

  • Try to copy/paste the .dmp file in Windows Explorer.

Now you see what I mean. (Cannot copy A8E2728: It is being used by another person or program.)  If you wait for the crash dialog to go away, the .dmp file will be removed from your machine.  So we have to take action now.

Open up the Backup utility

  • Start->All Programs->Accessories->System Tools->Backup
  • If you get the "Welcome to the Backup or Restore Wizard", swap to "Advanced Mode"
  • Once you're in "Advanced Mode", click on the "Backup" tab.

Back up the .dmp file (you'll have to back up the entire temp dir)

  • Navigate to the C:\Documents and Settings\JFo\Local Settings\Temp folder on the left hand tree.
  • Click on the checkbox for the temp folder in the left hand tree
  • In the right hand list, uncheck all the subfolders (e.g (C:\Documents and Settings\JFo\Local Settings\Temp\tempdir\))
  • Don't worry if there is no checkmark next to the .dmp file itself - it seems to work on folders specifically.
  • Click the "Browse..." button at the bottom of the dialog to pick the .bkf file to back up to (e.g. c:\BackupDumpFile.bkf)
  • Click the "Start Backup" button
  • In the "Backup Job Information" dialog, click "Start Backup"

Restoring the .dmp file from backup

  • In the backup utility, click the "Restore and Manage Media" option
  • Expand File in the left hand tree and navigate to BackupDumpFile.bkf
  • Expand "c:", "Documents and Settings", etc... until you get to the Temp folder.
  • When you've expanded the Temp folder, look for your .dmp file (if you click the modified column it will likely sort near the top)
  • Check the .dmp file on the right hand side
  • In the "Restore Files To" combo box, swap "Original location" to "Alternate location"
  • Click the "Browse..." button to pick a different folder or type in a new folder, e.g. "C:\tempbackup"
  • STOP!   Double check the settings to make sure you're restoring to the right spot and you have a warm and fuzzy feeling!
  • Click the "Start Restore"
  • Accept "Confirm Restore" dialog (if you're still feeling warm and fuzzy)

Look for the restored .dmp file on your disk:

  • Mine was restored to C:\tempbackup\Documents and Settings\Jessica\Local Settings\Temp
  • Open up windows explorer to find the file
  • If you have Visual Studio on your machine, double click it.  Otherwise open it up in Windbg (link below)
  • Hit F5 to run the dump file.

You should now see what state the program was in when it crashed - check the registers, get the call stack etc.

If you want to look at symbols, I'd recommend reading this article for how to set up the symbol server. You may also want to use strike to get a better picture of the CLR stack. In that case you may find using Windbg and SOS better.

For more information on working with .dmp files consult MSDN.