How to install Windbg and get your first memory dump


Install Windbg


Windbg is the tool for the ASP.NET support engineer. It is free and it’s available at www.microsoft.com/whdc/devtools/debugging/default.mspx. The learning curve is steep to say the least, but if you’re interested in finding out what is going on behind the scenes in your application, then Windbg is your new best friend. For information on how to configure windbg, please refer to the documentation. Pay special attention to the section concerning symbols.


There is an extension called SOS.dll that you will want to use. You’ll find it in the framework directory, so for Framework 2.0 look in “C:\Windows\Microsoft.NET\Framework\v2.0.50727”. You might want to copy it into the same folder as windbg for easy access.


Get a memory dump


Windbg will allow you to either perform a post mortem analysis on a memory dump or to attach to a process during execution. I mainly deal with memory dumps, since it’s a lot easier to request a single file from a customer rather than access to their server. Maybe I’ll cover live debugging in another post, but for now we’ll just look at dump files.


Vista


If you’re running Windows Vista, then you can easily create a dump file from the task manager. Simply open up the “Processes”-tab, right-click the process you wish to dump and select “Create Dump File”.


Adplus


For any other system or if you want to specify certain conditions I’d recommend using a script called adplus. It comes with the Windbg installation and is run from the command prompt. Adplus will take a number of arguments, but for basic operation there are two things you need to specify:



  1. When to take the dump
  2. The name or process ID of the process you wish to take a dump of

The dumps generated by adplus will be saved to a subfolder of the folder where you’ve installed windbg.


For example:


adplus -crash -pn w3wp.exe

This will generate a full memory dump right before any process named w3wp.exe terminates or recycles. This will also generate minidumps on all first chance exceptions.


 


adplus -crash -pn w3wp.exe -NoDumpOnFirst

 


Same as above, but without the minidumps.


 


adplus -hang -p 2960

This will immediately get a full dump of the process with ID 2960. Commonly used when the process has hung, or is generally unresponsive. Hence the name.


 


Advanced Adplus


If you’re trying to pin down the cause of a specific exception, then you can use a config file. This is a sample config file that will create a full memory dump once a System.Runtime.InteropServices.COMException occurs. Simply copy the code below into notepad and save it as MyConfig.cfg.


<ADPlus>
 <Settings>
  <RunMode> CRASH </RunMode>
 </Settings>
 <PreCommands>
  <Cmd> !load clr10\sos</Cmd>
 </PreCommands>
 <Exceptions>
  <Option> NoDumpOnFirstChance </Option>
  <Option> NoDumpOnSecondChance </Option>
  <Config>
   <!-- This is for the CLR exception -->
   <Code> clr </Code>
   <Actions1> Log </Actions1>
   <CustomActions1> !clr10\sos.cce System.Runtime.InteropServices.COMException 1; j ($t1 = 1) '.dump /ma /u c:\dumps\exceptiondump.dmp;gn' ; 'gn' </CustomActions1>
   <ReturnAction1> GN </ReturnAction1>
   <Actions2> Void </Actions2>
   <ReturnAction2> GN </ReturnAction2>
  </Config>
 </Exceptions>
</ADPlus>

As you can see you can easily adjust the config so that it gets a dump on any other exception. The dump will be saved in c:\dumps, so you should also make sure that this folder exists. When you’re ready, run adplus with the following syntax:


adplus -c myconfig.cfg -pn w3wp.exe
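
Adjusting the config for another exception, as an added example that is not part of the original post: a PowerShell function that writes the same config for a given exception type and creates the dump folder. The function and parameter names are assumptions; the type name and folder are validated because both end up inside a debugger command line.

```powershell
# Added example, not from the original post. New-AdplusExceptionConfig and
# its parameter names are hypothetical; the XML layout and the debugger
# commands are the ones shown in the post's MyConfig.cfg.
function New-AdplusExceptionConfig {
    param(
        [Parameter(Mandatory = $true)] [string] $ExceptionType,
        [string] $DumpFolder = 'c:\dumps',
        [string] $ConfigPath = '.\MyConfig.cfg'
    )
    # Both values are pasted into a debugger command line. Accept only a
    # dotted .NET type name and a simple local path, so quotes, semicolons,
    # spaces and XML metacharacters cannot alter the command or the XML.
    if ($ExceptionType -notmatch '\A[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*\z') {
        throw "Not a plain .NET type name: $ExceptionType"
    }
    if ($DumpFolder -notmatch '\A[A-Za-z]:(\\[A-Za-z0-9_.-]+)+\z') {
        throw "Not a simple local folder path: $DumpFolder"
    }
    # The post notes the dump folder must exist; create it if it is missing.
    if (-not (Test-Path -LiteralPath $DumpFolder -PathType Container)) {
        New-Item -ItemType Directory -Path $DumpFolder | Out-Null
    }
    $dumpFile = "$DumpFolder\exceptiondump.dmp"
    $action = "!clr10\sos.cce $ExceptionType 1; j (`$t1 = 1) " +
              "'.dump /ma /u $dumpFile;gn' ; 'gn'"
    $config = @"
<ADPlus>
 <Settings>
  <RunMode> CRASH </RunMode>
 </Settings>
 <PreCommands>
  <Cmd> !load clr10\sos</Cmd>
 </PreCommands>
 <Exceptions>
  <Option> NoDumpOnFirstChance </Option>
  <Option> NoDumpOnSecondChance </Option>
  <Config>
   <Code> clr </Code>
   <Actions1> Log </Actions1>
   <CustomActions1> $action </CustomActions1>
   <ReturnAction1> GN </ReturnAction1>
   <Actions2> Void </Actions2>
   <ReturnAction2> GN </ReturnAction2>
  </Config>
 </Exceptions>
</ADPlus>
"@
    Set-Content -LiteralPath $ConfigPath -Value $config -Encoding ASCII
    return $ConfigPath
}
```

Calling `New-AdplusExceptionConfig -ExceptionType System.InvalidOperationException` writes MyConfig.cfg in the current folder, which is then passed to adplus with -c as shown above.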

  


Debugging through a Terminal Server session


If you don’t have direct access to the server you need to either attach noninvasively or schedule the command you wish to run. This can seem  a bit complicated, but there’s a pretty good howto written in the knowledge base under the following article: http://support.microsoft.com/default.aspx/kb/323478


Well I guess that’s all for now.


/ Johan

Comments (17)

  1. Hi Johan,

    Great stuff! Thanks for sharing it, and also for the "Advanced Adplus" section in particular!

    Couple of things which I think is worth mentioning is that you can’t take automatic dumps (you can connect to session 0, I believe, though!) by using adplus.vbs if you are using Terminal Service to login to the problematic box and setting up a rule for crash.

    adplus -crach -pn w3wp.exe -NoDumpOnFirst

    Besides, IMHO DebugDiag is doing a pretty good job these days because of its easy-to-use GUI.

    http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

    Now, the most trivial thing… adplus -crach -pn w3wp.exe -NoDumpOnFirst… is obviously mis-spelt!

    Thanks,

    Rahul Soni

  2. JohanS says:

    Hi Rahul,

    Thanks for the feedback. Good point on including the information for Terminal Services. I’ve updated the post and linked to a good kb-article on the subject.

    I corrected the typo too. Good catch! 🙂

    DebugDiag is great, and I’ve used it quite a lot. I sort of swing back and forth between adplus and DebugDiag. For a while I preferred DebugDiag because of its friendly GUI, but right now I favor adplus. I guess it’s because I find it easier to send a few command lines to a client rather than a couple of screenshots.

    Cheers / Johan

  3. Rohit says:

    Hi All,

    Can anyone tell me how do I get a memory dump for an exe which terminates in very little time?

    Since then I don't have the process ID nor the process name, since it remains for a very short duration.

    Thanks ..

    Rohit

  4. JohanS says:

    Hi Rohit,

    Start windbg and run the application directly from windbg (I’m assuming that this is a winforms application or similar.)

    Windbg will load the .exe and immediately break. Type "g" (go) and press enter.

    When the process terminates windbg will automatically break again. You can then investigate the process or save a dump using the .dump command.

    / Johan

  5. alik levin's says:

    Revealing clear text passwords in memory seems to be a trivial task. This post describes how to reveal

  7. .NET Debugging Demos This is a series of debugging demos aimed to help you get some hands on experience

  8. Justin says:

    .NET Debugging Demos

    This is a series of debugging demos intended to help you gain some… with the most common hang, performance, memory and crash problems when debugging .NET applications…

  9. Satyabrata Paul says:

    Hi Johan

       Thanks for this article.

       I am trying to configure my windbg but unable to do so. I need your help regarding this. I am developing a web and using visual studio 2005 and framework 2.0. Please help me how to configure the windbg to debug my web application as we are facing problems with memory leak.

    I have already installed windbg and copy and paste the sos.dll to the windbg folder according to mentioned above.

    Thanks and regards

    Satyabrata Paul

    satyabrata.paul@gmail.com

  10. Kan Guru says:

    Hi,

    How do I get complete memory dump without specifying process id or name? The issue here is all the process seems to work fine however the responds too slowly and a reboot will resolve it.

    Appreciate your help on this.

  11. Srinivas says:

    Use Process Explorer to get a complete dump.

  12. Mik says:

    Hi, I've a question: how to use the .dump command in windbg with the parameter "/kpmf"? Thanks.

  13. I tried following command for /kpmf : ".dump /kpmf -file C:xyz.dmp".

  14. stan.chen says:

    Thanks for the great article. However, when I run adplus -crash -pn w3wp.exe in Windows 2008 R2, I got an error saying "An output directory was not dfined." Can you help?

    Thanks

    Stanley

  15. Jakub says:

    I wish you bothered to include in your article how to actually run windbg.exe. The file is nowhere to be found after installation. Same with your adplus.

    I wish I didn't waste my time trying to get help here. I'm totally furious.

  16. Anonymous says:

    It's 2015.

    It's impossible to install WinDbg anymore.