Got this question a few times this month … to go in a bit detail, the question is, how to I take the dump of winword (or any other exe for that matter), let’s say that you are automating winword and creating a new document, after creation of every document, you kill the word and restart it again .. when this code is kept running for an hr, winword crashes intermittently
We can’t use adplus.vbs –crash –pn winword.exe, because it will attach cdb.exe to winword and will take the dump only if the crash happens in the first invocation ..
We can’t use Image File Execution Options to attach the debugger every time winword is launched, because for one .. it makes the customer code very slow .. two .. and most of the time, it’s not unsuitable to use this on the production environment (isn’t even reliable on a client either J )
So, the answer is – use userdump.exe, the User Mode Process Dumper (userdump) dumps any running Win32 processes memory image (including system processes such as csrss.exe, winlogon.exe, services.exe, etc) on the fly, without attaching a debugger, or terminating target processes. Generated dump file can be analyzed or debugged by using the standard debugging tools.
The userdump generates dump file by several triggers;
- Dump by specifying PID or process name from command line
- Dump automatically when process being monitored caused exceptions
- Dump automatically when process being monitored exited
- Dump by pressing hot key sequence
Although, this doesn’t work well with x64, but this is a boon for i386 ( "Dump on Process Termination" is implemented by hooking into the System Service Table, but x64 Windows does not allow this type of hooking. Thus, "Dump on termination" is not supported on x64 systems. )
You can download it from User Mode Process Dumper Version 8.1