How to Dump when a Function Fails

So here are the steps you can use in the debugger to get it to create a process dump when a given function fails.  Please note that this is only for a native function and not a managed (.NET) function.

First, find the ret instruction for the function you're interested in...

 0:000> uf ole32!CoCreateInstanceEx
ole32!CoCreateInstanceEx:
  140 775002ce 8bff             mov     edi,edi
  140 775002d0 55               push    ebp
  140 775002d1 8bec             mov     ebp,esp
  148 775002d3 6a00             push    0x0
  148 775002d5 ff751c           push    dword ptr [ebp+0x1c]
  148 775002d8 ff7518           push    dword ptr [ebp+0x18]
  148 775002db ff7514           push    dword ptr [ebp+0x14]
  148 775002de ff7510           push    dword ptr [ebp+0x10]
  148 775002e1 ff750c           push    dword ptr [ebp+0xc]
  148 775002e4 ff7508           push    dword ptr [ebp+0x8]
  148 775002e7 e809000000     call ole32!CComActivator::DoCreateInstance (775002f5)
  149 775002ec 5d               pop     ebp
  149 775002ed c21800           ret     0x18        <---------- HERE

Then set the breakpoint...

 0:000> bu 775002ed ".if((@eax & 0`ffffffff) == (800401f3))
      {.dump /ma /u C:\InvalidClassString.dmp;g}.else{g}"

Note: In this case I'm checking for a specific HRESULT, and note the bit-masking crud (see the "sign extension of registers" topic on the debugger.chm for more info).