How to take a ProcDump


ProcDump is a command line debugger tool which will dump the in-memory contents of the process of an application into a .dmp (dump) file. The dump file can be loaded by debuggers such as WinDbg and Visual studio for doing type of debugging called post-mortem debugging (i.e. debugging after the issue causing a problem reproduced). Dumps will contain the call stacks, registers and data of the application at the time the dump is taken. Its like a point in time snap-shot of an application.

Download:

You can download ProcDump here.

ProcDump
https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Note on exceptions: A first chance exception is when an error is thrown in an application. Code has a chance to handle that exception. If the exception is not handled, then it becomes a second chance exception then the application crashes out and Windows handles the error as a second chance exception by killing the application's process. A hang dump is taken for conditions where you want a "now" snapshot of a process and is usually used for debugging issue where there is a hang or slowness exhibited by an application. Sometimes it's used to see what is loaded into a process at a given time. A crash dump is used for taking a dump when an application is crashing (second chance exception – the process will be killed).

Note on permissions: ProcDump should normally be run from an elevated command prompt.

Note about bitness: There are two versions of ProcDump in the download zip file. "procdump.exe" is for taking a dump of a 32bit process/application. "procdump64.exe" is for taking a dump of a 64-bit process/application. So, if your taking a dump of 32-bit Outlook then you would use procdump.exe

Note about matching symbols and source: If you want to be able to debug the dump with aligned symbols and source code then be sure the executable the dump is being taken for is from the same build of the application the symbols file (.pdb) was build in and that the source code matches. Symbols and source are not always needed for debugging a dump, however sometimes they are, and the executable, symbols and source and code need to be from the same build to properly line up for debugging. Debuggers use information from symbols to understand data and know where the code lines up with where you are at in the dump.

Some common parameters:

-e    Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.

-f    Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.

Note: This lets you take a targeted first chance exception dump. An application may have lots of fist chance exceptions thrown and handle them and there is no issue with those, however there could be one your looking to get a dump for. You can use -F with a filter of "" to get a list of first chance exceptions thrown as it runs then use the name of one of the exceptions in a secondary run of the application and using the -F parameter with the exception name. You may also have obtained the exception from a prior crash or error from debugging or from a logged exception.

-h    Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).

-n    Number of dumps to write before exiting. Consider using with -s.

-ma    Write a dump file with all process memory. The default dump format only includes thread and handle information.

Note: This is for taking a full dump. By default, a dump will only contain thread and handle information (a min-dump). Almost in all cases you will want to take a full dump.

-s    Consecutive seconds before dump is written (default is 10).

Note: this is useful for taking several dumps which is commonly used when trouble shooting hang scenarios. Consider using with -n.

-w    Wait for the application to launch and take a dump when specified by other command line options.

Note: You won't have a process ID of an application until its running. Services are not launched by command line, so you need a way to attach to it when it is started. The -w flag lets you attach ProcDump at the time the process is started by using its executable name.

Below are some common command lines…

To take a hang dump:

To immediately take a hang dump at the time the command for a running application based-upon its process ID:

procdump  -ma  1234

This will take a dump of the program with the process id of 1234.

This command line will take a dump of the running application "myapp.exe" immediately.

procdump -ma myapp.exe

Take a dump when an application crashes:

Adding the -e flag to the command line causes ProcDump to wait for exceptions and take a dump.

Take a dump for a second chance exception only:

procdump -e -ma myapp

Take a dump for a first chance exception and second chance exception:

procdump -e 1 -ma myapp

Display first chance exceptions without taking a dump:

Sometimes you may want to see what first chance exceptions are being thrown – a command line with -f "" will cause first chance exceptions to be displayed.

procdump -e 1 -f "" myapp.exe

Take a full dump when a specific first chance exception is thrown:

If the command line "procdump -e 1 -f "" myapp.exe" displayed an exception of "NotFound" then you can use the following command line to take a dump when that exception is thrown on a subsequent run of the application:

Full dump:

procdump -e 1 -ma -f NotFound myapp.exe

Mini dump:

procdump -e 1 -ma -f NotFound myapp.exe

Launch an application by its path and wait for a crash:

This will launch "myapp.exe" and attach to it and will create a dump if the application crashes.

procdump -e -ma -x C:\myappfolder\myapp.exe

Wait for the application to run then take a dump (per what is specified by other flags on the command line):

This is helpful when you want to attach to a service process from the point it spins up. This will take a full dump of "MyServiceProcess.exe" if it crashes from startup forward:

procdump -e -ma -w MyServiceProcess.exe

Write a dump when a hang is detected (the application's process is not active for 5 seconds):

procdump -h myhangingapp

Wait for a program to run then take a hang dump if a hang is detected:

    Procdump -h -w myhangingapp

Take a series of dumps in a row with some time spacing:

A single dump will tell you where you are at a given time. For troubleshooting hangs it helps to have several hang dumps in a row. You could run command lines one after the other to take them manually, however ProcDump has parameters to make this easier.

This line will take 5 mini dumps of "myapp" 10 seconds a part:

procdump -s 10 -n 5 myapp

This line will take 3 full dumps of "myapp" 20 seconds a part:

procdump -s 25 -n 3 myapp

Naming your dumps:

You can add the name of a dump file as a parameter at the end of the command line if you want to name it rather than going with the generated file name. Dump file names should end with ".dmp".

procdump -h myapp.exe myappdumpfile.dmp

Video training:

Defrag Tools: #9 – ProcDump
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-9-ProcDump

Defrag Tools: #10 - ProcDump – Triggers
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-10-ProcDump-Triggers

Defrag Tools: #11 - ProcDump - Windows 8 & Process Monitor
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-11-ProcDump-Windows-8--Process-Monitor

 


Comments (0)

Skip to main content