Imprint

Creating a dump in Microsoft WindowsPermanent link for this heading

Last update: 16 December 2024 (cf)

InformationPermanent link for this heading

In the following section we will list multiple possibilities for creating a memory dump in Microsoft Windows

Using Windows Task ManagerPermanent link for this heading

In order to create a dump of a live process follow these steps:

  • Start the Windows Task Manager.
  • Switch to the processes tab or Details Tab according to Windows version
  • Right click on the process you want to dump.
  • Select “Create dump file” from the context menu.
  • A dump will be created in C:\Users\UserName\AppData\Local\Temp
  • When the dump file creation was successful you can confirm the dialog by pressing “OK”

Using Windows Error Reporting (WER)Permanent link for this heading

The collection of dumps via the WER can be configured via the Windows registry:

The following values have to be defined in the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

  • DumpFolder : The path where the dump files are to be stored. If you do not use the default path, then make sure that the folder contains ACLs that allow the crashing process to write data to the folder. For service crashes, the dump is written to service specific profile folders depending on the service account used. For example, the profile folder for System services is %WINDIR%\System32\Config\SystemProfile . For Network and Local Services, the folder is %WINDIR%\ServiceProfiles . Type : REG_EXPAND_SZ Default : %LOCALAPPDATA%\CrashDumps
  • DumpCount : The maximum number of dump files in the folder. When the maximum value is exceeded, the oldest dump file in the folder will be replaced with the new dump file. Type : REG_DWORD Default : 10
  • DumpType : Specify one of the following dump types:
  • 0: Custom dump
  • 1: Mini dump
  • 2: Full dump (recommended for dumps of Fabasoft products)

Type : REG_DWORD Default : 1

  • CustomDumpFlags : The custom dump options to be used. This value is used only when DumpType is set to 0. The options are a bitwise combination of the MINIDUMP_TYPE enumeration values. Type : REG_DWORD Default : MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData.

For further information please see Microsoft Learn: Collecting User-Mode Dumps.

Windows Debugging ToolsPermanent link for this heading

These tools are provided by Microsoft and can be obtained by visiting Debugging Tools for Windows.

Using WinDbgPermanent link for this heading

As part of the debugging tools WinDbg can be attached to any process and log crashes accordingly.

Here is a basic description of the WinDbg process:

  • Start WinDbg.exe
  • Menu File -> Attach to a process -> Select the process you want to debug or use F6
  • Continue the process with „g“
  • In case of a crash, this will be logged accordingly (with the possibility of a debug break or a call of breaking of the Windows Debugging Tools).
  • To save the dump use ".dump /f ".

For a in depth description of the options available with WinDbg please visit Debugging Using The Windows Debugger - WinDbg.

Using ADPlusPermanent link for this heading

ADPlus is another debugger that is contained in the Windows Debugging Tools, for an in depth description how to use it see Advanced troubleshooting for Windows start-up issues.

Here are some basic command lines that may be used in connection with Fabasoft products:

  • Using the script in crash mode to monitor crashing processes:
    cscript adplus.vbs -pn w3wp.exe -crash -o c:\dump -quiet -nodumponfirst
  • To monitor for processes that are not yet running (for example reoccurring AT Service processes) you can use this command line (example with adplus.exe):
    adplus.exe -Crash -pmn cooats2.exe -o c:\dump -NoDumpOnFirst      

cdb Debugger as Postmortem debuggerPermanent link for this heading

If you are using a system that is not able to create dumps using WER (e.g. Microsoft Windows Server below 2008), you can use cdb (also available from the Windows Debugging Tools) to automatically create these dumps.
The following settings have to be added to the registry of the affected server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]

"Auto"="1"

"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\cdb.exe\" -p %ld -c \".dump -ma -u c:\\dump.dmp;q\" -e %ld -g"

For further information on postmortem debugging, visit Enabling Postmortem Debugging.

If Microsoft Visual Studio Just-In-Time Debugger (JIT Debugger) is handling a crashPermanent link for this heading

In some cases, Visual Studio writes its own debugger to the registry, so other debugging options (for example WER debugging) does not work.

To disable Visual Studio JIT debugger, delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger

ReferencesPermanent link for this heading

Microsoft Learn: Manually generate a memory dump file

Microsoft Learn: Collecting User-Mode Dumps

Microsoft Learn: Debugging Tools for Windows

Microsoft Learn: Debugging Using The Windows Debugger - WinDbg

Microsoft Learn: Advanced troubleshooting for Windows start-up issues

Microsoft Learn: Enabling Postmortem Debugging

Download PDF

Download PDF