Creating a dump in Microsoft Windows
Last update: 20 February 2018
Information
This section lists several ways to create a memory dump in Microsoft Windows.
Using Windows Task Manager
In order to create a dump of a live process follow these steps:
- Start the Windows Task Manager.
- Switch to the Processes tab or the Details tab, depending on the Windows version.
- Right click on the process you want to dump.
- Select “Create dump file” from the context menu.
- A dump will be created in C:\Users\UserName\AppData\Local\Temp
- When the dump file has been created successfully, confirm the dialog by pressing “OK”.
Applies to
- Windows Vista SP1 and above
- Windows Server 2008 and above
References
Using Windows Error Reporting (WER)
The collection of dumps via the WER can be configured via the Windows registry:
The following values have to be defined in the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
- DumpFolder: The path where the dump files are to be stored. If you do not use the default path, then make sure that the folder contains ACLs that allow the crashing process to write data to the folder. For service crashes, the dump is written to service specific profile folders depending on the service account used. For example, the profile folder for System services is %WINDIR%\System32\Config\SystemProfile. For Network and Local Services, the folder is %WINDIR%\ServiceProfiles.
  Type: REG_EXPAND_SZ
  Default: %LOCALAPPDATA%\CrashDumps
- DumpCount: The maximum number of dump files in the folder. When the maximum value is exceeded, the oldest dump file in the folder will be replaced with the new dump file.
  Type: REG_DWORD
  Default: 10
- DumpType: Specify one of the following dump types:
  - 0: Custom dump
  - 1: Mini dump
  - 2: Full dump (recommended for dumps of Fabasoft products)
  Type: REG_DWORD
  Default: 1
- CustomDumpFlags: The custom dump options to be used. This value is used only when DumpType is set to 0. The options are a bitwise combination of the MINIDUMP_TYPE enumeration values.
  Type: REG_DWORD
  Default: MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData
For further information, please see the "References" section.
Applies to
- Windows Vista SP1 and above
- Windows Server 2008 and above
References
Windows Debugging Tools
These tools are provided by Microsoft and can be obtained by visiting WDK and WinDbg downloads.
Using WinDbg
As part of the debugging tools WinDbg can be attached to any process and log crashes accordingly.
Here is a basic description of the WinDbg process:
- Start WinDbg.exe
- Menu File -> Attach to a process -> Select the process you want to debug or use F6
- Continue the process with "g".
- If the process crashes, the crash is logged accordingly (possibly with a debug break or a break into the Windows Debugging Tools).
- To save the dump use ".dump /f ".
For an in-depth description of the options available with WinDbg, please visit Debugging Using WinDbg.
Using ADPlus
ADPlus is another debugger that is contained in the Windows Debugging Tools. For an in-depth description of how to use it, see How to use ADPlus.vbs to troubleshoot "hangs" and "crashes".
Here are some basic command lines that may be used in connection with Fabasoft products:
- Using the script in crash mode to monitor crashing processes:
cscript adplus.vbs -pn w3wp.exe -crash -o c:\dump -quiet -nodumponfirst
- To monitor for processes that are not yet running (for example reoccurring AT Service processes) you can use this command line (example with adplus.exe):
adplus.exe -Crash -pmn cooats2.exe -o c:\dump -NoDumpOnFirst
cdb Debugger as Postmortem debugger
If you are using a system that is not able to create dumps using WER (e.g. Microsoft Windows Server below 2008), you can use cdb (also available from the Windows Debugging Tools) to automatically create these dumps.
The following settings have to be added to the registry of the affected server:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\cdb.exe\" -p %ld -c \".dump -ma -u c:\\dump.dmp;q\" -e %ld -g"
For further information on postmortem debugging, please visit Enabling Postmortem Debugging.
If Microsoft Visual Studio Just-In-Time Debugger (JIT Debugger) is handling a crash
In some cases, Visual Studio writes its own debugger to the registry, so other debugging options (for example WER debugging) do not work.
To disable Visual Studio JIT debugger, delete the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
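The following read-only PowerShell check is an added example, not part of the original article. It reports the LocalDumps values from the WER section, falling back to the defaults listed there, and shows whether any of the four debugger values from the JIT debugger section is set. It assumes a 64-bit PowerShell session with read access to HKLM.

```powershell
# Added example (not from the original article): read-only audit, changes nothing.
# Assumption: run from a 64-bit PowerShell session so Wow6432Node paths are not redirected.
$werPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$typeNames = @{ 0 = 'Custom dump'; 1 = 'Mini dump'; 2 = 'Full dump' }
# Defaults from the WER section above, reported when a value is not set.
$defaults  = [ordered]@{ DumpFolder = '%LOCALAPPDATA%\CrashDumps'; DumpCount = 10; DumpType = 1 }

$werKey = Get-Item -Path $werPath -ErrorAction SilentlyContinue
if (-not $werKey) {
    Write-Output "LocalDumps key not present (WER local dump collection is not configured): $werPath"
} else {
    $effective = @{}
    foreach ($name in $defaults.Keys) {
        # DoNotExpandEnvironmentNames returns the REG_EXPAND_SZ text as stored.
        $stored = $werKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $source = if ($null -ne $stored) { 'registry' } else { 'default' }
        $effective[$name] = if ($null -ne $stored) { $stored } else { $defaults[$name] }
        Write-Output ('{0,-16} {1} [{2}]' -f $name, $effective[$name], $source)
    }
    $dumpType = [int]$effective['DumpType']
    $label = if ($typeNames.ContainsKey($dumpType)) { $typeNames[$dumpType] } else { 'unknown value' }
    Write-Output "DumpType $dumpType means: $label"
    if ($dumpType -eq 0) {
        # CustomDumpFlags is only used when DumpType is 0.
        $flags = $werKey.GetValue('CustomDumpFlags')
        if ($null -ne $flags) { Write-Output ('CustomDumpFlags  0x{0:X8}' -f $flags) }
    }
}

# Values listed in the JIT debugger section; a set value can take over crash handling from WER.
$debuggerValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'; Name = 'Debugger' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework'; Name = 'DbgManagedDebugger' }
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'; Name = 'Debugger' }
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'; Name = 'DbgManagedDebugger' }
)
$found = $false
foreach ($entry in $debuggerValues) {
    $key = Get-Item -Path $entry.Key -ErrorAction SilentlyContinue
    $command = if ($key) { $key.GetValue($entry.Name) } else { $null }
    if ($command) {
        $found = $true
        Write-Output "Registered debugger: $($entry.Key)\$($entry.Name) = $command"
    }
}
if (-not $found) { Write-Output 'No postmortem/JIT debugger value is set.' }
```

Full dumps (DumpType 2) contain the complete memory of the process, so check that the ACLs on the reported DumpFolder grant access only to the accounts that need it.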