Creating a dump in Microsoft Windows

Last update: 20 February 2018

Information

In the following sections we list several ways of creating a memory dump of a process in Microsoft Windows.

Using Windows Task Manager

In order to create a dump of a live process, follow these steps:

  1. Start the Windows Task Manager.
  2. Switch to the "Processes" tab or the "Details" tab, depending on your Windows version.
  3. Right-click on the process you want to dump.
  4. A dump will be created in Drive:\Users\UserName\AppData\Local\Temp.
  5. When the dump file has been created successfully, confirm the dialog by pressing "OK".

Applies to
  • Windows Vista SP1 and above
  • Windows Server 2008 and above

References

Using Windows Error Reporting (WER)

The collection of dumps via the WER can be configured via the Windows registry:

The following values have to be defined in the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
  • DumpFolder : The path where the dump files are to be stored. If you do not use the default path, make sure that the folder has ACLs that allow the crashing process to write to it. For service crashes, the dump is written to service-specific profile folders depending on the service account used. For example, the profile folder for System services is %WINDIR%\System32\Config\SystemProfile. For Network and Local Services, the folder is %WINDIR%\ServiceProfiles.

    Type : REG_EXPAND_SZ Default : %LOCALAPPDATA%\CrashDumps

  • DumpCount : The maximum number of dump files in the folder. When the maximum is exceeded, the oldest dump file in the folder is replaced with the new dump file.

    Type : REG_DWORD Default : 10

  • DumpType : Specify one of the following dump types:
    • 0: Custom dump
    • 1: Mini dump
    • 2: Full dump (recommended for dumps of Fabasoft products)

    Type : REG_DWORD Default : 1

  • CustomDumpFlags : The custom dump options to be used. This value is used only when DumpType is set to 0. The options are a bitwise combination of the MINIDUMP_TYPE enumeration values.

    Type : REG_DWORD Default : MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData

For further information please see the "References" section.
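The LocalDumps configuration described above, applied and read back with PowerShell. This is an added example, not part of the original article; it assumes an elevated session, and the dump folder D:\CrashDumps is a constructed sample path.

```powershell
# Added example: configure WER LocalDumps (DumpFolder, DumpCount, DumpType)
# and verify the result. Requires an elevated PowerShell session.
$LocalDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Set-WerLocalDumps {
    param(
        [string]$DumpFolder = 'D:\CrashDumps',   # constructed sample path
        [int]$DumpCount = 10,
        [ValidateSet('Custom', 'Mini', 'Full')][string]$DumpType = 'Full'
    )
    # DumpType codes from the article: 0 = Custom, 1 = Mini, 2 = Full (recommended)
    $typeCode = @{ Custom = 0; Mini = 1; Full = 2 }[$DumpType]

    # A non-default folder must exist and be writable by the crashing process.
    # Full dumps contain the whole process memory (including in-memory secrets),
    # so grant only what is needed: Users may create files, but not read others' dumps.
    New-Item -Path $DumpFolder -ItemType Directory -Force | Out-Null
    $acl   = Get-Acl -Path $DumpFolder
    $rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Users',
            [System.Security.AccessControl.FileSystemRights]'CreateFiles,AppendData,Synchronize',
            'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $DumpFolder -AclObject $acl

    New-Item -Path $LocalDumps -Force | Out-Null
    # REG_EXPAND_SZ so %ENVIRONMENT% variables in the path are expanded by WER
    New-ItemProperty -Path $LocalDumps -Name DumpFolder -Value $DumpFolder -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $LocalDumps -Name DumpCount  -Value $DumpCount  -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $LocalDumps -Name DumpType   -Value $typeCode   -PropertyType DWord -Force | Out-Null
}

function Get-WerLocalDumps {
    # Read back the effective configuration so the change can be verified.
    $p = Get-ItemProperty -Path $LocalDumps -ErrorAction Stop
    [pscustomobject]@{
        DumpFolder = $p.DumpFolder
        DumpCount  = $p.DumpCount
        DumpType   = @{ 0 = 'Custom'; 1 = 'Mini'; 2 = 'Full' }[[int]$p.DumpType]
    }
}

Set-WerLocalDumps -DumpType Full
Get-WerLocalDumps
```

Services running as System or as Network/Local Service write to their own profile folders regardless of DumpFolder, as the article notes, so check those locations after a service crash.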

Applies to
  • Windows Vista SP1 and above
  • Windows Server 2008 and above
References

Windows Debugging Tools

These tools are provided by Microsoft and can be obtained by visiting WDK and WinDbg downloads.

Using WinDbg

As part of the debugging tools WinDbg can be attached to any process and log crashes accordingly.

Here is a basic description of the WinDbg process:

  • Start WinDbg.exe
  • Menu File -> Attach to a process -> Select the process you want to debug or use F6
  • Continue the process with “g”
  • In case of a crash, WinDbg logs it accordingly and breaks into the debugger (a debug break can also be triggered manually from the Windows Debugging Tools), so you can inspect the process before saving a dump.
  • To save the dump use ".dump /f ".

For an in-depth description of the options available with WinDbg please visit Debugging Using WinDbg.

Using ADPlus

ADPlus is another debugger contained in the Windows Debugging Tools; for an in-depth description of how to use it, see How to use ADPlus.vbs to troubleshoot "hangs" and "crashes".

Here are some basic command lines that may be used in connection with Fabasoft products:

  • Using the script in crash mode to monitor crashing processes:
    cscript adplus.vbs -pn w3wp.exe -crash -o c:\dump -quiet -nodumponfirst
  • To monitor processes that are not yet running (for example recurring AT Service processes) you can use this command line (example with adplus.exe):
    adplus.exe -Crash -pmn cooats2.exe -o c:\dump -NoDumpOnFirst


cdb Debugger as Postmortem debugger

If you are using a system that is not able to create dumps using WER (e.g. Microsoft Windows Server versions below 2008), you can use cdb (also available from the Windows Debugging Tools) to create these dumps automatically.
The following settings have to be added to the registry of the affected server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\cdb.exe\" -p %ld -c \".dump -ma -u c:\\dump.dmp;q\" -e %ld -g"

For further information on postmortem debugging please visit: Enabling Postmortem Debugging.

If Microsoft Visual Studio Just-In-Time Debugger (JIT Debugger) is handling a crash

In some cases, Visual Studio registers its own debugger in the registry, so other debugging options (for example WER debugging) do not work.

To disable the Visual Studio JIT debugger, delete the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
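A PowerShell audit of the four values listed above, which explains why WER LocalDumps or the cdb postmortem setup may silently produce nothing. This is an added example, not part of the original article; it assumes an elevated session and matches the Visual Studio JIT debugger by its executable name vsjitdebugger.exe.

```powershell
# Added example: report the configured postmortem debuggers and optionally
# remove the Visual Studio JIT entries. Requires an elevated PowerShell session.
$DebuggerValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';             Name = 'Debugger' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework';                                  Name = 'DbgManagedDebugger' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug';  Name = 'Debugger' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework';                       Name = 'DbgManagedDebugger' }
)

function Get-PostmortemDebugger {
    # One row per value: which debugger (if any) takes over on a crash.
    foreach ($v in $DebuggerValues) {
        $item  = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($v.Name) } else { $null }
        [pscustomobject]@{
            Path    = $v.Path
            Name    = $v.Name
            Value   = $value
            # vsjitdebugger.exe is the Visual Studio Just-In-Time debugger
            IsVsJit = [bool]($value -and $value -match 'vsjitdebugger')
        }
    }
}

function Remove-VsJitDebugger {
    # Deletes only the values that point at the Visual Studio JIT debugger,
    # leaving a deliberately configured cdb.exe entry (see the cdb section) intact.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($entry in Get-PostmortemDebugger | Where-Object { $_.IsVsJit }) {
        if ($PSCmdlet.ShouldProcess("$($entry.Path)\$($entry.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $entry.Path -Name $entry.Name
        }
    }
}

Get-PostmortemDebugger | Format-Table -AutoSize
Remove-VsJitDebugger -WhatIf   # drop -WhatIf to actually delete the values
```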