How to capture a process dump on Windows when a process crashes randomly


57221
Created On 05/22/22 12:47 PM - Last Modified 07/13/23 07:53 AM


Objective


When a process crashes randomly and the crash cannot be reproduced on demand, a dedicated tool is needed that captures the process dump automatically at the moment of the crash.
ProcDump, a Microsoft Sysinternals tool, can be used for this purpose.
 

 



Environment


  • Windows OS
  • Troubleshooting scenarios on Cortex XDR, Cortex XSIAM where the process crashes


Procedure


Download ProcDump from Microsoft (Sysinternals ProcDump).
 

ProcDump will automatically write a full dump of a process's memory when that process crashes, once the following steps are completed.

  1. Create a folder for the dumps.
  2. From the folder where procdump.exe is located, run: procdump -ma -i <the folder to dump into>
     For example: procdump -ma -i c:\dumps

  • This command installs ProcDump as the postmortem (AeDebug) debugger, so it runs whenever there is an unhandled exception (a crash).
  • This means that whenever any process crashes, a full dump of that process is written to the supplied path.
  • Once you have collected the dump, disable ProcDump with the following command: procdump.exe -u
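The procedure above, as an added PowerShell example that is not part of the original article: it creates the dump folder, checks free space (a -ma full dump can be as large as the process's committed memory), registers ProcDump with -i, verifies the AeDebug registration in the registry, and removes it again with -u. It assumes procdump.exe sits in the current directory and that the script is run from an elevated prompt, since -i writes under HKLM.

```powershell
# Added example (not the article's or Microsoft's code). Run elevated.
# Usage:  .\Register-ProcDump.ps1             -> install as postmortem debugger
#         .\Register-ProcDump.ps1 -Uninstall  -> remove it again (procdump -u)
param(
    [string]$ProcDumpExe = ".\procdump.exe",  # location of procdump.exe (assumption)
    [string]$DumpDir     = "C:\dumps",         # folder used in the article's example
    [switch]$Uninstall                         # cleanup mode
)

# ProcDump -i registers itself here; on 64-bit Windows it also writes the
# Wow6432Node copy, which this check does not inspect.
$AeDebugKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"

if ($Uninstall) {
    # Same as the article's cleanup step: procdump.exe -u
    & $ProcDumpExe -accepteula -u
} else {
    # Step 1: create the dump folder if it does not exist yet.
    New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null

    # Every crashing process will now produce a full dump, so make sure the
    # target volume has room before turning the hook on.
    $drive = Get-PSDrive -Name $DumpDir.Substring(0, 1)
    Write-Host ("Free space on {0}: {1:N0} MB" -f $drive.Root, ($drive.Free / 1MB))

    # Step 2: the article's command; -ma = full memory dump, -i = install as AeDebug debugger.
    & $ProcDumpExe -accepteula -ma -i $DumpDir
}

# Verify the result: AeDebug\Debugger names procdump.exe after -i and not after -u.
$aedebug = Get-ItemProperty -Path $AeDebugKey -ErrorAction SilentlyContinue
if ($aedebug -and $aedebug.Debugger -match "procdump") {
    Write-Host "ProcDump is registered as the postmortem debugger: $($aedebug.Debugger)"
} else {
    Write-Host "ProcDump is not registered as the postmortem debugger."
}
```

Full dumps contain the complete memory of the crashed process, so treat the dump folder as sensitive and remove the registration with -Uninstall as soon as the needed dump has been collected.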


Additional Information


Palo Alto Networks does not support this tool. The article is provided in case customers are not aware of it as a way to capture a process dump.


ProcDump option flags:

usage: procdump [-a] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1 [-b]] [-f <filter,...>] [-g] [-h] [-l] [-m|-ml commit usage] [-ma | -mp] [-o] [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] [-64] <[-w] <process name or service name or PID> [dump file] | -i <dump file> | -u | -x <dump file> <image file> [arguments] >] [-? [ -e]

Parameter   Description
-a          Avoid outage. Requires -r. If the trigger will cause the target to suspend for a prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.
-at         Avoid outage at Timeout. Cancel the trigger's collection at N seconds.
-b          Treat debug breakpoints as exceptions (otherwise ignore them).
-c          CPU threshold at which to create a dump of the process.
-cl         CPU threshold below which to create a dump of the process.
-d          Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.
-e          Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.
-f          Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.
-fx         Filter (exclude) on the content of exceptions and debug logging. Wildcards are supported.
-g          Run as a native debugger in a managed process (no interop).
-h          Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).
-i          Install ProcDump as the AeDebug postmortem debugger. Only -ma, -mp, -d and -r are supported as additional options.
-k          Kill the process after cloning (-r), or at the end of dump collection.
-l          Display the debug logging of the process.
-m          Memory commit threshold in MB at which to create a dump.
-ma         Write a dump file with all process memory. The default dump format only includes thread and handle information.
-mc         Write a custom dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
-md         Write a Callback dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL.
-mk         Also write a Kernel dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size.
-ml         Trigger when memory commit drops below specified MB value.
-mm         Write a mini dump file (default).
-mp         Write a dump file with thread and handle information, and all read/write process memory. To minimize dump size, memory areas larger than 512MB are searched for, and if found, the largest area is excluded. A memory area is the collection of same sized memory allocation areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.
-n          Number of dumps to write before exiting.
-o          Overwrite an existing dump file.
-p          Trigger on the specified performance counter when the threshold is exceeded. Note: to specify a process counter when there are multiple instances of the process running, use the process ID with the following syntax: "\Process(<name>_<pid>)\counter"
-pl         Trigger when performance counter falls below the specified value.
-r          Dump using a clone. Concurrent limit is optional (default 1, max 5).
            CAUTION: a high concurrency value may impact system performance.
            - Windows 7   : Uses Reflection. OS doesn't support -e.
            - Windows 8.0 : Uses Reflection. OS doesn't support -e.
            - Windows 8.1+: Uses PSS. All trigger types are supported.
-s          Consecutive seconds before dump is written (default is 10).
-t          Write a dump when the process terminates.
-u          Treat CPU usage relative to a single core (used with -c).
            As the only option, uninstalls ProcDump as the postmortem debugger.
-w          Wait for the specified process to launch if it's not running.
-wer        Queue the (largest) dump to Windows Error Reporting.
-x          Launch the specified image with optional arguments. If it is a Store Application or Package, ProcDump will start on the next activation (only).
-64         By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.
-?          Use -? -e to see example command lines.




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpfyCAC&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail