
How to take a ProcDump


ProcDump is a command-line debugger tool that dumps the in-memory contents of an application's process into a .dmp (dump) file. The dump file can be loaded by debuggers such as WinDbg and Visual Studio for a type of debugging called post-mortem debugging (i.e. debugging after the issue causing a problem has been reproduced). Dumps contain the call stacks, registers and data of the application at the time the dump is taken. It's like a point-in-time snapshot of an application.

Notes: A first chance exception occurs when an error is thrown in an application. Code has a chance to handle that exception. If the exception is not handled, it becomes a second chance exception: the application crashes and Windows handles the error by killing the application's process. A hang dump is taken when you want a "now" snapshot of a process and is usually used for debugging issues where an application exhibits a hang or slowness. Sometimes it's used to see what is loaded into a process at a given time. A crash dump is taken when an application is crashing (second chance exception – the process will be killed).

Download:

You can download ProcDump here.

ProcDump
https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

NOTE: ProcDump should be run from an elevated command prompt.

Some common parameters:

-e    Write a dump when the process encounters an unhandled exception. Include the 1 (-e 1) to also create a dump on first chance exceptions.

-f    Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.

Note: This lets you take a targeted first chance exception dump. An application may throw lots of first chance exceptions and handle them with no issue, but there could be one you're looking to get a dump for. You can use -f with a filter of "" to list the first chance exceptions thrown as the application runs, then use the name of one of those exceptions with the -f parameter in a second run of the application. You may also have obtained the exception name from a prior crash, from an error seen while debugging, or from a logged exception.

-h    Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).

-n    Number of dumps to write before exiting. Consider using with -s.

-ma    Write a dump file with all process memory. The default dump format only includes thread and handle information.

Note: This is for taking a full dump. By default, a dump will only contain thread and handle information (a mini dump). In almost all cases you will want to take a full dump.

-s    Consecutive seconds before dump is written (default is 10).

Note: This is useful for taking several dumps, which is common when troubleshooting hang scenarios. Consider using with -n.

-w    Wait for the application to launch and take a dump when specified by other command line options.

Note: You won't have a process ID for an application until it's running. Services are not launched from the command line, so you need a way to attach to a service when it starts. The -w flag lets you attach ProcDump at the time the process is started by using its executable name.

Below are some common command lines…

To take a hang dump:

To immediately take a hang dump of a running application, based upon its process ID:

Procdump -ma 1234

This will take a dump of the program with the process id of 1234.

This command line will take a dump of the running application "myapp.exe" immediately.

Procdump -ma myapp.exe

Take a dump when an application crashes:

Adding the -e flag to the command line causes ProcDump to wait for exceptions and take a dump.

Take a dump for a second chance exception only:

Procdump -e -ma myapp

Take a dump for a first chance exception and second chance exception:

Procdump -e 1 -ma myapp

Display first chance exceptions without taking a dump:

procdump -e 1 -f "" myapp.exe

Take a full dump when the first chance exception "NotFound" is thrown:

If the command line "procdump -e 1 -f "" myapp.exe" displayed an exception of "NotFound" then you can use the following command line to take a dump when that exception is thrown on a subsequent run of the application:

Full dump:

procdump -e 1 -ma -f NotFound myapp.exe

Mini dump:

procdump -e 1 -f NotFound myapp.exe

Launch an application by its path and wait for a crash:

This will launch "myapp.exe" and attach to it and will create a dump if the application crashes.

procdump -e -ma -x C:\myappfolder\myapp.exe

Wait for the application to run then take a dump (per what is specified by other flags on the command line):

This is helpful when you want to attach to a service process from the point it spins up. This will take a full dump of "MyServiceProcess.exe" if it crashes from startup forward:

procdump -e -ma -w MyServiceProcess.exe

Write a dump when a hang is detected (the application's window does not respond to window messages for at least 5 seconds):

procdump -h myhungapp.exe

Take a series of dumps in a row with some time spacing:

A single dump will tell you where you are at a given time. For troubleshooting hangs it helps to have several hang dumps in a row. You could run command lines one after the other to take them manually, however ProcDump has parameters to make this easier.

This line will take 5 mini dumps of "myapp" 10 seconds apart:

procdump -s 10 -n 5 myapp

This line will take 3 full dumps of "myapp" 20 seconds apart:

procdump -ma -s 20 -n 3 myapp
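
A full dump (-ma) holds all process memory, including any credentials, keys or user data the application had loaded, so it helps to collect a dump series into a folder only administrators can read and to hash each file. The PowerShell script below is an added example, not part of the original post. It assumes procdump.exe is on PATH; the folder C:\Dumps\case-001 is a placeholder, and the -accepteula switch (which pre-accepts the Sysinternals license prompt) is not mentioned in the post.

```powershell
#Requires -RunAsAdministrator
# Added example: take a series of full dumps into a locked-down folder and
# record a SHA-256 for each one. Names below are placeholders (assumptions).

$target  = 'myapp'               # process name or PID, as in the examples above
$dumpDir = 'C:\Dumps\case-001'   # hypothetical case folder
$count   = 3                     # number of dumps (-n)
$seconds = 20                    # spacing between dumps (-s)

# Create the folder and restrict it BEFORE any dump is written:
# remove inherited ACEs, then grant full control only to
# BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null
icacls $dumpDir /inheritance:r `
    /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# ProcDump writes generated file names into the current directory,
# so run it from inside the restricted folder.
Push-Location $dumpDir
try {
    & procdump.exe -accepteula -ma -s $seconds -n $count $target
}
finally {
    Pop-Location
}

# Do not trust the run blindly: confirm that dump files actually exist.
$dumps = Get-ChildItem -Path $dumpDir -Filter *.dmp
if (-not $dumps) {
    throw "No dump files were written to $dumpDir"
}

# Hash every dump so copies handed to others can be verified later.
$dumps | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dumpDir 'hashes.csv') -NoTypeInformation

$dumps | Select-Object Name, Length, LastWriteTime
```

Delete the dumps once analysis is finished, and verify the hashes from hashes.csv after any transfer.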

Naming your dumps:

You can add the name of a dump file as a parameter at the end of the command line if you want to name it rather than going with the generated file name. Dump file names should end with .dmp.

procdump -h myapp.exe myappdumpfile.dmp

Video training:

Defrag Tools: #9 – ProcDump
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-9-ProcDump

Defrag Tools: #10 - ProcDump – Triggers
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-10-ProcDump-Triggers

Defrag Tools: #11 - ProcDump - Windows 8 & Process Monitor
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-11-ProcDump-Windows-8--Process-Monitor

 

