
By Mark Russinovich and Andrew Richards

Published: May 16, 2017

Download ProcDump (439 KB)

Download ProcDump for Linux (GitHub)

Introduction

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

Using ProcDump

usage: procdump [-a] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1 [-b]] [-f <filter,...>] [-g] [-h] [-l]
                [-m|-ml commit usage] [-ma | -mp] [-o] [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] [-64]
                <[-w] <process name or service name or PID> [dump file] | -i <dump folder> | -u | -x <dump folder> <image file> [arguments]>
                [-? [-e]]

Parameter  Description

-a Avoid outage. Requires -r. If the trigger will cause the target to suspend for a prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.
-at Avoid outage at Timeout. Cancel the trigger's collection at N seconds.
-b Treat debug breakpoints as exceptions (otherwise ignore them).
-c CPU threshold at which to create a dump of the process.
-cl CPU threshold below which to create a dump of the process.
-d Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.
-e Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.
-f Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.
-fx Filter (exclude) on the content of exceptions and debug logging. Wildcards are supported.
-g Run as a native debugger in a managed process (no interop).
-h Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).
-i Install ProcDump as the AeDebug postmortem debugger. Only -ma, -mp, -d and -r are supported as additional options.
-k Kill the process after cloning (-r), or at the end of dump collection
-l Display the debug logging of the process.
-m Memory commit threshold in MB at which to create a dump.
-ma Write a dump file with all process memory. The default dump format only includes thread and handle information.
-mc Write a custom dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
-md Write a Callback dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL.
-mk Also write a Kernel dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size.
-ml Trigger when memory commit drops below specified MB value.
-mm Write a mini dump file (default).
-mp Write a dump file with thread and handle information, and all read/write process memory. To minimize dump size, memory areas larger than 512MB are searched for, and if found, the largest area is excluded. A memory area is the collection of same sized memory allocation areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.
-n Number of dumps to write before exiting.
-o Overwrite an existing dump file.
-p Trigger on the specified performance counter when the threshold is exceeded. Note: to specify a process counter when there are multiple instances of the process running, use the process ID with the following syntax: "\Process(<name>_<pid>)\counter"
-pl Trigger when performance counter falls below the specified value.
-r Dump using a clone. Concurrent limit is optional (default 1, max 5).
CAUTION: a high concurrency value may impact system performance.
- Windows 7 : Uses Reflection. OS doesn't support -e.
- Windows 8.0 : Uses Reflection. OS doesn't support -e.
- Windows 8.1+: Uses PSS. All trigger types are supported.
-s Consecutive seconds before dump is written (default is 10).
-t Write a dump when the process terminates.
-u Treat CPU usage relative to a single core (used with -c).
-u As the only option, uninstalls ProcDump as the postmortem debugger.
-w Wait for the specified process to launch if it's not running.
-wer Queue the (largest) dump to Windows Error Reporting.
-x Launch the specified image with optional arguments. If it is a Store Application or Package, ProcDump will start on the next activation (only).
-64 By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.
-? Use -? -e to see example command lines.

If you omit the dump file name, it defaults to <processname>_<datetime>.dmp.

Use the -accepteula command line option to automatically accept the Sysinternals license agreement.

Automated Termination:
Setting an event with name "procdump-<pid>" is the same as typing Ctrl+C to gracefully terminate ProcDump.

Filename:
Default dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp
The following substitutions are supported:
PROCESSNAME   Process Name
PID           Process ID
EXCEPTIONCODE Exception Code
YYMMDD        Year/Month/Day
HHMMSS        Hour/Minute/Second

Examples

Write a mini dump of a process named 'notepad' (only one match can exist):

C:\>procdump notepad

Write a full dump of a process with PID '4572':

C:\>procdump -ma 4572

Write 3 mini dumps 5 seconds apart of a process named 'notepad':

C:\>procdump -s 5 -n 3 notepad

Write up to 3 mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:

C:\>procdump -c 20 -s 5 -n 3 consume

Write a mini dump for a process named 'hang.exe' when one of its windows is unresponsive for more than 5 seconds:

C:\>procdump -h hang.exe hungwindow.dmp

Write a mini dump of a process named 'outlook' when total system CPU usage exceeds 20% for 10 seconds:

C:\>procdump outlook -p "\Processor(_Total)\% Processor Time" 20

Write a full dump of a process named 'outlook' when Outlook's handle count exceeds 10,000:

C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000

Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:

C:\>procdump -mp -e store.exe

Display the exception codes/names of w3wp.exe without writing a dump:

C:\>procdump -e 1 -f "" w3wp.exe

Write a mini dump of w3wp.exe if an exception's code/name contains 'NotFound':

C:\>procdump -e 1 -f NotFound w3wp.exe

Launch a process and then monitor it for exceptions:

C:\>procdump -e 1 -f "" -x c:\dumps consume.exe

Register for launch, and attempt to activate, a modern 'application'. A new ProcDump instance will start when it is activated to monitor for exceptions:

C:\>procdump -e 1 -f "" -x c:\dumps Microsoft.BingMaps_8wekyb3d8bbwe!AppexMaps

Register for launch of a modern 'package'. A new ProcDump instance will start when it is (manually) activated to monitor for exceptions:

C:\>procdump -e 1 -f "" -x c:\dumps Microsoft.BingMaps_1.2.0.136_x64__8wekyb3d8bbwe

Register as the Just-in-Time (AeDebug) debugger. Makes full dumps in c:\dumps.

C:\>procdump -ma -i c:\dumps

See a list of example command lines (the examples are listed above):

C:\>procdump -? -e

Learn More

  • Windows Internals Book
    The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
  • Windows Sysinternals Administrator's Reference
    The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.

Runs on:

  • Client: Windows Vista and higher.
  • Server: Windows Server 2008 and higher.

Notes

[Overview]

  • This document describes how to create a memory dump of an application process. Kernel memory dumps, such as those related to a blue screen (BSoD), are not covered.
  • It is written for people such as technical support staff who need to create memory dumps of processes they did not develop themselves.

[Creating a memory dump when a process crashes]

  • This is how to have a dump generated automatically when a process crashes due to an error.
  • It must be set up in advance, before the crash occurs.

[Method 1] Using procdump

    • Download procdump.exe from the following location and extract it to any folder (e.g. C:\temp).

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

    • Open a command shell (cmd.exe) with administrator privileges and run the following command. (If the folder path is omitted, dumps are created in the folder where procdump.exe resides.)

procdump.exe -ma -i [folder in which to create the dump files]

    • From now on, whenever any process on the system terminates abnormally, a memory dump file is created.

    • To remove the memory dump setting, enter the following command.

procdump.exe -u
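The following PowerShell is an added example, not code from the ProcDump documentation or the original post. It performs the -i and -u steps above from a script and, because the registration is just an entry in the AeDebug registry key, reads that key back afterwards so you can confirm what is actually registered as the postmortem debugger. It assumes procdump.exe was extracted to C:\temp (as above) and uses C:\temp\dump as the dump folder; the function names are my own.

```powershell
# Added example (not from the ProcDump documentation or the original post): register ProcDump
# as the AeDebug postmortem debugger with -ma -i, and verify the result by reading the AeDebug
# registry key(s) that -i writes to. Assumed paths: procdump.exe in C:\temp, dumps in C:\temp\dump.
# Run from an elevated PowerShell prompt.

$ProcDumpExe = 'C:\temp\procdump.exe'   # assumed location (the post extracts it to C:\temp)
$DumpFolder  = 'C:\temp\dump'           # assumed dump folder

# The native AeDebug key, plus the WOW6432Node one consulted for 32-bit processes on 64-bit Windows.
$AeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

function Get-PostmortemDebugger {
    # Reports what each AeDebug key currently names as the postmortem debugger.
    foreach ($key in $AeDebugKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key      = $key
            Debugger = $props.Debugger
            Auto     = $props.Auto
        }
    }
}

function Install-ProcDumpPostmortem {
    param([string]$Folder = $DumpFolder)
    if (-not (Test-Path $ProcDumpExe)) { throw "procdump.exe not found at $ProcDumpExe" }
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # -ma: full memory dumps; -i: install as the AeDebug debugger, writing dumps into $Folder.
    & $ProcDumpExe -accepteula -ma -i $Folder
    # The registry is the authoritative check: each key's Debugger value should now name procdump.
    foreach ($entry in Get-PostmortemDebugger) {
        $status = if ($entry.Debugger -like '*procdump*') { 'OK' } else { 'NOT procdump' }
        '{0}: {1} [{2}]' -f $entry.Key, $entry.Debugger, $status
    }
}

function Uninstall-ProcDumpPostmortem {
    # -u as the only option removes the registration.
    & $ProcDumpExe -accepteula -u
    Get-PostmortemDebugger
}

# Usage:
# Get-PostmortemDebugger        # record what is registered before changing anything
# Install-ProcDumpPostmortem    # register, then show the AeDebug values
# Uninstall-ProcDumpPostmortem  # undo and show what is registered afterwards
```

Run Get-PostmortemDebugger once before installing: the AeDebug Debugger value is system-wide, so knowing what was there (Dr.Watson, WER, or a previously registered debugger) is what lets you confirm later that -u put the machine back into its original state.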

[Method 2] Using WER (Windows Error Reporting)

    • Since Vista, Windows has had a feature that creates a memory dump and sends it to Microsoft when a running process fails and crashes.
    • With the default settings, the memory dump is deleted after it is sent to Microsoft, but if you create the key at the following registry location and set its values, the memory dump is kept locally.

Key : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Value name : DumpFolder
Type : REG_EXPAND_SZ
Value : C:\temp\dump

Value name : DumpType
Type : REG_DWORD
Value : 2

    • For details, refer to the following link.

https://docs.microsoft.com/ko-kr/windows/desktop/wer/collecting-user-mode-dumps
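The registry settings above, applied from PowerShell, as an added example that is not part of the original post. The detail to get right is the value type: DumpFolder is REG_EXPAND_SZ (PropertyType ExpandString in PowerShell), and DumpType is a REG_DWORD whose value 2 means a full dump. The script creates the LocalDumps key (it does not exist by default), sets both values, creates the dump folder, and reads the configuration back together with each value's registry type. C:\temp\dump is the folder from the post; the function names are my own.

```powershell
# Added example (not from the original post): apply the WER LocalDumps settings above from
# PowerShell and read them back. Assumes C:\temp\dump as the dump folder, as in the post.
# Run from an elevated PowerShell prompt.

$LocalDumpsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$DumpFolder    = 'C:\temp\dump'   # assumed dump folder

function Get-WerLocalDumps {
    # Shows the current configuration, including each value's registry type, so a DumpFolder
    # written as a plain REG_SZ (String) instead of REG_EXPAND_SZ (ExpandString) is visible.
    if (-not (Test-Path $LocalDumpsKey)) { return 'LocalDumps key not present: WER keeps no local dumps' }
    $key = Get-Item -Path $LocalDumpsKey
    foreach ($name in 'DumpFolder', 'DumpType') {
        if ($key.GetValueNames() -contains $name) {
            [pscustomobject]@{ Name = $name; Type = $key.GetValueKind($name); Value = $key.GetValue($name) }
        }
    }
}

function Enable-WerLocalDumps {
    param(
        [string]$Folder = $DumpFolder,
        [ValidateSet(0, 1, 2)][int]$DumpType = 2   # 0 = custom dump, 1 = mini dump, 2 = full dump
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # The LocalDumps key does not exist by default; create it.
    if (-not (Test-Path $LocalDumpsKey)) { New-Item -Path $LocalDumpsKey -Force | Out-Null }
    # DumpFolder: REG_EXPAND_SZ. DumpType: REG_DWORD, 2 = full dump.
    New-ItemProperty -Path $LocalDumpsKey -Name 'DumpFolder' -PropertyType ExpandString -Value $Folder -Force | Out-Null
    New-ItemProperty -Path $LocalDumpsKey -Name 'DumpType' -PropertyType DWord -Value $DumpType -Force | Out-Null
    Get-WerLocalDumps
}

function Disable-WerLocalDumps {
    # Deleting the key returns WER to its default behaviour of not keeping dumps locally.
    if (Test-Path $LocalDumpsKey) { Remove-Item -Path $LocalDumpsKey -Recurse }
    Get-WerLocalDumps
}

# Usage:
# Enable-WerLocalDumps                  # full dumps into C:\temp\dump
# Enable-WerLocalDumps -DumpType 1      # mini dumps instead
# Disable-WerLocalDumps
```

Full dumps (DumpType 2) contain the whole address space of the crashed process, including any credentials or keys it held in memory, so restrict access to the dump folder to the people who will analyse the dumps and remove the key again once the investigation is over.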

[Method 3] Using Dr.Watson

    • This is the method used on Windows XP.
    • Refer to the following link.

http://kuaaan.tistory.com/213

[Creating a memory dump of a running process]

  • This is how to create a memory dump of a process that is running without errors.
  • It is mainly needed when analyzing the cause of issues such as a hang, deadlock or excessive CPU usage in a process.

[Method 1] Using Task Manager

1. Refer to the following screenshot.

2. The memory dump is created in the %temp% folder. (Start > Run > type %temp% in the box and press Enter to go there directly.)

[Method 2] Using procdump

1. It has the inconvenience of requiring a separate executable to be downloaded, but it can be automated with scripts and offers many features such as 'create a dump when CPU usage exceeds 80%'. (See procdump /?)

2. Enter the following in an administrator command shell.

procdump.exe notepad.exe (dump by process name: only when exactly one process matches)

procdump.exe 12776 (by process ID)

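Both the Examples section of the ProcDump usage above and Method 2 here take dumps of a running process by name or PID. The following PowerShell, added here and not part of the ProcDump documentation or the original post, wraps that: it resolves a process name to a single PID first (so the "only one match can exist" restriction never makes ProcDump refuse), runs procdump with the chosen trigger options from inside the dump folder so the default PROCESSNAME_YYMMDD_HHMMSS.dmp files land there, and lists the dump files that this run produced with the capture time parsed from the file name. It assumes procdump.exe was extracted to C:\temp and uses C:\temp\dump as the dump folder; the function and parameter names are my own.

```powershell
# Added example (not from the ProcDump documentation or the original post): on-demand dumps
# of a running process from PowerShell. The process name is resolved to exactly one PID first,
# procdump is run inside the dump folder so the default PROCESSNAME_YYMMDD_HHMMSS.dmp files
# land there, and the files produced by this run are listed with their parsed capture time.
# Assumed paths: procdump.exe extracted to C:\temp, dumps in C:\temp\dump. Run elevated.

$ProcDumpExe = 'C:\temp\procdump.exe'   # assumed location
$DumpFolder  = 'C:\temp\dump'           # assumed dump folder

function Resolve-TargetPid {
    # Accepts a PID or a process name (with or without .exe). ProcDump refuses a name that
    # matches more than one process, so the ambiguity is reported here with the candidate PIDs.
    param([Parameter(Mandatory)][string]$Target)
    if ($Target -match '^\d+$') { return [int]$Target }
    $name  = [System.IO.Path]::GetFileNameWithoutExtension($Target)
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { throw "no process named '$name' is running" }
    if ($procs.Count -gt 1) {
        throw "'$name' matches $($procs.Count) processes (PIDs $($procs.Id -join ', ')); pass a PID instead"
    }
    return $procs[0].Id
}

function Invoke-ProcDump {
    param(
        [Parameter(Mandatory)][string]$Target,  # process name or PID
        [switch]$Full,                          # -ma: full memory dump instead of the default mini dump
        [int]$Count = 1,                        # -n: number of dumps to write
        [int]$Seconds = 10,                     # -s: interval between dumps, or seconds above the CPU threshold with -Cpu
        [int]$Cpu = 0,                          # -c: dump only when CPU usage exceeds this percentage (0 = no CPU trigger)
        [string]$Folder = $DumpFolder
    )
    $targetPid = Resolve-TargetPid $Target
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    $procArgs = @('-accepteula')
    if ($Full)      { $procArgs += '-ma' }
    if ($Cpu -gt 0) { $procArgs += '-c', $Cpu }
    $procArgs += '-s', $Seconds, '-n', $Count, $targetPid

    # Snapshot the folder so only dumps written by this run are reported.
    $before = @(Get-ChildItem -Path $Folder -Filter '*.dmp' | Select-Object -ExpandProperty FullName)
    Push-Location $Folder
    try     { & $ProcDumpExe @procArgs }
    finally { Pop-Location }

    Get-ChildItem -Path $Folder -Filter '*.dmp' |
        Where-Object { $before -notcontains $_.FullName } |
        ForEach-Object {
            # Default name: PROCESSNAME_YYMMDD_HHMMSS.dmp
            $m = [regex]::Match($_.Name, '^(?<proc>.+)_(?<date>\d{6})_(?<time>\d{6})\.dmp$')
            $procName = ''
            $captured = $_.LastWriteTime
            if ($m.Success) {
                $procName = $m.Groups['proc'].Value
                $captured = [datetime]::ParseExact($m.Groups['date'].Value + $m.Groups['time'].Value, 'yyMMddHHmmss', $null)
            }
            [pscustomobject]@{
                File     = $_.FullName
                SizeMB   = [math]::Round($_.Length / 1MB, 1)
                Process  = $procName
                Captured = $captured
            }
        }
}

# Usage (mirrors the command lines in the Examples section above):
# Invoke-ProcDump -Target notepad -Count 3 -Seconds 5            # 3 mini dumps, 5 s apart
# Invoke-ProcDump -Target 4572 -Full                             # one full dump of PID 4572
# Invoke-ProcDump -Target consume -Cpu 20 -Seconds 5 -Count 3    # up to 3 dumps when CPU > 20% for 5 s
```

Resolving to a PID before calling procdump is also what you want in a script run against a server: a name such as w3wp or svchost normally matches several processes, and failing early with the candidate PIDs listed is clearer than ProcDump's own refusal.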