This document discusses process dump files, which provide a snapshot of a running process that can be analyzed to diagnose problems. It explains that dump files contain valuable diagnostic information but are static and cannot be directly debugged. Several tools are described for creating dump files, including Task Manager, ntsd.exe, ADPlus, and ProcDump. Visual Studio and WinDbg are both capable of analyzing dump files, with WinDbg generally being better suited for the task. Links to additional debugging resources are also provided.
3. Whenever we have a live system where we:
Have only limited access to the system
Don’t want to, or can’t, install Visual Studio on it
Can’t stop the service and attach a debugger to it
Log files are inefficient or nonexistent (90% of the cases)
Still need to “fix” the problem
5. A dump file is a snapshot of a running process
Kernel dumps are snapshots of the entire system, but we will not discuss them here
Dump files are useful for post-mortem diagnostics and for production debugging
A dump can contain lots of information; a full process dump takes at least as much space as the process’ virtual size
It’s possible to take a smaller dump, e.g. only thread stacks and loaded modules
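The slide above says a full dump is as large as the process’ virtual size while a small dump carries only thread stacks and loaded modules. The file itself announces which of the two you have: every dump written by the debugger, ADPlus or ProcDump starts with a MINIDUMP_HEADER followed by a directory of streams. The parser below is an added example (not code from the slides or from any of the tools they mention) that reads that header and directory, so you can tell a full memory dump from a stacks-and-modules dump before opening it in WinDbg, and before deciding how carefully the file must be handled, since a full dump contains every byte of the process’ memory. The layouts follow MINIDUMP_HEADER and MINIDUMP_DIRECTORY from minidumpapiset.h; the sample dump bytes are constructed by hand for the demo and do not come from a real process.

```python
"""Read the MINIDUMP_HEADER and stream directory of a .dmp file.

Added example, not part of the original slides. Layouts follow
minidumpapiset.h; the sample dump is constructed in build_sample_dump()
and is not a real process dump.
"""
import struct

MINIDUMP_SIGNATURE = 0x504D444D   # the bytes 'MDMP' read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # low word of MINIDUMP_HEADER.Version

# MINIDUMP_STREAM_TYPE values (subset)
STREAM_NAMES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
    15: "MiscInfoStream",
    16: "MemoryInfoListStream",
    17: "ThreadInfoListStream",
    19: "TokenStream",
}

# MINIDUMP_TYPE flags stored in MINIDUMP_HEADER.Flags (subset)
MINIDUMP_WITH_DATA_SEGS = 0x1
MINIDUMP_WITH_FULL_MEMORY = 0x2      # set by ".dump /ma" style full dumps
MINIDUMP_WITH_HANDLE_DATA = 0x4

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (ULONG64) -> 32 bytes
HEADER_FMT = "<IIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva -> 12 bytes
DIR_FMT = "<III"
DIR_SIZE = struct.calcsize(DIR_FMT)


def parse_minidump(data: bytes) -> dict:
    """Return header fields and the stream directory; reject truncated files."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too small to hold MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature 0x%08X" % sig)
    if dir_rva < HEADER_SIZE or dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory lies outside the file (truncated dump?)")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        if rva + size > len(data):
            raise ValueError("stream type %d extends past end of file" % stype)
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, "Unknown(%d)" % stype),
                        "size": size, "rva": rva})
    return {"version": version & 0xFFFF, "timestamp": timestamp, "flags": flags, "streams": streams}


def describe_dump(info: dict) -> str:
    """Classify a parsed dump by what it carries."""
    names = [s["name"] for s in info["streams"]]
    if info["flags"] & MINIDUMP_WITH_FULL_MEMORY:
        return "full process dump (all virtual memory present)"
    if "ThreadListStream" in names and "ModuleListStream" in names:
        return "minidump (thread stacks and module list only)"
    return "minidump (unusual stream set)"


def build_sample_dump(full_memory: bool) -> bytes:
    """Construct a tiny synthetic dump for the demo; stream bodies are placeholders."""
    stream_types = [7, 3, 4]                       # SystemInfo, ThreadList, ModuleList
    stream_types.append(9 if full_memory else 5)   # Memory64List for full dumps, MemoryList otherwise
    flags = (MINIDUMP_WITH_FULL_MEMORY | MINIDUMP_WITH_HANDLE_DATA) if full_memory else 0
    payload_rva = HEADER_SIZE + len(stream_types) * DIR_SIZE
    directory, payload = b"", b""
    for stype in stream_types:
        body = bytes([stype]) * 16                  # placeholder content, not real stream data
        directory += struct.pack(DIR_FMT, stype, len(body), payload_rva + len(payload))
        payload += body
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION,
                         len(stream_types), HEADER_SIZE, 0, 0x5D000000, flags)
    return header + directory + payload


if __name__ == "__main__":
    for full in (False, True):
        info = parse_minidump(build_sample_dump(full))
        print(describe_dump(info), [s["name"] for s in info["streams"]])
```

On a real file, read it in binary mode and pass the bytes to parse_minidump; the directory check and the per-stream bounds check are what catch a dump that was cut short while being copied off the production box.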
6. Dump files are a static snapshot
You can’t debug a dump, just analyze it
Sometimes a repro is required (or more than one repro)
Sometimes several dumps must be compared
7. On Vista and higher: in Task Manager, right-click the process and choose “Create Dump File”
8. Before Vista, use ntsd.exe
ntsd -pn app.exe -c ".dump /ma /u C:\app.dmp; qd"
9. Use ADPlus from Debugging Tools for Windows
Can do crash / hang dumps
Example command lines:
adplus -crash -o C:\dumps -sc C:\myapp\myapp.exe
adplus -hang -o C:\dumps -p 1234
Can be configured further:
Dump on a specific exception
Perform additional debugger actions
…see the documentation (Debugging Tools for Windows)
10. ProcDump: Sysinternals utility for creating crash / hang dumps
Can use process reflection (Windows 7) to minimize process suspension time
Examples:
procdump -h app.exe hang.dmp
procdump -e app.exe crash.dmp
procdump -c 90 app.exe excessive_cpu.dmp
11. Visual Studio can open dump files
But it’s not the perfect analysis tool
Visual Studio 2008 can handle native dumps very well
Can’t handle managed dumps AT ALL
Visual Studio 2010 can handle both native and managed dumps
For managed dumps, CLR 4.0 is required
12. WinDbg is usually much better at dump analysis
Not that good for managed source code reading, but everything else is much easier
Try !analyze -v for native dumps
Try opening a kernel (system) dump
15. Links
http://blogs.microsoft.co.il/blogs/noams
http://blogs.microsoft.co.il/blogs/sasha (all your base are belong to us)
http://blogs.msdn.com/b/ntdebugging/ (ntdebugging)
http://blogs.technet.com/markrussinovich/ (Mark’s blog)