How to take process traces and dumps using ProcMon and ProcDump

Case

You have issues with OS or application processes crashing or misbehaving and you need to find the root cause of the issue.

Solution

Process Monitor

First check all relevant OS event logs and application logs to determine the conditions under which the issue occurs. If you can replicate the issue and determine its time span and frequency, run Process Monitor (ProcMon) to take a trace while the issue is being replicated.

You can download Process Monitor from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon.

Screenshot: Process Monitor Event Properties dialog

ProcDump

If you cannot determine the times at which the process crash or misbehavior occurs, run Process Dump (ProcDump) instead. ProcDump runs proactively from the command line and "listens" to a specific process ID (PID); when that PID crashes or terminates, ProcDump automatically takes a process dump and saves it in the folder from which the tool was run. Run the command below to set up this dump flow. To find the PID, use the Get-Process PowerShell cmdlet.

procdump -ma -t PID

You can download ProcDump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump.

An example of running the procdump command for an application process is shown below. When the app with PID 21192 shuts down, a .dmp process dump file is created automatically and the procdump command exits.
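The same Get-Process to procdump flow, wrapped in a PowerShell function as an added example (not code from the original article or from Sysinternals). It assumes procdump.exe is on the PATH or that its full path is passed in, and that the dump folder is writable; the function name, the dump folder and the process name are placeholders.

```powershell
# Added example: listen for termination of every instance of a named process and
# take a full dump of each. Assumptions: procdump.exe is on PATH (or passed in),
# and $DumpFolder can be created/written by the current user.
function Start-TerminationDump {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProcessName,            # e.g. 'myapp' (no .exe)
        [string] $ProcDumpPath = 'procdump.exe',                 # assumption: on PATH
        [string] $DumpFolder   = (Join-Path $env:TEMP 'dumps')   # assumption: writable
    )

    # Resolve the PID(s) with Get-Process; the same image may be running more than once.
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        throw "No running process named '$ProcessName' was found."
    }
    if (-not (Get-Command $ProcDumpPath -ErrorAction SilentlyContinue)) {
        throw "procdump was not found at '$ProcDumpPath'."
    }
    New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null

    foreach ($p in $procs) {
        # PROCESSNAME, PID, YYMMDD and HHMMSS are expanded by ProcDump in the file name.
        $dumpFile = Join-Path $DumpFolder 'PROCESSNAME_PID_YYMMDD_HHMMSS.dmp'
        Write-Host ("Waiting for PID {0} ({1}) to terminate..." -f $p.Id, $p.ProcessName)

        # -ma: full memory dump; -t: write the dump when the process terminates;
        # -accepteula: suppress the first-run licence prompt so the listener never blocks.
        # procdump stays attached until the target exits, so start one listener per PID
        # in the background (no -Wait) and return immediately.
        Start-Process -FilePath $ProcDumpPath `
            -ArgumentList @('-accepteula', '-ma', '-t', $p.Id, "`"$dumpFile`"") `
            -NoNewWindow
    }

    # A full dump contains the process's memory, including any credentials or tokens
    # it held: restrict the ACL on $DumpFolder and delete the files once analysed.
    return $DumpFolder
}

# Usage (placeholder process name):
# Start-TerminationDump -ProcessName 'myapp'
```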

Dmp file analysis

To analyze .dmp files, multiple tools are available; two of the most commonly used are:

  1. Debugging Tools for Windows (WinDbg): https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
  2. NirSoft BlueScreenView: https://www.nirsoft.net/utils/blue_screen_view.html

Sources

https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon