Defrag Tools #178 – Sysinternals ProcDump v9.0 | Defrag Tools

In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0.

Multiple Dumps per trigger in multiple Dump Sizes:

  • -mm Write a ‘Mini’ dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info
  • -ma Write a ‘Full’ dump file. Includes All the Image, Mapped and Private memory
  • -mp Write a ‘MiniPlus’ dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations
  • -mc Write a ‘Custom’ dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
  • -md Write a ‘Callback’ dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL.
  • -mk Also write a ‘Kernel’ dump file. Includes the kernel stacks of the threads in the process. The OS doesn’t support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size.

Kernel Dump Support:

Complete Thread Stack – Kernel & User

  • Open the User and Kernel Dumps in separate debuggers
  • Match the TIDs from the User Dump with the TIDs from the Kernel Dump to get the entire stack
  • Awesome tool for hang debugging!

Debugging the Kernel Dump

  • Dump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)
  • Dump has the Process PID and each Thread TID. There is no PEB or TEB information.
  • View the Kernel Call Stack for each Thread in the Process:

!process -1 17

Debugging the User Dump

  • View the User Call Stack for each Thread in the Process (e.g.):

~*k
!pde.deep
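The TID matching step above can be scripted instead of done by eye. The following is an added example, not code from the episode or from Sysinternals: it parses constructed samples that approximate the output of !process -1 17 (kernel dump) and ~*k (user dump) and joins the kernel and user frames per thread. The addresses, TIDs and module names in the samples are made up.

```python
import re

# Constructed sample, approximating what WinDbg prints for "!process -1 17"
# against the kernel dump (PID 1a2c, two threads); not real session output.
KERNEL_DUMP_OUTPUT = """\
PROCESS ffffe0001f2a3080
    SessionId: 1  Cid: 1a2c    Peb: 00a1c000  ParentCid: 0ab4
        THREAD ffffe0001f2b4080  Cid 1a2c.1b40  Teb: 00a1d000 WAIT: (UserRequest) UserMode Non-Alertable
            Child-SP          RetAddr           Call Site
            ffffd00020a3f5c0 fffff80312345678 nt!KiSwapContext+0x76
            ffffd00020a3f7b0 fffff80312346000 nt!KeWaitForSingleObject+0x375
            ffffd00020a3f8a0 fffff80312346100 nt!NtWaitForSingleObject+0xf4
        THREAD ffffe0001f2c5080  Cid 1a2c.2f10  Teb: 00a20000 RUNNING on processor 2
            Child-SP          RetAddr           Call Site
            ffffd00020b3f5c0 fffff80312347000 nt!KiPageFault+0x12
"""
# Constructed sample, approximating "~*k" against the user dump of the same process.
USER_DUMP_OUTPUT = """\
.  0  Id: 1a2c.1b40 Suspend: 0 Teb: 0000000000a1d000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 000000000012f8a8 00007ff812340001 ntdll!NtWaitForSingleObject+0x14
01 000000000012f8b0 00007ff812340002 KERNELBASE!WaitForSingleObjectEx+0x9c
02 000000000012f950 00007ff812340003 app!Worker::Run+0x3a
   1  Id: 1a2c.2f10 Suspend: 0 Teb: 0000000000a20000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 0000000000a4f8a8 00007ff812340004 app!Hash::Compute+0x1f0
"""
KERNEL_THREAD_RE = re.compile(r"\bCid\s+[0-9a-f]+\.([0-9a-f]+)", re.I)  # "Cid PID.TID"
USER_THREAD_RE = re.compile(r"\bId:\s+[0-9a-f]+\.([0-9a-f]+)", re.I)     # "Id: PID.TID"
# A frame line: optional frame number, Child-SP, RetAddr, then the call site.
FRAME_RE = re.compile(r"^\s*(?:[0-9a-f]{2}\s+)?[0-9a-f`]{8,17}\s+[0-9a-f`]{8,17}\s+(\S+)$", re.I)

def parse_stacks(text, thread_re):
    """Map TID -> call sites; each thread header is followed by its frame lines."""
    stacks, tid = {}, None
    for line in text.splitlines():
        m = thread_re.search(line)
        if m:
            tid = int(m.group(1), 16)
            stacks[tid] = []
        elif tid is not None and (f := FRAME_RE.match(line)):
            stacks[tid].append(f.group(1))
    return stacks

def merge_stacks(kernel_out, user_out):
    """Join both dumps on TID; kernel frames are the most recent, so they go on top."""
    kernel = parse_stacks(kernel_out, KERNEL_THREAD_RE)
    user = parse_stacks(user_out, USER_THREAD_RE)
    return {tid: kernel.get(tid, []) + user.get(tid, [])
            for tid in sorted(set(kernel) | set(user))}
```

Threads that were running on a processor when the kernel dump was taken may carry only a short kernel stack, as thread 2f10 does in the sample.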


from Channel 9 https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-178-Sysinternals-ProcDump-v90
