I want to take a user dump of a process using PowerShell. How can I do it? The same as I get on right-clicking the process in Task Manager.
4 Answers
Based on this article (archived) from Risksense, the `MiniDump` function from the native `comsvcs.dll` Windows DLL could be used.

Like:

```powershell
Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump {ID-of-the-process} $Env:TEMP\my_dump_file.bin full
```

- Note that the dump file path cannot have spaces (quoting doesn't work). For the directory part of the path, one can work around by setting the current directory (or specify argument -WorkingDirectory for `Start-Process`) so we only have to pass the filename of the dump file to rundll32. – zett42 Aug 05 '20 at 15:42
The easiest way is to use Procdump from the Sysinternals toolkit. Use `Get-Process` to get the process id, which you can pass to Procdump for actual dumping.

Edit:

I'd still rather use readily available tools instead of the hard way. Have you got a valid business reason? Since you insist, there is a Win32 API call that creates user mode memory dumps. It can be invoked from .NET code, so either use P/Invoke or embed C# into your PowerShell code. This is left as an exercise to the reader.

- Is there a way to do it using some internal commands of PowerShell or cmd or using WMI? – Shree Mar 20 '13 at 14:54
- I wanted to have this because I need this script to run on a number of different machines, and I don't want to install them on each of them. – Shree Mar 21 '13 at 10:24
- How to use `procdump` to collect a core on demand, i.e., now instead of waiting for the process to crash or something else? – Evandro Coan May 14 '21 at 08:00
Hi, sorry I'm not much help. I've never used a DUP file before. But there is a WMI class called Win32_Process:

```powershell
Get-WMIObject -Class Win32_Process
```

Not sure if that's the info you are looking for. It has different properties than Get-Process.

- Win32_product looks like a typo to me. In addition, Win32_process does provide you a handle for process, but not a way to create a memory dump for one. – vonPryz Mar 21 '13 at 07:21
I had a similar use case where I needed to create a dump for an IIS process. Granted I could have used DebugDiag, but I ended up going down this path. Here's what I used (and works pretty well, I should add):
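```powershell
# Look up the IIS worker process (w3wp) and keep its name and Id
$procid = Get-Process | Where-Object {$_.ProcessName -eq 'w3wp'} | Select-Object ProcessName,Id
# Make sure the dump directory exists
New-Item -Path "c:\temp\Dumps" -Type directory -Force
# Run procdump against that Id and write the dump into the directory
cmd.exe /c "c:\temp\procdump64.exe" $procid.id -accepteula -mp "c:\temp\Dumps"
```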
Furthermore, you could use these dump files for analysis using DebugDiag too. So it's a win-win in my opinion.
PS: Theoretically, one could also get the Process ID using the `Get-CimInstance` cmdlet. So something like this would also work:

```powershell
Get-CimInstance -Query "SELECT * from Win32_Process WHERE name LIKE 'w3wp%'"
```
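
The two command lines shown in the answers above (rundll32 with `comsvcs.dll` `MiniDump`, and procdump) are also what process-creation logging records when a dump is taken, so they can be matched to audit who dumped which process and where the file went. The following is an added example, not code from any of the posters: it runs that match in Python over constructed records; the host names, users, PID 4312, expanded TEMP path and record layout are assumptions.

```python
import re

# Command-line shapes from the answers on this page: rundll32 + comsvcs.dll MiniDump, and procdump.
# The dump path is matched as \S+ because, per the comment on the first answer, it cannot contain spaces.
COMSVCS = re.compile(
    r'rundll32(?:\.exe)?"?\s.*?comsvcs\.dll"?[,\s]+MiniDump\s+(?P<pid>\d+)\s+(?P<out>\S+)\s+full',
    re.I)
PROCDUMP = re.compile(r'procdump(?:64)?(?:\.exe)?"?\s+(?P<args>.+)', re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted argument or a bare word

def classify(cmdline):
    """Return (tool, target, dump_path) when cmdline requests a process dump, else None."""
    m = COMSVCS.search(cmdline)
    if m:
        return ("comsvcs MiniDump", m["pid"], m["out"])
    m = PROCDUMP.search(cmdline)
    if m:
        tokens = [t.strip('"') for t in TOKEN.findall(m["args"])]
        # Switches that take a value are not modelled; the page only uses -accepteula and -mp.
        positional = [t for t in tokens if not t.startswith("-")]
        if positional:  # first positional is the PID or process name, second the output path
            out = positional[1] if len(positional) > 1 else None
            return ("procdump", positional[0], out)
    return None

# Constructed process-creation records (host, user, command line); not real telemetry.
EVENTS = [
    ("WEB01", "alice", r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4312 '
                       r'C:\Users\alice\AppData\Local\Temp\my_dump_file.bin full'),
    ("WEB01", "svc_iis", r'cmd.exe /c "c:\temp\procdump64.exe" 4312 -accepteula -mp "c:\temp\Dumps"'),
    ("WEB02", "bob", r'powershell.exe -c Get-Process w3wp'),
    ("WEB02", "bob", r'rundll32.exe shell32.dll,Control_RunDLL'),
]

def scan(events):
    """Yield one finding per record whose command line asks for a process dump."""
    for host, user, cmdline in events:
        hit = classify(cmdline)
        if hit:
            yield {"host": host, "user": user, "tool": hit[0],
                   "target": hit[1], "dump_path": hit[2]}

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```
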