
Is it possible to create a full memory dump of a Windows service when it crashes? Obviously, there are the well known postmortem debuggers, which can collect a memory dump of a failing process. But the problem with Windows services is that they are running within the system-context and not in the user-context. Can anybody help me?

Until now, I tried it with WinDbg:

  • I set up WinDbg as the default postmortem debugger by executing `WinDbg -I`.
  • I verified that within both locations of the registry (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug` and `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug`) the two entries Auto and Debugger exist.
  • I configured WinDbg to automatically write memory dumps at startup by changing the Debugger entry to `"Path\WinDbg.exe" -p %ld -c ".dump /ma /u D:\CrashDump.dmp" -e %ld -g`
  • I verified that WinDbg has privileges to the target location of the memory dump file, with and without administrative privileges.

But it does not work. :(

If I write a normal user-mode application which intentionally crashes after startup, WinDbg pops up and automatically writes the .dmp file to the target location. But if my service crashes, it does not. Within the task manager, I can see that WinDbg gets started after the process of my service crashes, but both just remain in the list without any dump file.

Allgaeuer

1 Answer


Make sure that Auto for the AeDebug key is set to 1. Also change the WinDbg command line to: `"Path\WinDbg.exe" -p %ld -c ".dump /ma /u D:\CrashDump.dmp;qd" -e %ld -G`

If you do not detach from the debuggee, the debugger will wait for further commands. Also, the -G option will close the debugger immediately after the process ends. Simpler to configure and probably more suited for such scenarios is procdump from Sysinternals - it can also create full memory dumps, and you install it with the `procdump -ma -i D:\crashdump` command.

Sebastian
  • Guess you are right. But if I try this command, procdump says: "No process matching the specified name is running." – Allgaeuer Dec 17 '13 at 14:51
  • Hmm, that is strange. I will check it at home, but even on their page they have the same call in examples (http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx). Make sure the d:\crashdump folder exists. – Sebastian Dec 17 '13 at 15:03
  • Ah, sorry. It does not matter if the folder already exists, but the functionality to register as Just-in-Time Debugger seems to be a newly added feature of ProcDump. Within my currently installed SysinternalsSuite, I had ProcDump v4.0. Thanks to your link, I downloaded the isolated executable, which is v6.0. Now the call works. Thank you. – Allgaeuer Dec 18 '13 at 07:17
  • @lowleveldesign Can the "-accepteula" option be used with the "-i" option? The procdump docs say only the "-ma", "-mp", and "-d" options are allowed when using the "-i" option. Otherwise the first time his service crashes procdump will block waiting for him to accept the EULA (as the service account), but he won't see it because it's running in session zero. – Marc Sherman Dec 18 '13 at 19:55
  • @MarcSherman - thanks, that's a very good point! It seems that we can add this parameter to the command line. Therefore, the final procdump installation command should be: `procdump -accepteula -ma -i D:\crashdump`. – Sebastian Dec 19 '13 at 04:58
  • Looks like `procdump -i` adds "-accepteula", see https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging – Marc Sherman Oct 17 '19 at 17:19
  • Thank you very much for the hint to set the Auto value to 1! – niks Aug 23 '22 at 09:38
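As an added example, not code from the question, the answer or the Sysinternals/WinDbg projects, the following PowerShell script applies the configuration the answer arrives at: it sets Auto to 1 and writes the corrected Debugger command line (full dump with `/ma /u`, `;qd` to detach, `-G` to close WinDbg when the debuggee exits) into both AeDebug keys listed in the question, creates the dump folder, and reads the values back so a mismatch between the 64-bit and Wow6432Node views is visible. The WinDbg install path and the dump folder are assumptions; run it from an elevated prompt.

```powershell
# Added example: register WinDbg as the postmortem debugger for crashing
# services, using the settings from the accepted answer. Not code from the page.
# Assumptions (not stated on the page): WinDbg is at C:\Debuggers\windbg.exe
# and dumps go to D:\CrashDump. Must be run as an administrator.
param(
    [string]$WinDbgPath = 'C:\Debuggers\windbg.exe',   # assumed install location
    [string]$DumpDir    = 'D:\CrashDump'               # assumed dump folder
)

# Both registry views from the question; the Wow6432Node key only exists on 64-bit Windows.
$aeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

# The dump folder must exist and be writable by the account the service runs as
# (often LocalSystem in session 0), otherwise the .dump command fails with nobody to see it.
if (-not (Test-Path -LiteralPath $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}

# Command line from the answer. Windows substitutes the PID and the event handle
# for the two %ld placeholders. ".dump /ma /u" writes a full dump with a unique
# name; "qd" detaches so WinDbg does not sit waiting for input; -G closes it
# when the debuggee finally exits.
$dumpFile    = Join-Path $DumpDir 'CrashDump.dmp'
$debuggerCmd = "`"$WinDbgPath`" -p %ld -c `".dump /ma /u $dumpFile;qd`" -e %ld -G"

foreach ($key in $aeDebugKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # skip the missing view on 32-bit
    # Auto=1 launches the debugger without the "Debug / Close" prompt, which a
    # service in session 0 could never answer.
    Set-ItemProperty -LiteralPath $key -Name 'Auto'     -Value '1'          -Type String
    Set-ItemProperty -LiteralPath $key -Name 'Debugger' -Value $debuggerCmd -Type String
}

# Read everything back: if the two views differ, 32-bit and 64-bit services will
# behave differently on crash, which is an easy thing to miss.
foreach ($key in $aeDebugKeys) {
    if (Test-Path -LiteralPath $key) {
        Get-ItemProperty -LiteralPath $key -Name Auto, Debugger |
            Select-Object @{ n = 'Key'; e = { $key } }, Auto, Debugger |
            Format-List
    }
}
```

The script does nothing the answer does not already describe; it only makes the two-key requirement and the detach/close flags explicit so they are not forgotten on the next machine. If you prefer the procdump route from the answer, `procdump -accepteula -ma -i D:\crashdump` replaces the whole block, and procdump writes its own Debugger values into the same two keys.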