0

I set up procdump to collect crash dumps using the following command:

procdump -ma -i c:\dumps

I now see the following dump files.

MyProcess.exe_150422_041763.dmp
MyProcess.exe_150422_153851.dmp
MyProcess.exe_150422_106442.dmp
MyProcess.exe_150422_043551.dmp
MyProcess.exe_150422_083220.dmp

What are the different numbers appended to the file names here? Since the processes have crashed, I have no way of confirming, but I assume that 150442 is the PID.

Thomas Weller
whoami
  • Maybe you can shed some light on the answer by EdChum. Would you mind opening the "041763" dump and the "106442" dump in WinDbg and telling us the output of `.time`? – Thomas Weller May 11 '16 at 17:13
  • Unfortunately I don't have the dump files any more. I was getting too many dumps to look at, many of them duplicates. I had to clean up my computer to make room for new dump files. I will look at the newer files and see if this makes sense. – whoami May 15 '16 at 16:51

2 Answers

3

From the docs:

If you omit the dump file name, it defaults to <processname>_<datetime>.dmp.

So for the example:

MyProcess.exe_150422_041763.dmp

this is:

process name: MyProcess.exe

date: 2015 April 22

time: 041763

Not sure if this represents 4 hours 17 minutes and 63 seconds????

EdChum
  • Perhaps it's a dump from the future, 15.04.2022, Earth was hit by an asteroid and moved to a different orbit so there are 4 leap seconds per day. – Thomas Weller May 11 '16 at 17:16
  • @ThomasWeller maybe it's accelerating your pc to 29th July 2016 so you then have to pay for Win 10 upgrade sooner – EdChum May 11 '16 at 17:19
1

150442 cannot be the PID, because the PID is only 2 bytes. Even in decimal, this is not possible. It is easy to check: just open the dump in WinDbg and look at the PID using `|`.

The book "Windows SysInternals Administrator's Reference" (my version is 2012-10-19) describes the file name on page 230 like this:

The format for the file name is basename_yyMMdd_HHmmss.dmp.

(emphasis as in the book)

and later on the same page

Note that the format of the file name is fixed and is independent of regional settings.

This cannot match your file names (63 seconds or 64 minutes), so depending on the version of ProcDump you're using, you should

a) report a bug, if it's the current version

b) upgrade to a newer version

Another, maybe unlikely case is that the file name was passed like this as an argument to ProcDump. Since ProcDump writes the command line arguments as a comment into the dump file, just open the dump in WinDbg and read the comment. It looks similar to this:

Comment: '
*** procdump.exe  -e 1 -f "" -ma -x test.dmp Debug\SimpleCppCrash.exe
*** Unhandled exception: E06D7363.?AVexception@std@@'
Thomas Weller
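When triaging a folder full of dumps, the file names can be checked against the basename_yyMMdd_HHmmss.dmp format quoted in the answer above. The following is an added example, not part of the original posts and not ProcDump's own code; the function names are assumptions, and the sample names are the ones from the question.

```python
import re
from datetime import datetime

# Format quoted in the answer above: basename_yyMMdd_HHmmss.dmp
NAME_RE = re.compile(r"(?P<base>.+)_(?P<date>\d{6})_(?P<time>\d{6})\.dmp", re.IGNORECASE)

# File names copied from the question.
SAMPLE_NAMES = [
    "MyProcess.exe_150422_041763.dmp",
    "MyProcess.exe_150422_153851.dmp",
    "MyProcess.exe_150422_106442.dmp",
    "MyProcess.exe_150422_043551.dmp",
    "MyProcess.exe_150422_083220.dmp",
]

def parse_dump_name(filename):
    """Return (basename, timestamp or None, list of problems)."""
    m = NAME_RE.fullmatch(filename)
    if m is None:
        return None, None, ["not of the form basename_NNNNNN_NNNNNN.dmp"]
    problems = []
    try:
        day = datetime.strptime(m["date"], "%y%m%d")
    except ValueError:
        day = None
        problems.append(f"date field {m['date']} is not a valid yyMMdd date")
    t = m["time"]
    hh, mm, ss = int(t[:2]), int(t[2:4]), int(t[4:])
    # Range-checked explicitly so each out-of-range field is reported by name.
    for label, value, limit in (("hour", hh, 23), ("minute", mm, 59), ("second", ss, 59)):
        if value > limit:
            problems.append(f"{label} {value:02d} is out of range in time field {t}")
    stamp = None
    if not problems:
        stamp = day.replace(hour=hh, minute=mm, second=ss)
    return m["base"], stamp, problems

def mismatches(filenames):
    """Map each name that does not fit the documented format to its problems."""
    out = {}
    for name in filenames:
        _, _, problems = parse_dump_name(name)
        if problems:
            out[name] = problems
    return out

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        base, stamp, problems = parse_dump_name(name)
        print(name, "->", stamp.isoformat() if stamp else "; ".join(problems))
```

Names that fail this check are the ones whose embedded comment and `.time` output are worth comparing in WinDbg, as suggested above.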