
I would like to use ProcDump's ability to create minidumps with a custom MINIDUMP_TYPE via the -mc command-line switch to include memory contents beyond MiniDumpNormal.

Unfortunately neither MiniDumpWithFullMemory, MiniDumpWithIndirectlyReferencedMemory, nor MiniDumpWithPrivateReadWriteMemory | MiniDumpWithPrivateWriteCopyMemory seem to have any effect: A nonempty minidump is created without an error being displayed, but a lot smaller than expected and querying the minidump via WinDbg's .dumpdebug functionality does not list any of the aforementioned flags even if explicitly included in the minidump type. It seems as if none of the flags mentioned above have an impact on ProcDump's behavior.

The process in question is a 32-bit process running under 64-bit Windows 10, build 2004. I have tried both procdump.exe and procdump64.exe version 9.0, albeit without the -64 command-line switch since I do not want to include SysWOW64 overhead. I have also tried copying 32-bit and 64-bit versions of dbghelp.dll provided by the most recent Debugging Tools for Windows SDK into the corresponding folders in which procdump.exe and procdump64.exe are located. Finally, I have made sure to pass the minidump type as hexadecimal numbers and any other flags that I have tried seem to be recognized without an issue and are being listed when inspecting the minidump in WinDbg afterwards.

As an example, the invocation procdump.exe -mc 51B25 <process> should create a dump with

0x51B25 = 334629 = (MiniDumpWithDataSegs 
 | MiniDumpWithProcessThreadData
 | MiniDumpWithHandleData
 | MiniDumpWithPrivateReadWriteMemory
 | MiniDumpWithUnloadedModules
 | MiniDumpWithFullMemoryInfo
 | MiniDumpWithThreadInfo
 | MiniDumpWithTokenInformation
 | MiniDumpWithPrivateWriteCopyMemory)

When inspecting the dump in WinDbg, neither MiniDumpWithPrivateReadWriteMemory nor MiniDumpWithPrivateWriteCopyMemory show up in the .dumpdebug information with corresponding memory regions being unavailable. Note that when I create the dump from within the application using MiniDumpWriteDump for demonstration purposes, the flags do show up when using .dumpdebug and the resulting minidump will be significantly larger (under otherwise comparable conditions).

Can someone confirm that ProcDump is indeed ignoring memory-related flags or explain to me what I am doing wrong?

(Writing a MiniPlus dump using the -mp switch does work but does not necessarily include the memory regions of interest.)

da22e
  • Does -ma include the areas desired? You should generally use the 32-bit debugger to dump a 32-bit process and the x64 debugger to dump an x64 process. In general we use -ma to capture a full dump that includes everything. – kvr Jul 28 '20 at 01:55
  • Regarding using hex for the flags, are you using a single hex value? Or you trying to OR them at the command line? Perhaps try a single combined hex value if you haven't tried it. – kvr Jul 28 '20 at 02:01
  • Regarding the hexadecimal values used, @kvr: I just added an example where you can see how I specified the hexadecimal value when invoking procdump.exe. Regarding the `-ma` switch, for unknown reasons I cannot record full memory dumps, neither with Visual Studio, nor the Task Manager, nor ProcDump: Windows will simply freeze if I attempt to do so. (This seems to be another, unrelated problem, however.) – da22e Jul 28 '20 at 16:29
  • The reason why I tried procdump64.exe was that some resources seemed to suggest at first glance that it should be used for 64-bit Windows instead without giving any further explanation, for example the whitepaper available at goldstarsoftware.com/papers/…. Since I got no indication of what's wrong when I used procdump.exe, I thought I'd give it a try even if it seemed counter-intuitive. (In the end, dumping the 32-bit application with procdump64.exe did not produce a usable dump, with TEB information not being interpretable by WinDbg (x86).) – da22e Jul 28 '20 at 16:40
  • Does the [Windows Error Reporting service](https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps) capture the dump? There you can also set CustomDumpFlags. – magicandre1981 Jul 30 '20 at 13:39
  • For my particular use case I need to create a dump when the application becomes unresponsive. According to the documentation WER creates minidumps when a crash occurs. Does it also create minidumps when the application hangs? And if it does create minidumps during software hangs I assume it relies on Windows' mechanism to detect software hangs and won't work for arbitrary hangs? – da22e Aug 01 '20 at 15:57
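An added example, not code from the question, from Sysinternals or from ProcDump: a Python script that builds the -mc value from MINIDUMP_TYPE flag names and then reads the MINIDUMP_HEADER.Flags field and the stream directory back out of a .dmp file, which is the same dump-type information WinDbg's .dumpdebug prints, plus a count of how many bytes of process memory the MemoryListStream/Memory64ListStream actually carry. Structure layouts and flag values are taken from minidumpapiset.h. The dump bytes used in the demo are constructed inline (a header with the two private-memory bits cleared, to mirror what the question reports); the file-name argument and the script name mdflags.py are assumptions, not something on the page.

```python
import struct
import sys
from typing import Dict, List, Tuple

# MINIDUMP_TYPE bit values from minidumpapiset.h (dbghelp). Pass the OR of these, in hex, to procdump -mc.
MINIDUMP_TYPE: Dict[str, int] = {
    "MiniDumpWithDataSegs": 0x00000001, "MiniDumpWithFullMemory": 0x00000002,
    "MiniDumpWithHandleData": 0x00000004, "MiniDumpFilterMemory": 0x00000008,
    "MiniDumpScanMemory": 0x00000010, "MiniDumpWithUnloadedModules": 0x00000020,
    "MiniDumpWithIndirectlyReferencedMemory": 0x00000040, "MiniDumpFilterModulePaths": 0x00000080,
    "MiniDumpWithProcessThreadData": 0x00000100, "MiniDumpWithPrivateReadWriteMemory": 0x00000200,
    "MiniDumpWithoutOptionalData": 0x00000400, "MiniDumpWithFullMemoryInfo": 0x00000800,
    "MiniDumpWithThreadInfo": 0x00001000, "MiniDumpWithCodeSegs": 0x00002000,
    "MiniDumpWithoutAuxiliaryState": 0x00004000, "MiniDumpWithFullAuxiliaryState": 0x00008000,
    "MiniDumpWithPrivateWriteCopyMemory": 0x00010000, "MiniDumpIgnoreInaccessibleMemory": 0x00020000,
    "MiniDumpWithTokenInformation": 0x00040000, "MiniDumpWithModuleHeaders": 0x00080000,
    "MiniDumpFilterTriage": 0x00100000,
}

# MINIDUMP_STREAM_TYPE values for the streams reported on below.
STREAM_NAMES = {3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
                6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
                12: "HandleDataStream", 14: "UnloadedModuleListStream", 15: "MiscInfoStream",
                16: "MemoryInfoListStream", 17: "ThreadInfoListStream", 19: "TokenStream"}

MDMP_SIGNATURE = 0x504D444D  # 'MDMP' read as a little-endian ULONG32
# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<IIIIIIQ"      # 32 bytes; Flags (the MINIDUMP_TYPE the writer recorded) sits at offset 24


def minidump_type_value(*names: str) -> int:
    """OR the named flags into the numeric MINIDUMP_TYPE (print it with {:X} for procdump -mc)."""
    value = 0
    for name in names:
        value |= MINIDUMP_TYPE[name]
    return value


def decode_minidump_type(value: int) -> List[str]:
    """Expand a MINIDUMP_TYPE value into flag names, lowest bit first; unknown bits are kept as hex."""
    names = [n for n, bit in sorted(MINIDUMP_TYPE.items(), key=lambda kv: kv[1]) if value & bit]
    unknown = value & ~sum(MINIDUMP_TYPE.values())
    if unknown:
        names.append(hex(unknown))
    return names


def parse_minidump(data: bytes) -> dict:
    """Read the header flags, the stream directory and the total bytes of captured memory."""
    sig, version, nstreams, dir_rva, _checksum, _stamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    streams: List[Tuple[str, int]] = []
    memory_bytes = 0
    for i in range(nstreams):
        # MINIDUMP_DIRECTORY entry (12 bytes): StreamType, Location.DataSize, Location.Rva
        stype, size, rva = struct.unpack_from("<III", data, dir_rva + 12 * i)
        streams.append((STREAM_NAMES.get(stype, f"Stream{stype}"), size))
        if stype == 5:    # MINIDUMP_MEMORY_LIST: ULONG32 count, then 16-byte MINIDUMP_MEMORY_DESCRIPTORs
            (count,) = struct.unpack_from("<I", data, rva)
            for j in range(count):
                _start, dsize, _drva = struct.unpack_from("<QII", data, rva + 4 + 16 * j)
                memory_bytes += dsize
        elif stype == 9:  # MINIDUMP_MEMORY64_LIST: ULONG64 count, RVA64 BaseRva, then 16-byte DESCRIPTOR64s
            count, _base = struct.unpack_from("<QQ", data, rva)
            for j in range(count):
                _start, dsize = struct.unpack_from("<QQ", data, rva + 16 + 16 * j)
                memory_bytes += dsize
    return {"version": version & 0xFFFF, "flags": flags, "flag_names": decode_minidump_type(flags),
            "streams": streams, "memory_bytes": memory_bytes}


def missing_flags(requested: int, data: bytes) -> List[str]:
    """Flags that were requested from the writer but are absent from the dump's recorded MINIDUMP_TYPE."""
    return decode_minidump_type(requested & ~parse_minidump(data)["flags"])


def build_sample_dump(flags: int, ranges: List[Tuple[int, bytes]]) -> bytes:
    """Constructed stand-in for a writer's output: header, two directory entries, one Memory64ListStream."""
    dir_rva = struct.calcsize(HEADER_FMT)
    mem64_rva = dir_rva + 2 * 12
    mem64_size = 16 + 16 * len(ranges)
    base_rva = mem64_rva + mem64_size                      # Memory64List data is contiguous from BaseRva
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 2, dir_rva, 0, 0, flags)  # 0xA793 = MINIDUMP_VERSION
    directory = struct.pack("<III", 7, 0, 0)                # SystemInfoStream placeholder, left empty here
    directory += struct.pack("<III", 9, mem64_size, mem64_rva)
    mem64, payload = struct.pack("<QQ", len(ranges), base_rva), b""
    for start, blob in ranges:
        mem64 += struct.pack("<QQ", start, len(blob))
        payload += blob
    return header + directory + mem64 + payload


if __name__ == "__main__":
    requested = minidump_type_value(
        "MiniDumpWithDataSegs", "MiniDumpWithProcessThreadData", "MiniDumpWithHandleData",
        "MiniDumpWithPrivateReadWriteMemory", "MiniDumpWithUnloadedModules", "MiniDumpWithFullMemoryInfo",
        "MiniDumpWithThreadInfo", "MiniDumpWithTokenInformation", "MiniDumpWithPrivateWriteCopyMemory")
    print(f"procdump.exe -mc {requested:X} <process>")            # 0x51B25
    if len(sys.argv) > 1:                                          # assumed usage: mdflags.py some.dmp
        dump = open(sys.argv[1], "rb").read()
    else:                                                          # constructed: private-memory bits cleared
        dump = build_sample_dump(requested & ~0x10200, [(0x00400000, b"\x00" * 64), (0x7FFE0000, b"\x00" * 32)])
    info = parse_minidump(dump)
    print("recorded flags:", info["flag_names"])
    print("streams:", info["streams"], "memory bytes:", info["memory_bytes"])
    print("requested but not recorded:", missing_flags(requested, dump))
```

Run it against a real ProcDump output (mdflags.py dump.dmp, assumed name) and compare "recorded flags" with the value you passed to -mc: anything listed under "requested but not recorded" was dropped by the writer before MiniDumpWriteDump recorded the type, and "memory bytes" is the figure to compare between the ProcDump dump and one written in-process with the same flags.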

0 Answers