How to create dumps of crashed/stuck process using ProcDump

Introduction

ProcDump (procdump.exe), a Windows Sysinternals tool. It allows you to create dumps of the processes in any scenario that may arise while troubleshooting issues with Acronis products.

If an application crashes in Windows 2000, Windows XP or Windows Server 2003 you can create Dr. Watson Crash Dump instead.

(!) When Procdump captures the dump file, it does not kill the running process.

Solution

To create a dump with ProcDump, do the following:

1. Download ProcDump from Windows Sysinternals site;
2. Create a folder where dumps will be stored (e.g. C:\Dumps\);
3. Unzip the archive and put the procdump.exe in to the created directory;
4. Open Windows command-line: Hit Start -> Run and type in cmd. We recommend running cmd with administrative privileges (right-click -> run as administrator), otherwise, the utility might not find the required process;
5. In CMD, switch to the newly created folder using the cd command:

   cd <path_to_folder> 

   For example: cd C:\Dumps

6. Depending on the nature of the issue (immediate process crash, hanging process, lock-up etc.) choose what options are to be used with ProcDump. See the most common examples below:

   A. Situations when processes are crashing (e.g. right upon starting, or they crash randomly) can be universally handled by the following command:

   procdump -e -ma -w <process_name>

   E.g. if you have service_process.exe crashing, the command will look like:

   procdump -e -ma -w service_process.exe

   => this will execute ProcDump to monitor for the process to start (if it's not running yet) and create a full process memory dump as soon as it encounters an unhandled exception and crashes.

   In case you need to capture memory dumps of more than one process, or you don't know what process is going to crash (e.g. when provided with custom libraries), use the following command - it will capture all memory dumps for any crash that occurs:

   procdump -ma -i C:\dumps

   B. If you need to create a dump file of the running process in its current state (e.g. if there is a suspicion the process hangs or it is necessary to understand why the service uses a lot of resources, etc.), use the following command:

   procdump -ma -s 5 -n 3  <process_name> 

   (this command will write 3 mini dumps 5 seconds apart; change the numbers if needed)

   or using PID (useful if multiple processes with the same name are running):

   procdump -ma <process_PID> (where process_PID is the process identifier)

   E.g. in case mms.exe seems to be hanging, the following command can be used:

   procdump -ma -s 5 - n 3 mms.exe

   or

   procdump -ma 3255 (if 3255 is the process identifier)

   (!) The full list of the parameters can be found on the ProcDump download page or by issuing command procdump /? ;

   (!) If you get a message Multiple processes match the specified name, use Just-in-time debugging

7. Once the necessary dumps are created, you can locate them in the same folder where ProcDump resides (e.g. C:\Dumps\);
8. Compress the process dump into a .zip file;
9. It is recommended to collect a fresh output of AcronisInfo Utility;
10. Send the dump file (with the system report or Acronis info output) to Acronis Support via FTP: see Uploading Files to Acronis FTP Server. A unique FTP link tied to your case can be provided by the Support Engineer assigned to your case.

How to collect dump of a process with high memory usage

Procdump can be used to watch for the process exceeding a memory consumption threshold. The consumption threshold applies to the specific process being monitored, not systemwide.

-m parameter identifies the memory commit threshold in MB at which to create a dump. 

-w flag tells procdump to wait for a process of that name to come into existence.

E.g. the following command:

      procdump -ma -m 20480 -w service_process

will monitor in the background for service_process to come to life, watch its memory consumption, and create a dump when the  virtual memory size of the process crosses approximately 20GBs.

You can also set up Just-in-time debugging (AeDebug Windows option) to collect crash dump automatically in case of a process crash. For example, if previous ways did not work. Once configured, the system will invoke procdump automatically, without any user interaction, whenever an application crash event occurs and the dump file will be written automatically. Also, the system can be rebooted any amount of times and there will be no need for any extra action after each reboot to resume monitoring for crashes.

How to set up Just-in-time debugging: click to expand

1) Download ProcDump from Windows Sysinternals site. Select a folder to put procdump.exe in, e.g. C:\procdump. 

You should choose a folder where procdump.exe can be kept until the support ticket is fully investigated, resolved and solution is created and verified. The path to procdump need to remain unchanged because of the way dumps will be collected, described further below.

2) Run "cmd" as administrator (Press Windows key to open the start menu. Type in cmd to search for Command Prompt. Press Ctrl+Shift+Enter to launch Command Prompt as administrator)

3) Change current directory to the folder with procdump.exe. In our example it would be:

cd C:\procdump 

4) Register procdump as the AeDebug postmortem debugger:

procdump.exe -accepteula -ma -i 

This will tell the system that whenever any application crashes, not only Acronis, Windows system will launch procdump automatically and save a memory dump of the crashed process into the folder with procdump.exe. In other words, procdump will be launched only when an application crash event occurs, it does not have to be running all the time.

5) The text output of the previous command should confirm that procdump was registered successfully:

ProcDump is now set as the Just-in-time (AeDebug) debugger.

If there is an error or warning, please reboot the computer and repeat the procedure starting with step 2)

6) Wait until the issue with Acronis application crash reproduces

7) Check the folder where ProcDump is stored (C:\procdump in this example) for files with .dmp file name extension.

If they are present, upload them to Acronis FTP server as instructed by Support Engineer

If there are no .dmp files, it means either procdump was not registered properly, or something prevented it from generating crash memory dump files. Try disabling antivirus and repeat the procedure starting with step 2)

8) After Acronis finishes investigation, fixes the issue and the fix is verified, undo the changes to the system settings of handling application crashes:

• Run "cmd" as administrator (Press Windows key to open the start menu. Type in cmd to search for Command Prompt. Press Ctrl+Shift+Enter to launch Command Prompt as administrator)

• Change current directory to the folder with procdump.exe. In our example it would be: cd C:\procdump 

• Run the following command to stop Just-in-time debugger mode: procdump.exe -u

More information

To collect dump files of multiple processes with a given name:

1. Navigate to the directory where procdump.exe is located.
2. Execute:
   for /f "tokens=2 delims=," %F in ('tasklist /nh /fi "imagename eq <process>.exe" /fo csv') do procdump -ma %~F SP_%~F.dmp
   where <process> is the name of the process(es) you are collecting dumps of, for example service_process.exe

   Or create a batch file with this command:
   for /f "tokens=2 delims=," %%F in ('tasklist /nh /fi "imagename eq <process>.exe" /fo csv') do procdump -ma %%~F SP_%%~F.dmp
   where <process> is the name of the process(es) you are collecting dumps of, for example service_process.exe

Please also check the Process Explorer tool which can be useful for dumps creation:

http://technet.microsoft.com/en-en/sysinternals/bb896653.aspx

This tool detects which dump (32/64 Bit) should be created automatically.

See also:

• Creating Dumps with Windows Error Reporting
• Creating Dr. Watson Crash Dumps
• Creating a Userdump