This post has been republished via RSS; it originally appeared at: Channel 9.
In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0.
Multiple Dumps per trigger in multiple Dump Sizes:
- -mm Write a 'Mini' dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info
- -ma Write a 'Full' dump file. Includes All the Image, Mapped and Private memory
- -mp Write a 'MiniPlus' dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations
- -mc Write a 'Custom' dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
- -md Write a 'Callback' dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL
- -mk Also write a 'Kernel' dump file. Includes the kernel stacks of the threads in the process. The OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size
Kernel Dump Support:
Complete Thread Stack – Kernel & User
- Open the User and Kernel Dumps in separate debuggers
- Match the TIDs from the User Dump with the TIDs from the Kernel Dump to get the entire stack
- Awesome tool for hang debugging!
Debugging the Kernel Dump
- Dump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)
- Dump has the Process PID and each Thread TID. There is no PEB or TEB information.
- View the Kernel Call Stack for each Thread in the Process:
!process -1 17
Debugging the User Dump
- View the User Call Stack for each Thread in the Process, e.g.:
~*k !pde.deep
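The TID matching described above, as an added example that is not part of the episode or of ProcDump: a Python script that joins the kernel-mode `!process -1 17` listing and the user-mode `~*k` listing on the thread ID, so each thread's kernel frames sit above its user frames. The two debugger outputs are constructed samples in an assumed WinDbg layout (user threads as `Id: pid.tid`, kernel threads as `Cid pid.tid`, both hex); the script refuses to pair dumps whose PIDs differ and marks threads present in only one dump.

```python
import re
# Constructed sample of `~*k` output from the user-mode debugger (format assumed, frames shortened).
USER_OUTPUT = """\
.  0  Id: 1f40.2a1c Suspend: 1 Teb: 000000c4c7b4d000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 000000c4c7dff8c8 00007ffd4b2c1a3e ntdll!NtWaitForSingleObject+0x14
01 000000c4c7dff8d0 00007ff6a1b01234 app!MainLoop+0x44
   1  Id: 1f40.3b2d Suspend: 1 Teb: 000000c4c7b4f000 Unfrozen
00 000000c4c80ff6a8 00007ffd4b2c4e0e ntdll!NtDelayExecution+0x14
01 000000c4c80ff6b0 00007ff6a1b09abc app!WorkerThread+0x1a
"""
# Constructed sample of `!process -1 17` output from the kernel-mode debugger (format assumed).
KERNEL_OUTPUT = """\
PROCESS ffffd08a1c2a9080
        THREAD ffffd08a1d3b4080  Cid 1f40.2a1c  Teb: 000000c4c7b4d000 Win32Thread: 0000000000000000 WAIT
        ffffa20b1f5e7a40 fffff8025a1b2c3d nt!KiSwapContext+0x76
        ffffa20b1f5e7c30 fffff8025a1c6789 nt!KeWaitForSingleObject+0x233
        ffffa20b1f5e7d10 fffff8025a1d0abc nt!NtWaitForSingleObject+0x92
        THREAD ffffd08a1d3c5080  Cid 1f40.3b2d  Teb: 000000c4c7b4f000 Win32Thread: 0000000000000000 WAIT
        ffffa20b1f5f1a40 fffff8025a1b2c3d nt!KiSwapContext+0x76
        ffffa20b1f5f1d10 fffff8025a1f5678 nt!NtDelayExecution+0x5a
"""
# Thread headers: user mode prints "Id: pid.tid", kernel mode prints "Cid pid.tid" (hex in both).
USER_HDR = re.compile(r"^[.# ]\s*\d+\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)\s", re.I)
KERNEL_HDR = re.compile(r"^\s*THREAD\s+[0-9a-f]+\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)", re.I)
# A stack frame: optional frame number, Child-SP, RetAddr, then the call-site symbol.
FRAME = re.compile(r"^\s*(?:[0-9a-f]{2}\s+)?[0-9a-f`]{8,}\s+[0-9a-f`]{8,}\s+(\S+)", re.I)

def parse_stacks(text, header_re):
    """Return (pid, {tid: [call sites, top frame first]}) for one debugger's output."""
    pid, stacks, current = None, {}, None
    for line in text.splitlines():
        m = header_re.match(line)
        if m:
            pid = int(m.group(1), 16)
            current = stacks.setdefault(int(m.group(2), 16), [])
        elif current is not None and (f := FRAME.match(line)):
            current.append(f.group(1))
    return pid, stacks

def merge_stacks(user_text, kernel_text):
    """Join the dumps on TID; a thread missing from one dump gets None on that side."""
    upid, user = parse_stacks(user_text, USER_HDR)
    kpid, kernel = parse_stacks(kernel_text, KERNEL_HDR)
    if upid != kpid:  # the TIDs only line up if both dumps came from the same process
        raise ValueError(f"PID mismatch: user dump {upid:x}, kernel dump {kpid:x}")
    return {tid: {"kernel": kernel.get(tid), "user": user.get(tid)}
            for tid in sorted(set(user) | set(kernel))}

if __name__ == "__main__":  # kernel frames sit above the user frames of the same thread
    for tid, s in merge_stacks(USER_OUTPUT, KERNEL_OUTPUT).items():
        print(f"thread {tid:x}:", *(s["kernel"] or []), *(s["user"] or []), sep="\n  ")
```

To use it on real dumps, paste the `.logopen`-captured output of each debugger into the two constants (or read them from files) and call `merge_stacks`.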