Defrag Tools #178 – Sysinternals ProcDump v9.0 | Defrag Tools

This post has been republished via RSS; it originally appeared at: Channel 9.

In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0.

Multiple Dumps per trigger in multiple Dump Sizes:

  • -mm Write a 'Mini' dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info
  • -ma Write a 'Full' dump file. Includes All the Image, Mapped and Private memory
  • -mp Write a 'MiniPlus' dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations
  • -mc Write a 'Custom' dump file. Includes memory defined by the specified MINIDUMP_TYPE mask (Hex).
  • -md Write a 'Callback' dump file. Includes memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL.
  • -mk Also write a 'Kernel' dump file. Includes the kernel stacks of the threads in the process. The OS does not support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size.

Kernel Dump Support:

Complete Thread Stack – Kernel & User

  • Open the User and Kernel Dumps in separate debuggers
  • Match the TIDs from the User Dump, with the TIDs from the Kernel Dump, to get the entire stack
  • Awesome tool for hang debugging!

Debugging the Kernel Dump

  • Dump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)
  • Dump has the Process PID and each Thread TID. There is no PEB or TEB information.
  • View the Kernel Call Stack for each Thread in the Process:

!process -1 17

Debugging the User Dump

  • View the User Call Stack for each Thread in the Process (e.g.):

~*k
!pde.deep
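
The TID-matching step described above, as an added example that is not part of the episode or of ProcDump itself: it assumes you have saved the `~*k` output of the user dump and the `!process -1 17` output of the kernel dump as text, and it works on constructed samples shaped like those listings (not real captures). Both listings print the thread id in hex (`Id: PID.TID` in the user dump, `Cid PID.TID` in the kernel dump), which is the join key; for each thread the kernel frames are stacked on top of the user frames to give the complete call stack.

```python
import re
# Constructed sample output, shaped like the "~*k" listing of a user-mode dump:
# a thread header ("Id: PID.TID", both hex) followed by that thread's frames.
USER_DUMP_STACKS = """\
.  0  Id: 1f40.2a8c Suspend: 0 Teb: 00000000`00a5d000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 000000e5`3bd7f5e8 00007ffb`a6e1c3a4 ntdll!NtWaitForSingleObject+0x14
01 000000e5`3bd7f5f0 00007ff6`1b2c1a10 KERNELBASE!WaitForSingleObjectEx+0x94
02 000000e5`3bd7f690 00007ff6`1b2c0f4c sample!WorkerLoop+0x40
   1  Id: 1f40.3b10 Suspend: 0 Teb: 00000000`00a5f000 Unfrozen
00 000000e5`3c17fa78 00007ffb`a6e1c3a4 ntdll!NtDelayExecution+0x14
01 000000e5`3c17fa80 00007ff6`1b2c2100 KERNELBASE!SleepEx+0x9e
"""

# Constructed sample output, shaped like "!process -1 17" in the kernel dump:
# each THREAD block carries "Cid PID.TID" and the thread's kernel-mode frames.
KERNEL_DUMP_STACKS = """\
THREAD ffff9d0e4b2e1080  Cid 1f40.2a8c  Teb: 0000000000a5d000 Win32Thread: 0000000000000000 WAIT
 Child-SP          RetAddr           Call Site
ffffc30f`2f4b6a20 fffff802`3e0c0c21 nt!KiSwapContext+0x76
ffffc30f`2f4b6c10 fffff802`3e4e6d4b nt!KeWaitForSingleObject+0x377
ffffc30f`2f4b6d00 fffff802`3e1d2ab8 nt!NtWaitForSingleObject+0x9b
THREAD ffff9d0e4b2e5080  Cid 1f40.3b10  Teb: 0000000000a5f000 Win32Thread: 0000000000000000 WAIT
ffffc30f`2f4c6a20 fffff802`3e0c0c21 nt!KiSwapContext+0x76
ffffc30f`2f4c6b60 fffff802`3e4f1ab8 nt!NtDelayExecution+0x1b0
"""

USER_HDR = re.compile(r"^\s*[.#]?\s*\d+\s+Id:\s*([0-9a-f]+)\.([0-9a-f]+)", re.I)
KERNEL_HDR = re.compile(r"^THREAD\s+\w+\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)", re.I)
# A frame line: optional frame number, Child-SP, RetAddr, then the call site.
FRAME = re.compile(r"^(?:[0-9a-f]{2}\s+)?[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+(\S+)", re.I)

def parse_stacks(text, header_re):
    """Map TID (int) -> call sites, grouping frame lines under the last header."""
    stacks, current = {}, None
    for line in text.splitlines():
        m = header_re.match(line)
        if m:
            current = stacks.setdefault(int(m.group(2), 16), [])
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current.append(f.group(1))
    return stacks

def merge_stacks(user_text, kernel_text):
    """Join the two dumps on TID; kernel frames sit above the user frames."""
    user, kernel = parse_stacks(user_text, USER_HDR), parse_stacks(kernel_text, KERNEL_HDR)
    return {tid: kernel.get(tid, []) + user.get(tid, []) for tid in user.keys() | kernel.keys()}
```

A thread present in only one of the two dumps still appears in the result with the frames that dump had, so a mismatch between the captures is visible rather than silently dropped.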
