This document discusses process dump files, which provide a snapshot of a running process that can be analyzed to diagnose problems. It explains that dump files contain valuable diagnostic information but are static and cannot be directly debugged. Several tools are described for creating dump files, including Task Manager, ntsd.exe, ADPlus, and ProcDump. Visual Studio and WinDbg are both capable of analyzing dump files, with WinDbg generally being better suited for the task. Links to additional debugging resources are also provided.

1. Noam Sheffer
Senior Architect and Bugs Hunter
http://blogs.microsoft.co.il/blogs/noams
@NoamSheffer

2. The First Computer Bug

3.  When ever we have a live system that we :
 Have a limited access to the system
 Don’t want or can’t install Visual Studio on it
 Can’t Stop the service and attach a debugger to it
 Log files are inefficient or non exists (90% of the cases)
 Still Need to “Fix” the problem

5.  A dump file is a snapshot of a running process
 Kernel dumps are snapshots of the entire system, but
we will not discuss them here
 Dump files are useful for post-mortem
diagnostics and for production debugging
 A dump can contain lots of information, A full
process dump takes at least as much as the
process’ virtual size.
 It’s possible to take a smaller dump, e.g. only
thread stacks and loaded modules

6.  Dump files are a static snapshot
 You can’t debug a dump, just analyze it
 Sometimes a repro is required (or more than
one repro)
 Sometimes several dumps must be compared

7.  On Vista and higher: Task Manager, right-click
and choose “Create Dump File”

8.  Before Vista, use ntsd.exe
 ntsd -pn app.exe -c ".dump /ma /u C:app.dmp; qd"

9.  Use ADPlus from Debugging Tools for
Windows
 Can do crash / hang dumps
 Example command lines:
adplus -crash -o C:dumps -sc
C:myappmyapp.exe
adplus -hang -o C:dumps -p 1234
 Can be configured further:
 Dump on a specific exception
 Perform additional debugger actions
 …see documentation (Debugging Tools for
Windows)

10.  Sysinternals utility for creating crash / hang
dumps
 Can use process reflection (Windows 7) to
minimize process suspension time
 Examples:
Procdump -h app.exe hang.dmp
Procdump -e app.exe crash.dmp
Procdump -c 90 app.exe excessive_cpu.dmp

11.  Visual Studio can open dump files
 But it’s not the perfect analysis tool
 Visual Studio 2008 can handle native dumps
very well
 Can’t handle managed dumps AT ALL
 Visual Studio 2010 can handle both native and
managed dumps
 For managed dumps, CLR 4.0 is required

12.  WinDbg is usually much better at dump
analysis
 Not that good for managed source code reading, but
everything else is much easier 
 Try !analyze -v for native dumps
 Try opening a kernel (system) dump

15. Links
 http://blogs.microsoft.co.il/blogs/noams
 http://blogs.microsoft.co.il/blogs/sasha
(all your base are belong to us)
 http://blogs.msdn.com/b/ntdebugging/
(ntdebugging)
 http://blogs.technet.com/markrussinovich/
(Mark’s blog)