Defrag Tools: #10 - ProcDump - Triggers


Description

In this 3 part episode of Defrag Tools, Andrew Richards and Larry Larsen walk you through Sysinternals ProcDump. ProcDump allows you to capture the memory of a process running on the computer. The dump file can be of varying size and can be taken with varying outage durations. Dumps can be triggered immediately or can be triggered by a variety of events including CPU utilization, Memory utilization, a Performance Counter, a Hung Window and/or Native/Managed exceptions.

Part 1 covers what the tool captures and the outage durations that can be expected.
Part 2 (this week) goes through the wide variety of triggering options; in particular 1st and 2nd chance exceptions.
Part 3 goes through Windows 8 Modern Application support and Process Monitor logging support.

Resources: 
Sysinternals ProcDump

Timeline:
[00:27] - WinDbg -IA - Register File Associations
[00:58] - WinDbg -I - Postmortem Debugger (AeDebug) **
[04:48] - Triggers
[05:13] - Breakpoints (-b)
[06:03] - CPU (-c) and Uniprocessor scale (-u) [Compound Case of the Outlook Hangs]
[11:06] - Count (-n)
[11:42] - Examples (-? -e)
[12:02] - Performance Counters (-p <counter> <value>) *
[13:20] - Hung window (-h)
[13:36] - Wait (-w <process>) and Execute (-x <folder> <process>)
[14:28] - Crashes (e.g. procdump -e -x c:\dumps notepad) ***
[16:45] - Memory Commit (-m <Mb>)
[18:25] - Timed (-n <count> -s <seconds>)
[21:30] - Process Name vs PID
[22:24] - Exceptions; C++ (msc) vs CLR vs OS
[23:35] - Crashes & Recovery - aka 2nd Chance Exceptions (-e)
[28:40] - 1st Chance Exceptions (-e 1)
[31:07] - Exception Filtering (-f <filter>)
[33:30] - Exception Names
[34:50] - System Error Codes and !error
[36:30] - Ignore transition to .NET 4 managed debugging (-g)
[38:07] - Next time... Windows 8 Modern Applications and Process Monitor Logging

* The Performance Counter (-p) trigger does use the seconds (-s) parameter: the counter must stay past the threshold for -s consecutive seconds before the dump is written.
** ProcDump v5.1 (not yet released) adds procdump.exe -i <folder> support to set ProcDump as the postmortem debugger for both x64 and x86 applications (includes a JIT context).
*** If you are using ProcDump v5.0 as the postmortem debugger (doesn't include a JIT context), use these AeDebug settings:
Auto = "1"
Debugger = "C:\my\sysinternals\procdump.exe %ld -ma c:\dumps"
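
The footnote above gives the two AeDebug values but not how to set them. The script below is an added example, not from the episode or from Sysinternals: it writes those values from an elevated PowerShell prompt. It takes the procdump.exe path and dump folder from the footnote, quotes the path so that spaces are tolerated, and writes the same string to the native AeDebug key and to the Wow6432Node key that 32-bit processes read on 64-bit Windows; that the one procdump.exe is the right binary for both keys is an assumption the page does not state.

```powershell
# Added example (not from the episode or Sysinternals): write the AeDebug settings quoted
# above so that ProcDump 5.0 is launched as the postmortem debugger.
# Assumptions: procdump.exe is at C:\my\sysinternals\procdump.exe and dumps go to C:\dumps
# (both from the footnote); the same procdump.exe is registered in the native key and in the
# Wow6432Node key that 32-bit processes read on x64. Run from an elevated PowerShell prompt.

$ProcDump = 'C:\my\sysinternals\procdump.exe'
$DumpDir  = 'C:\dumps'

New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null

$AeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'              # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'  # 32-bit processes on x64
)

# WER replaces %ld with the PID of the faulting process; -ma writes a full memory dump.
$DebuggerValue = '"{0}" %ld -ma "{1}"' -f $ProcDump, $DumpDir

foreach ($key in $AeDebugKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Print the previous debugger string so the change can be reverted by hand.
    $previous = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
    if ($previous) { Write-Host "$key : previous Debugger = $previous" }

    # Auto = 1 launches the debugger without asking the user first.
    Set-ItemProperty -Path $key -Name 'Auto'     -Value '1'            -Type String
    Set-ItemProperty -Path $key -Name 'Debugger' -Value $DebuggerValue -Type String
}

# Show what was written.
Get-ItemProperty -Path $AeDebugKeys | Select-Object PSPath, Auto, Debugger | Format-List
```

Verify the registration with a throwaway test program that raises an ordinary unhandled exception and confirm that a .dmp file appears in C:\dumps; the printed "previous Debugger" line is what to put back if the machine had another postmortem debugger (for example WinDbg, registered with `windbg -I` as covered at [00:58]).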


The Discussion

  • Sarah

    I have w3wp process that crashes from time to time with System.OutOfMemoryException. This is on a production web server.
    Can I use procdump -e command?
    Thank you!

  • windev

    Yep, you sure can. You will need to use the PID as there will be more than one w3wp:

    Procdump -ma -e 1 -f outofmemory <pid> c:\dumps
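
    Because several w3wp.exe workers are usually running, the PID has to be looked up first. The script below is an added example, not from the episode or from the commenter: it finds the worker for one IIS application pool (each w3wp.exe command line carries `-ap "<PoolName>"`) and runs the command from the answer above against that PID. It assumes procdump.exe is on PATH and that the dump folder is C:\dumps; the pool name is a parameter.

```powershell
# Added example (not from the episode or the commenter): attach ProcDump to the w3wp.exe
# worker of one IIS application pool and dump on the first-chance OutOfMemory exception.
# Assumptions: procdump.exe is on PATH; dumps go to C:\dumps; the pool name is passed in.
param(
    [Parameter(Mandatory)] [string] $AppPool,
    [string] $DumpDir = 'C:\dumps'
)

New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null

# Win32_Process exposes the full command line (Get-Process does not); w3wp.exe is started
# with '-ap "<PoolName>"', which is what we match on.
$pattern = '-ap\s+"{0}"' -f [regex]::Escape($AppPool)
$workers = @(Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" |
             Where-Object { $_.CommandLine -match $pattern })

if ($workers.Count -eq 0) {
    throw "No w3wp.exe worker is running for application pool '$AppPool' (not started yet, or recycled)."
}
if ($workers.Count -gt 1) {
    # A web garden runs several workers per pool; each needs its own ProcDump instance.
    Write-Warning ("Pool '{0}' has {1} workers; attaching to PID {2} only." -f
                   $AppPool, $workers.Count, $workers[0].ProcessId)
}

$targetPid = $workers[0].ProcessId
Write-Host "Attaching to w3wp.exe PID $targetPid (pool '$AppPool')"

# -ma   full memory dump
# -e 1  trigger on first-chance exceptions (the CLR exception is seen before any catch block)
# -f    only exceptions whose text matches the filter, so other first-chance exceptions are ignored
# With the default count of one dump, ProcDump writes the file and detaches; the worker keeps running.
& procdump -accepteula -ma -e 1 -f outofmemory $targetPid $DumpDir
```

    Run it as an administrator on the web server, e.g. `.\Dump-W3wpOOM.ps1 -AppPool 'DefaultAppPool'` (script name assumed). Because the trigger is a first-chance exception, the dump is taken while the exception is still in flight, which is the point of `-e 1` rather than `-e` here: by the time an OutOfMemoryException becomes second-chance, ASP.NET may already have torn the request down.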

  • Sarah

    Thank you Andrew.

  • Lockman9

    Of course while watching this episode after watching the 2 before I had a system crash about halfway through. Got to about 8 minutes left after a system restart and had a system hang. Acted like the video hung this time.
    Any tips on finding root cause on this one?

  • elhannios

    I know this is old, however, the context fits.

    I've written a test program that throws an exception. And when I run it with a "procdump -e 1" manually I can see that it throws an exception of the following type:
    Exception: C00000FD.STACK_OVERFLOW

    However, with the test program, I won't get a dump file with procdump as the automatic postmortem debugger configured in the registry.

    Does it just trigger on certain Exception types? Can I configure the types? How can I assure/test that procdump is working as AeDebugger?

  • windev

    Stack Overflow is an interesting error type. It is handled in the kernel, rather than user mode -- primarily to block bad code (viruses, etc.) from handling the error, and moving on (i.e. keeping themselves hidden).

    In this situation, WER does not give the AeDebugger the chance to be involved -- instead it takes the dump directly.
  • elhannios

    Thank you. Set me onto the right path.
