Defrag Tools #178 - Sysinternals ProcDump v9.0

In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0

Multiple Dumps per trigger in multiple Dump Sizes:

• -mm Write a 'Mini' dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info
• -ma Write a 'Full' dump file. Includes All the Image, Mapped and Private memory
• -mp Write a 'MiniPlus' dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations
• -mc Write a 'Custom' dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex). -md Write a 'Callback' dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL
• -mk Also write a 'Kernel' dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size

Kernel Dump Support:

Complete Thread Stack – Kernel & User

• Open the User and Kernel Dumps in separate debuggers
• Match the TIDs from the User Dump, with the TIDs from the Kernel Dump, to get the entire stack
• Awesome tool for hang debugging!

Debugging the Kernel Dump

• Dump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)
• Dump has the Process PID and each Thread TID. There is no PEB or TEB information.
• View the Kernel Call Stack for each Thread in the Process:

!process -1 17

Debugging the User Dump

• View the User Call Stack for each Thread in the Process (e.g.):

~*k
!pde.deep