Defrag Tools #178 - Sysinternals ProcDump v9.0

Sign in to queue

Description

In this episode of Defrag Tools, Andrew Richards and Chad Beeder talk about the new features of Sysinternals ProcDump v9.0

Multiple Dumps per trigger in multiple Dump Sizes:

  • -mm Write a 'Mini' dump file. (default) Includes the Process, Thread, Module, Handle and Address Space info
  • -ma Write a 'Full' dump file. Includes All the Image, Mapped and Private memory
  • -mp Write a 'MiniPlus' dump file. Includes all Private memory and all Read/Write Image or Mapped memory. To minimize size, the largest Private memory area over 512MB is excluded. A memory area is defined as the sum of same-sized memory allocations. The dump is as detailed as a Full dump but 10%-75% the size. Note: CLR processes are dumped as Full (-ma) due to debugging limitations
  • -mc Write a 'Custom' dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex). -md Write a 'Callback' dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL
  • -mk Also write a 'Kernel' dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size

Kernel Dump Support:

Complete Thread Stack – Kernel & User

  • Open the User and Kernel Dumps in separate debuggers
  • Match the TIDs from the User Dump, with the TIDs from the Kernel Dump, to get the entire stack
  • Awesome tool for hang debugging!

Debugging the Kernel Dump

  • Dump includes the kernel stack (memory) of every thread in the process (Running, Ready or Idle)
  • Dump has the Process PID and each Thread TID. There is no PEB or TEB information.
  • View the Kernel Call Stack for each Thread in the Process:

!process -1 17

Debugging the User Dump

  • View the User Call Stack for each Thread in the Process (e.g.):

~*k
!pde.deep

Embed

Download

The Discussion

  • User profile image
    Magic​Andre1981

    nice feature with the kernel and user mode dump, but the UX with 2 Windbg instances is not so great. it would be nice if windbg detects both dumps and if user shows stack in UM dump, windbg gets the kernel stack parts on its own from the corresponding KM dump

  • User profile image
    klaatu

    Disappointing video. You need:

    - bigger font on the PC
    - make it bold! (Even I can do that)
    - don't talk so fast (you're as bad as Sean Spicer)
    - don't type so fast
    - rehearse your presentation several times

    Please do better next time.

  • User profile image
    Thomas Weller

    Thanks for the new features. Please try to keep compatibility of the command line parameters. We never give Procdump to customers on its own, but always give a batch file with it. Changes in command line parameters requires a change of a batch file.

  • User profile image
    Naor Christensen

    Great episode and great show. thank you!
    is there any place where one can get documentation about the PDE Debugger Extension that Andrew has made? in the One drive i can only find the dll file. there were a few episodes where some examples on how to use it where shown, but other than that?

  • User profile image
    Magic​Andre1981

    @Naor Christensen: run !pde.help to get the list of commands

  • User profile image
    Naor Christensen

    Gr8! thx

Add Your 2 Cents