userdump.exe on x64
DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based world view.
Twitter @ DumpAnalysis You can now follow portal and blog news at DumpAnalysis on Twitter.
2009 (0x7D9) - The Year of Debugging 2010 (0x7DA) - The Year of Dump Analysis 2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade
If you install the latest Microsoft user mode process dumper on x64 Windows you would see both x86 and x64 folders.
Advice: do not dump 32-bit applications and services (shown as *32 in Task Manager) using userdump.exe from x64 folder: use userdump.exe from x86 folder. 32-bit application runs in WOW64 emulation layer on x64 Windows and that emulation layer is itself native 64-bit process so x64 userdump.exe saves that emulation layer not your original 32-bit application. If you open that dump in WinDbg you would see WOW64 thread stacks not thread stacks from your original 32-bit application.
In summary, on x64 Windows
to save a dump of 64-bit application use:
- x64\userdump.exe
- \Windows\System32\ntsd.exe
- 64-bit version of WinDbg.exe
to save a dump of 32-bit application use:
- x86\userdump.exe
- \Windows\SysWOW64\ntsd.exe
- 32-bit WinDbg.exe
- Dmitry Vostokov -
_1125.png)
Coming Soon:
Crash Dump Analysis for System Administrators
New Magazines:
Debugged! MZ/PE: MagaZine for/from Practicing Engineers
New Books:
Windows Debugging: Practical Foundations
DLL List Landscape: The Art from Computer Memory Space
Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov
WinDbg: A Reference Poster and Learning Cards
Memory Dump Analysis Anthology, Volume 2
Also available:
Memory Dump Analysis Anthology, Volume 1
New Children's Book:
