userdump.exe on x64
2009 (0x7D9) - The Year of Debugging
If you install the latest Microsoft user mode process dumper on x64 Windows you would see both x86 and x64 folders.
Advice: do not dump 32-bit applications and services (shown as *32 in Task Manager) using userdump.exe from x64 folder: use userdump.exe from x86 folder. 32-bit application runs in WOW64 emulation layer on x64 Windows and that emulation layer is itself native 64-bit process so x64 userdump.exe saves that emulation layer not your original 32-bit application. If you open that dump in WinDbg you would see WOW64 thread stacks not thread stacks from your original 32-bit application.
In summary, on x64 Windows
to save a dump of 64-bit application use:
- x64\userdump.exe
- \Windows\System32\ntsd.exe
- 64-bit version of WinDbg.exe
to save a dump of 32-bit application use:
- x86\userdump.exe
- \Windows\SysWOW64\ntsd.exe
- 32-bit WinDbg.exe
- Dmitry Vostokov -
_1125.png)
New Books:
DLL List Landscape: The Art from Computer Memory Space
Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov
WinDbg: A Reference Poster and Learning Cards
Memory Dump Analysis Anthology, Volume 2
Also available:
Memory Dump Analysis Anthology, Volume 1
New Children's Book:
