Crash Dump Analysis

Dumping processes without breaking them

2009 (0x7D9) - The Year of Debugging

You can do it on any Windows system without installing any additional tools like Userdump or WinDbg. And your process won’t be interrupted while the dump is being saved and will continue to work. Use the following command:

ntsd -pvr -p 'PID' -c ".dump /ma /u process.dmp; q"

PID is a decimal process ID you can get from Task Manager, for example.

Note: on x64 system to dump a 32-bit process (shown as *32 in Task Manager) you need to use NTSD from \Windows\SysWOW64 folder.

- Dmitry Vostokov -

Announcements

New Books:

DLL List Landscape: The Art from Computer Memory Space

Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov

WinDbg: A Reference Poster and Learning Cards

Memory Dump Analysis Anthology, Volume 2

Also available:

Memory Dump Analysis Anthology, Volume 1

New Children's Book:

Baby Turing

This entry was posted on Saturday, October 28th, 2006 at 12:34 pm and is filed under Crash Dump Analysis, Tools. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Dumping processes without breaking them”

Chris Says:
May 25th, 2007 at 4:45 pm
recieve an error that switches are invalid and don’t see switches on man page.
Dmitry Vostokov Says:
May 26th, 2007 at 8:35 am
This is because I forgot to mention that it will work only in Windows 2003.
On Windows 2000 and XP there is an older version of NTSD.

Thanks,
Dmitry

Dumping processes without breaking them

2 Responses to “Dumping processes without breaking them”

Leave a Reply