« 10,000 Visit Mark
Object-Oriented Debugging and Troubleshooting »

Crash Dump Analysis Patterns (Part 45)

The absence of crash dumps when we expect them can be considered as a pattern on its own and I call it No Process Dumps. This can happen due to variety of reasons and troubleshooting should be based on the distinction between crashes and hangs. We have 3 combinations here:

  1. A process is visible in Task Manager and is functioning normally

  2. A process is visible in Task Manager and has stopped functioning normally

  3. A process is not visible in Task Manager

If a process is visible in task list and is functioning normally then the following reasons should be considered:

  • - Exceptions haven’t happened yet due to different code execution paths or the time has not come yet and we need to wait more

  • - Exceptions haven’t happened yet due to a different memory layout. This can be the instance of Changed Environment pattern.

If a process is visible in Task Manager and has stopped functioning normally then it might be hanging and waiting for some input. In such cases it is better to get  process dumps proactively

If a process is not visible in Task Manager then the following reasons should be considered:

  • - Debugger value for AeDebug key is invalid, missing or points to a wrong path or a command line has wrong arguments. For examples see Custom Postmortem Debuggers on Vista or NTSD on x64 Windows 2003.

  • - Something is wrong with exception handling mechanism or WER settings. Use Process Monitor to see what processes are launched and modules are loaded when an exception happens. Check WER settings in Control panel.

  • - Try LocalDumps registry key for Vista SP1 and Windows Server 2008 (this one I haven’t tried yet)

  • - Use live debugging techniques like attaching to a process or running a process under a debugger to monitor exceptions and saving first chance exception crash dumps.

This is very important pattern for technical support environments that rely on post-mortem analysis and I’m going to revisit it later to add more information and recommendations if necessary. 

- Dmitry Vostokov @ DumpAnalysis.org -

This entry was posted on Wednesday, January 30th, 2008 at 3:25 pm and is filed under Crash Dump Analysis, Crash Dump Patterns, Crash Dumps for Dummies, Debugging, Vista, Windows Server 2008. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Crash Dump Analysis Patterns (Part 45)”

  1. Crash Dump Analysis » Blog Archive » Structural Memory Patterns (Part 1) Says:
    September 24th, 2010 at 10:55 am

    […] No Process Dumps […]

  2. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 77) Says:
    September 29th, 2010 at 10:59 am

    […] Experts Magazine Online Today we introduce an icon for No Process Dumps […]

  3. Dmitry Vostokov Says:
    January 3rd, 2020 at 4:55 pm

    LocalDumps registry key may be removed after major Windows 10 updates/releases.

Leave a Reply

You must be logged in to post a comment.