Crash Dump Analysis Patterns (Part 45)
The absence of crash dumps when we expect them can be considered a pattern in its own right, and I call it No Process Dumps. This can happen for a variety of reasons, and troubleshooting should be based on the distinction between crashes and hangs. We have 3 combinations here:
- A process is visible in Task Manager and is functioning normally
- A process is visible in Task Manager and has stopped functioning normally
- A process is not visible in Task Manager
If a process is visible in the task list and is functioning normally then the following reasons should be considered:
- Exceptions haven’t happened yet because of different code execution paths, or not enough time has passed and we need to wait longer
- Exceptions haven’t happened yet due to a different memory layout. This can be an instance of the Changed Environment pattern.
If a process is visible in Task Manager and has stopped functioning normally then it might be hanging and waiting for some input. In such cases it is better to get process dumps proactively.
If a process is not visible in Task Manager then the following reasons should be considered:
- The Debugger value for the AeDebug key is invalid, missing, or points to a wrong path, or the command line has wrong arguments. For examples see Custom Postmortem Debuggers on Vista or NTSD on x64 Windows 2003.
- Something is wrong with the exception handling mechanism or WER settings. Use Process Monitor to see what processes are launched and what modules are loaded when an exception happens. Check WER settings in Control Panel.
- Try the LocalDumps registry key for Vista SP1 and Windows Server 2008 (this one I haven’t tried yet)
- Use live debugging techniques like attaching to a process or running a process under a debugger to monitor exceptions and save first chance exception crash dumps.
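The registry checks from the list above can be scripted. The following PowerShell is an added example, not code from the original post; it assumes the standard registry locations of the AeDebug and LocalDumps keys, and the function names Test-AeDebug and Test-LocalDumps are hypothetical.

```powershell
# Added example (not from the original post): audit crash-dump settings.
function Test-AeDebug {
    param([string]$KeyPath)
    $problems = @()
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $cmd = if ($props) { $props.Debugger } else { $null }
    if ([string]::IsNullOrWhiteSpace($cmd)) {
        $problems += 'Debugger value is missing or empty'
    }
    elseif ($cmd -match '^\s*"([^"]+)"(.*)$' -or $cmd -match '^\s*(\S+)(.*)$') {
        # The executable is the quoted string or the first token, so an
        # unquoted path that contains spaces is reported as not found.
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (-not (Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue)) {
            $problems += "Debugger executable not found: $exe"
        }
        # Windows substitutes the process ID and an event handle for the first
        # two %ld placeholders; a debugger needs both to attach and resume.
        if ([regex]::Matches($Matches[2], '%l?d').Count -lt 2) {
            $problems += 'Fewer than two %ld placeholders in the arguments'
        }
    }
    [pscustomobject]@{ Key = $KeyPath; Debugger = $cmd; Auto = $props.Auto; Problems = $problems -join '; ' }
}

function Test-LocalDumps {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
    if (-not (Test-Path $key)) {
        # Key absent: WER writes no local user-mode dumps.
        return [pscustomobject]@{ Key = $key; Present = $false }
    }
    $p = Get-ItemProperty -Path $key
    # Documented defaults when a value is absent: %LOCALAPPDATA%\CrashDumps, DumpType 1 (mini).
    $folder = $p.DumpFolder
    if (-not $folder) { $folder = '%LOCALAPPDATA%\CrashDumps' }
    $folder = [Environment]::ExpandEnvironmentVariables($folder)
    $type = if ($null -ne $p.DumpType) { $p.DumpType } else { 1 }
    [pscustomobject]@{ Key = $key; Present = $true; DumpFolder = $folder; DumpType = $type; FolderExists = (Test-Path $folder) }
}

$aeDebug = 'Microsoft\Windows NT\CurrentVersion\AeDebug'
Test-AeDebug "HKLM:\SOFTWARE\$aeDebug" | Format-List               # native processes
Test-AeDebug "HKLM:\SOFTWARE\Wow6432Node\$aeDebug" | Format-List   # 32-bit processes on x64
Test-LocalDumps | Format-List
```

An empty Problems field means the Debugger command line passed both checks; it does not prove that the debugger itself can write a dump to its target folder.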
This is a very important pattern for technical support environments that rely on post-mortem analysis and I’m going to revisit it later to add more information and recommendations if necessary.
- Dmitry Vostokov @ DumpAnalysis.org -
January 3rd, 2020 at 4:55 pm
LocalDumps registry key may be removed after major Windows 10 updates/releases.