- Copy the Dump_File_Collection.zip file to the local disk of the computer where the issue can be reproduced.
- Uncompress the zip file (the unzip password is "trend").
- Follow the instructions in "readme.txt" to get the crash dump.
- Remove the added keys in the reg file to disable crash dump collection.
- Download ProcDump.
- Uncompress it, then open a command prompt and navigate to the location of the procdump files.
- Run the following commands to get the application hang dump:
- X86 platform: procdump.exe <parameters>
- X64 platform: procdump64.exe <parameters>
For parameter lists and descriptions, refer to the Microsoft ProcDump page.
Examples:
- Write a full dump of a process with PID '4572': C:\>procdump -ma 4572
- Write up to 3 full dumps of a process with PID '4572' when it exceeds 20% CPU usage for five seconds: C:\>procdump -c 20 -s 5 -n 3 -ma 4572
- The dump file will be created in the same location as the procdump files.
- Compress the file, then send it to Trend Micro Technical Support.
- Download Process Explorer.
- Uncompress it, and open procexp.exe (x86 platform) or procexp64.exe (x64 platform).
- Look for the affected process from the process tree.
- Right-click on the process and choose Create Dump > Create Full Dump...
- Select the destination folder where the dump file will be saved.
- Compress the file, then send it to Trend Micro Technical Support.
- Run "taskmgr".
- Find the process in the Task Manager's process tree.
- Right-click on the process and choose Create dump file.
- After the process is dumped, a pop-up window will show the location of the dump file.
- Collect the file, then compress it.
- Provide the compressed file to Trend Micro Technical Support.
Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.
- Select Complete memory dump.
- Reproduce the crash issue.
- Collect the %SystemRoot%\MEMORY.DMP file from the affected computer, then compress it.
- Provide the compressed file to Trend Micro Technical Support.
Cannot get "Complete memory dump"
In some environments where the computer's memory size is greater than 2 GB (not including 2 GB), there is no "Complete memory dump" option when you want to get a complete memory dump.
- In Windows NT 6.0 or 6.1, this option is hidden by default if the computer's memory size is greater than 2 GB (not including 2 GB).
- Use the following command to make this option visible: (Run as administrator)
C:\> bcdedit /set {current} truncatememory 0x80000000
A computer reboot is required.
- To revert the changes, run: (Run as administrator)
C:\> bcdedit /deletevalue truncatememory
A computer reboot is required.
In some cases, the MEMORY.DMP file cannot be found in the expected folder.
To avoid this, create the following DWORD registry value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:0000000
Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.
- Select Complete memory dump.
- Reproduce the hang issue.
- Trigger a dump file generation via keyboard.
Pay attention to the keyboard connection port: PS/2 or USB.
- Collect the %SystemRoot%\MEMORY.DMP file from the affected computer, then compress it.
- Provide the compressed file to Trend Micro Technical Support.
Cannot get "Complete memory dump"
In some environments where the computer's memory size is greater than 2 GB (not including 2 GB), there is no "Complete memory dump" option when you want to get a complete memory dump.
- In Windows NT 6.0 or 6.1, this option is hidden by default if the computer's memory size is greater than 2 GB (not including 2 GB).
- Use the following command to make this option visible: (Run as administrator)
C:\> bcdedit /set {current} truncatememory 0x80000000
A computer reboot is required.
- To revert the changes, run: (Run as administrator)
C:\> bcdedit /deletevalue truncatememory
A computer reboot is required.
In some cases, the MEMORY.DMP file cannot be found in the expected folder.
To avoid this, create the following DWORD registry value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:0000000
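
A read-only check for the kernel crash and hang dump steps above, as an added PowerShell example that is not part of the original article: it reports the configured dump type, dump path and keyboard crash trigger before the issue is reproduced, then confirms the dump exists and records its SHA-256 hash so the copy sent to support can be verified. Assumptions: an elevated prompt, PowerShell 4.0 or later (for Get-FileHash), and the value names CrashDumpEnabled, DumpFile and CrashOnCtrlScroll, which are standard Windows registry values that the article itself does not name.

```powershell
# Added example, not from the original article. Read-only; run elevated.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled and DumpFile are standard Windows value names (assumption:
# they are not named in the article itself).
$types = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
            3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
$type = [int]$cc.CrashDumpEnabled
$typeName = if ($types.ContainsKey($type)) { $types[$type] } else { 'Unknown' }
"Dump type            : $type ($typeName)"
if ($type -ne 1) { 'NOTE: "Complete memory dump" is not selected.' }

$dumpPath = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
"Dump file path       : $dumpPath"
"AlwaysKeepMemoryDump : $($cc.AlwaysKeepMemoryDump)"

# The article notes the option is hidden on NT 6.0/6.1 above 2 GB of RAM.
$ramGB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
"Physical memory      : {0:N1} GB" -f $ramGB

# Keyboard-triggered dump (hang case): the setting lives under a different
# driver key depending on whether the keyboard is PS/2 or USB.
$kbdKeys = @{
    'PS/2' = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
    'USB'  = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
}
foreach ($port in $kbdKeys.Keys) {
    $p = Get-ItemProperty -Path $kbdKeys[$port] -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
    $state = if ($p.CrashOnCtrlScroll -eq 1) { 'enabled' } else { 'not enabled' }
    "Keyboard trigger {0,-4}: {1}" -f $port, $state
}

# After reproducing the issue: confirm the dump exists and record its hash
# so the copy that reaches support can be verified.
if ($dumpPath -and (Test-Path -LiteralPath $dumpPath)) {
    $file = Get-Item -LiteralPath $dumpPath
    $hash = Get-FileHash -LiteralPath $dumpPath -Algorithm SHA256
    "Dump found           : {0:N1} GB, written {1}" -f ($file.Length / 1GB), $file.LastWriteTime
    "SHA256               : $($hash.Hash)"
} else {
    "No dump file at '$dumpPath' yet."
}
```

Run it once before reproducing the issue and again afterwards; the write time shows whether MEMORY.DMP is from the current reproduction or an older crash.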