  1. Copy the Dump_File_Collection.zip file to the local disk of the computer where the issue can be reproduced.
  2. Uncompress the zip file (Unzip password is "trend").
  3. Follow the "readme.txt" to get the crash dump.
  4. To disable crash dump collection, remove the registry keys that the reg file added.
  1. Download ProcDump.
  2. Extract it, then open a command prompt and navigate to the location of the ProcDump files.
  3. Run the following commands to get an application hang dump:
    • X86 platform: procdump.exe <parameters>
    • X64 platform: procdump64.exe <parameters>
     
    For the parameter list and descriptions, refer to the Microsoft ProcDump page.
     

    Examples:

    • Write a full dump of a process with PID '4572': C:\>procdump -ma 4572
    • Write up to 3 full dumps of a process with PID '4572' when it exceeds 20% CPU usage for five seconds: C:\>procdump -c 20 -s 5 -n 3 -ma 4572
     
    • Use the process ID (PID) instead of the process name to avoid ambiguity when multiple processes share the same name.
    • To find the process ID (PID), run a command prompt and enter "tasklist".


     
  4. The dump file will be created in the same location as the ProcDump files.
  5. Compress the file, then send it to Trend Micro Technical Support.
  1. Download Process Explorer.
  2. Uncompress it, and open procexp.exe (x86 platform) or procexp64.exe (x64 platform).
  3. Look for the affected process in the process tree.
  4. Right-click on the process and choose Create Dump > Create Full Dump...


  5. Select the destination folder in which to save the dump file.
  6. Compress the file, then send it to Trend Micro Technical Support.
  1. Run "taskmgr".
  2. Find the process in Task Manager's process tree.
  3. Right-click on the process and choose Create dump file.
  4. After the process has been dumped, a pop-up window will show the location of the dump file.
  5. Collect the file, then compress it.
  6. Provide the compressed file to Trend Micro Technical Support.
 
Before collecting a dump of the NTRTScan.exe process, first disable the "Real-Time Scan" feature for the affected agent from the product management web console.
 

Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

  1. Select Complete memory dump.
  2. Reproduce the crash issue.
  3. Collect %SystemRoot%\MEMORY.DMP from the affected computer, then compress it.
  4. Provide the compressed file to Trend Micro Technical Support.
 

Cannot get "Complete memory dump"

    In some environments where the computer's memory size is greater than 2 GB (not including 2 GB), the "Complete memory dump" option is not available when you want to collect a complete memory dump.

  1. In Windows NT 6.0 or 6.1, this option is hidden by default if the computer's memory size is greater than 2 GB (not including 2 GB).
  2. Use the following command to make this option visible (run as administrator):
    C:\> bcdedit /set {current} truncatememory 0x80000000
     
    A computer reboot is required.
     
  3. To revert changes run: (Run as administrator)
    C:\> bcdedit /deletevalue truncatememory
     
    A computer reboot is required.
     

In some cases, the MEMORY.DMP file cannot be found in the expected folder.

To avoid this, create the following DWORD registry value:

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
	"AlwaysKeepMemoryDump"=dword:00000001
	
 
A computer reboot is required.
 
 

Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

  1. Select Complete memory dump.
  2. Reproduce the hang issue.
  3. Trigger a dump file generation via keyboard.
     
    Pay attention to the keyboard connection port: PS/2 or USB.
     
  4. Collect %SystemRoot%\MEMORY.DMP from the affected computer, then compress it.
  5. Provide the compressed file to Trend Micro Technical Support.
 

Cannot get "Complete memory dump"

In some environments where the computer's memory size is greater than 2 GB (not including 2 GB), the "Complete memory dump" option is not available when you want to collect a complete memory dump.

  1. In Windows NT 6.0 or 6.1, this option is hidden by default if the computer's memory size is greater than 2 GB (not including 2 GB).
  2. Use the following command to make this option visible (run as administrator):
    C:\> bcdedit /set {current} truncatememory 0x80000000
     
    A computer reboot is required.
     
  3. To revert changes run: (Run as administrator)
    C:\> bcdedit /deletevalue truncatememory
     
    A computer reboot is required.
     

In some cases, the MEMORY.DMP file cannot be found in the expected folder.

To avoid this, create the following DWORD registry value:

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
	"AlwaysKeepMemoryDump"=dword:00000001
	
 
A computer reboot is required.
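
A read-only pre-flight check for the kernel dump settings described above, to run before reproducing the crash or hang. This is an added PowerShell example, not part of the original article or Trend Micro's tooling. It assumes the standard Windows CrashDumpEnabled and DumpFile values under the same CrashControl key (not named on this page) and treats "free space at least equal to physical RAM" as a rough sizing rule.

```powershell
# Added example: read-only check, changes nothing on the system.
# Run from an elevated PowerShell prompt on the affected computer.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled values behind the Startup and Recovery dialog (assumed standard values).
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
$type     = [int]$cc.CrashDumpEnabled
$typeName = if ($dumpTypes.ContainsKey($type)) { $dumpTypes[$type] } else { "Unknown ($type)" }

# DumpFile is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded.
$dumpFile = if ($cc.DumpFile) { $cc.DumpFile } else { Join-Path $env:SystemRoot 'MEMORY.DMP' }
$keep     = [int]$cc.AlwaysKeepMemoryDump   # an absent value reads as 0

# A complete dump is roughly the size of physical RAM; compare with free space.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$drive     = Split-Path -Path $dumpFile -Qualifier
$freeBytes = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace

# truncatememory caps the RAM Windows uses; it should be removed after collection.
$truncate = [bool](bcdedit /enum '{current}' | Select-String -Pattern 'truncatememory')

[pscustomobject]@{
    DumpType             = $typeName
    DumpFile             = $dumpFile
    AlwaysKeepMemoryDump = $keep
    RamGB                = [math]::Round($ramBytes / 1GB, 1)
    FreeGB               = [math]::Round($freeBytes / 1GB, 1)
    TruncateMemorySet    = $truncate
} | Format-List

if ($type -ne 1)              { Write-Warning 'Dump type is not "Complete memory dump".' }
if ($keep -ne 1)              { Write-Warning 'AlwaysKeepMemoryDump is not 1; MEMORY.DMP may not be kept.' }
if ($freeBytes -lt $ramBytes) { Write-Warning "Free space on $drive is smaller than physical RAM." }
if ($truncate)                { Write-Warning 'truncatememory is set; remove it once the dump is collected.' }

# If a dump already exists, show its size and timestamp so a stale file is not sent by mistake.
if (Test-Path $dumpFile)      { Get-Item $dumpFile | Select-Object FullName, Length, LastWriteTime }
```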