Extract Log Dumps when System and Applications hangs or crashes

Collecting Log Dumps when System and Applications encounter hang and crash issues

- Updated:
- 17 Dec 2021
- Product/Version:
- Apex Central
- Apex One
- Hosted Mobile Security
- Interscan Messaging Security Virtual Appliance
- Interscan Web Security as a Service - Hybrid
- Interscan Web Security Virtual Appliance
- Network Viruswall
- Policy Manager
- Securecloud On-Premise
- ServerProtect
- Worry-Free Business Security Advanced
- Worry-Free Business Security Services
- Worry-Free Plug-In - Security For MAC
- Worry-Free Remote Manager
- Platform:

EXPAND ALL

Application Crash

Put the Dump_File_Collection.zip file to reproducible computer's local disk.
Uncompress the zip file (Unzip password is "Trend").
Follow the "readme.txt" to get the crash dump.
Remove the added keys in the reg file to disable crash dump collection.

Application Hang

> Method 1: ProcDump

Download ProcDump.
Uncompress it then open a command prompt and navigate to the location of the procdump files.
Run the following commands to get application hang dump:
- X86 platform: procdump.exe <parameters>
- X64 platform: procdump64.exe <parameters>
For parameter lists and description, refer to the Microsoft ProcDump page.

Examples:
- Write a full dump of a process with PID '4572': C:\>procdump -ma 4572
- Write up to 3 full dumps of a process with PID '4572' when it exceeds 20% CPU usage for five seconds: C:\>procdump -c 20 -s 5 -n 3 -ma 4572
- Use the process ID (PID), instead of process name to avoid multiple processes with the same names.
- To find the process ID (PID), run a command prompt and enter "tasklist".
^{Click the image to enlarge.}
The dump file will be created on the same location of the procdump files.
Compressed the file then send it to Trend Micro Technical Support.

> Method 2: Process Explorer

Download Process Explorer.
Uncompress it, and open procexp.exe (x86 platform) or procexp64.exe (x64 platform).
Look for the affected process from the process tree.
Right-click on the process and choose Create Dump > Create Full Dump...

^{Click the image to enlarge.}
Select the destination folder on where to save the dump file.
Compressed the file then send it to Trend Micro Technical Support.

> Method 3: Task Manager

Run "taskmgr".
Find out the the process from the task manager's process tree.
Right-click on the process and choose Create dump file.
After the process was dumped, a pop-window will show the location of the dump file.
Collect the file then compressed it.
Provide the compressed file to Trend Micro Technical Support.

Before collecting NTRTScan.exe process's dump, disable "Real-Time Scan" feature from product management web console for the affected agent first.

System Crash

Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

Select Complete memory dump.
Reproduce the crash issue.
Collect the %SystemRoot%MEMORY.DMP from affected computer then compress it.
Provide the compressed file to Trend Micro Technical Support.

Cannot get "Complete memory dump"

In some environments, the computer's memory size is greater than 2 GB (not including 2GB). When you want to get complete memory dump, but there is no "Complete memory dump" option.

In Windows NT 6.0 or 6.1, this options is hidden by default if the computer's memory size is greater than 2 GB (not including 2GB).
Use following command to make this option visible: (Run as administrator)
C:\> bcdedit /set {current} truncatememory 0x80000000

A computer reboot is required.
To revert changes run: (Run as administrator)
C:\> bcdedit /deletevalue truncatememory

A computer reboot is required.

In some cases, MEMORY.DMP file cannot be found in the expected folder.

To avoid this, create the following DWORD registry value:

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
	"AlwaysKeepMemoryDump"=dword:0000000

A computer reboot is required.

System Hang