Collecting Log Dumps when System and Applications encounter hang and crash issues

    • Updated:
    • 14 May 2020
    • Product/Version:
    • Apex Central All
    • Apex One All
    • Apex One as a Service
    • Cloud App Security
    • Control Manager All
    • Core Protection Module - ESP All
    • Damage Cleanup Services
    • Data Loss Prevention Endpoint All
    • Deep Discovery Advisor All
    • Deep Discovery Analyzer All
    • Deep Discovery Director All
    • Deep Discovery Email Inspector All
    • Deep Discovery Inspector All
    • Deep Discovery Web Inspector All
    • Deep Security All
    • Email Encryption Gateway All
    • Email Encryption Hosted All
    • Email Reputation Services All
    • Encryption for Email All
    • Endpoint Application Control All
    • Endpoint Encryption All
    • Endpoint Security Platform All
    • Hosted Email Security All
    • Hosted Mobile Security All
    • Instant Messaging Security All
    • Interscan Messaging Security Appliance All
    • InterScan Messaging Security Suite All
    • Interscan Messaging Security Virtual Appliance All
    • Interscan Viruswall Standard Edition All
    • Interscan Web Security as a Service - Hybrid
    • Interscan Web Security Virtual Appliance All
    • Intrusion Defense Firewall
    • Licensing Management Platform All
    • Mobile Security For Enterprise All
    • Network Viruswall All
    • OfficeScan XG
    • Policy Manager All
    • Portable Security All
    • Portalprotect All
    • Remote Manager All
    • Safe Lock All
    • Safesync For Enterprise All
    • ScanMail for Exchange All
    • Scanmail for IBM Domino All
    • Securecloud As A Service All
    • Securecloud On-Premise All
    • Security for Mac All
    • Security For NAS All
    • ServerProtect All
    • Smart Protection Complete
    • Smart Protection For Endpoints All
    • Smart Protection Server All
    • Threat Discovery Appliance All
    • Threat Intelligence Manager All
    • Threat Investigation Center All
    • Threat Mitigator All
    • Trend Micro Endpoint Sensor All
    • Trend Micro Web Security All
    • Vulnerability Protection All
    • Worry-Free Business Security Advanced All
    • Worry-Free Business Security Services All
    • Worry-Free Business Security Standard All
    • Worry-Free Plug-In - Security For MAC All
    • Worry-Free Remote Manager All
    • Platform:
    • Windows 7
    • Windows 8.1
    • Windows 10
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
Summary

In some cases, dumps are needed to determine the cause of performance, hang and crash issues.

This article provides the general steps for collecting dumps in the different scenarios.

Details
Application crash dump

Method 1: Dr. Watson (drwtsn32.exe)

  1. Enable crash dump collection by running the following command:

    C:\WINDOWS\system32\drwtsn32.exe -i

  2. Run the following command to open the "drwtsn32" configuration UI:

    C:\WINDOWS\system32\drwtsn32.exe

  3. Set "Crash Dump Type" to "Full" and select the dump file saving location.
  4. Trigger the application crash.
  5. Get the dump file: "%userprofile%\Local Settings\Application Data\Microsoft\Dr Watson\user.dmp" (default).

Method 2: Dump_File_Collection.zip

  1. Copy the Dump_File_Collection.zip file to the local disk of the computer where the crash can be reproduced.
  2. Uncompress the zip file (the unzip password is "Trend").
  3. Follow the "readme.txt" to get the crash dump.
  4. After the dump has been collected, remove the keys that the .reg file added, to disable crash dump collection.
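The contents of Dump_File_Collection.zip and its readme are not reproduced on this page. As an added example, which is not Trend Micro's file or its .reg file, the following PowerShell configures the equivalent built-in mechanism on Windows Vista and later, Windows Error Reporting "LocalDumps" (drwtsn32.exe from Method 1 does not exist on those versions). It assumes the zip's .reg file does the same job through the same keys; the process name and dump folder are placeholders, and the script must run from an elevated PowerShell.

```powershell
# Added example (not from the Trend Micro article or its Dump_File_Collection.zip):
# collect full user-mode crash dumps of one application through Windows Error
# Reporting "LocalDumps" (Windows Vista and later). Run from an elevated PowerShell.
# Assumption: the process name and dump folder below are placeholders to adjust.

$ProcessName = 'ExampleApp.exe'          # placeholder: image name of the crashing application
$DumpFolder  = 'C:\Dumps\ExampleApp'     # placeholder: where WER should write the .dmp files

$LocalDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Enable-AppCrashDump {
    param([string]$Name, [string]$Folder)

    # Per-application subkey; settings here override the LocalDumps defaults.
    $key = Join-Path $LocalDumps $Name
    New-Item -Path $key -Force | Out-Null
    New-Item -Path $Folder -ItemType Directory -Force | Out-Null

    # DumpType 2 = full dump (1 = mini dump, 0 = custom flags), the "Full" of the Dr. Watson UI.
    New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord        -Value 2       -Force | Out-Null
    # Keep at most 10 dumps; WER removes the oldest beyond this count.
    New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord        -Value 10      -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $Folder -Force | Out-Null
}

function Disable-AppCrashDump {
    param([string]$Name)
    # Counterpart of step 4 above: remove the added keys once the dump has been collected.
    $key = Join-Path $LocalDumps $Name
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

function Get-CollectedDumps {
    param([string]$Folder)
    # WER names the files <image>.<pid>.dmp; newest first so the latest crash is on top.
    Get-ChildItem -Path $Folder -Filter '*.dmp' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
}

Enable-AppCrashDump -Name $ProcessName -Folder $DumpFolder
# ... reproduce the application crash here ...
Get-CollectedDumps -Folder $DumpFolder
# Disable-AppCrashDump -Name $ProcessName   # run after the dump has been handed over
```

Only the per-application subkey is created, so other programs keep the default WER behaviour; deleting that subkey is all that is needed to stop collection, which mirrors the "remove the added keys" step.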

Application hang dump

Method 1: ProcDump

  1. Download ProcDump.
  2. Uncompress it, and run the following command to get an application hang dump:

    • X86 platform:

      procdump.exe <parameters>

    • X64 platform:

      procdump64.exe <parameters>

    Examples:

    • Write a full dump of a process with PID '4572':

      C:\>procdump -ma 4572

    • Write up to 3 full dumps of a process with PID '4572' when it exceeds 20% CPU usage for five seconds:

      C:\>procdump -c 20 -s 5 -n 3 -ma 4572

 
  • Use the process ID (PID) here instead of the process name, to avoid matching several processes with the same name. Otherwise ProcDump reports:

    [23:08:46] Multiple processes match the specified name.

  • Find the process ID (PID) with the "tasklist" command.
  • For more detailed information, refer to the Microsoft ProcDump page.
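The two cautions above (use the PID rather than the name, and look the PID up first) in scripted form. This is an added example, not part of the article or of Sysinternals ProcDump; it assumes ProcDump was extracted to the placeholder folder $ProcDumpDir, that the dump folder $DumpDir may be created, and that PowerShell runs elevated. It covers both command lines from the examples above: the immediate full dump and the CPU-triggered one.

```powershell
# Added example, not from the Trend Micro article or from Sysinternals: resolve a process
# name to exactly one PID before calling ProcDump, so the hang dump never fails with
# "Multiple processes match the specified name". Assumes ProcDump was extracted to
# $ProcDumpDir (placeholder), that $DumpDir may be created, and an elevated PowerShell.

$ProcDumpDir = 'C:\Tools\Procdump'   # placeholder: folder the ProcDump zip was extracted to
$DumpDir     = 'C:\Dumps'            # placeholder: folder the .dmp files should be written to

function Resolve-SinglePid {
    param([Parameter(Mandatory)][string]$ProcessName)

    # Scripted equivalent of looking the PID up with "tasklist"; Get-Process wants no ".exe".
    $name  = [IO.Path]::GetFileNameWithoutExtension($ProcessName)
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)

    if ($procs.Count -eq 0) { throw "No process named '$ProcessName' is running." }
    if ($procs.Count -gt 1) {
        # Same ambiguity ProcDump refuses; list the candidates so the operator can pick one PID.
        $procs | Format-Table Id, ProcessName, SessionId, WorkingSet64 -AutoSize | Out-String | Write-Warning
        throw "Multiple processes named '$ProcessName'; pass the PID explicitly."
    }
    return $procs[0].Id
}

function Invoke-HangDump {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [int]$CpuPercent = 0,   # >0: wait for the CPU trigger instead of dumping immediately
        [int]$Seconds    = 5,   # how long CPU must stay above the threshold
        [int]$Count      = 1    # number of dumps to write when the trigger fires
    )

    # Pick the binary matching the OS bitness, as the X86/X64 note above describes.
    $exe     = if ([Environment]::Is64BitOperatingSystem) { 'procdump64.exe' } else { 'procdump.exe' }
    $exePath = Join-Path $ProcDumpDir $exe
    if (-not (Test-Path $exePath)) { throw "ProcDump not found at $exePath" }
    New-Item -Path $DumpDir -ItemType Directory -Force | Out-Null

    # -accepteula suppresses the licence prompt on first run; -ma writes a full dump.
    $procArgs = @('-accepteula', '-ma')
    if ($CpuPercent -gt 0) { $procArgs += @('-c', $CpuPercent, '-s', $Seconds, '-n', $Count) }
    $procArgs += @($ProcessId, $DumpDir)   # a folder as last argument keeps ProcDump's default file name

    $start = Get-Date
    & $exePath @procArgs

    # Return only the dumps written by this run, newest first.
    Get-ChildItem -Path $DumpDir -Filter '*.dmp' |
        Where-Object LastWriteTime -ge $start |
        Sort-Object LastWriteTime -Descending
}

# Immediate full dump, the equivalent of "procdump -ma <pid>":
$targetPid = Resolve-SinglePid -ProcessName 'notepad.exe'   # placeholder: the hanging process
Invoke-HangDump -ProcessId $targetPid

# Up to 3 full dumps once the process exceeds 20% CPU for 5 seconds,
# the equivalent of "procdump -c 20 -s 5 -n 3 -ma <pid>":
# Invoke-HangDump -ProcessId $targetPid -CpuPercent 20 -Seconds 5 -Count 3
```

Resolve-SinglePid deliberately stops when more than one match exists instead of picking the first: for a service host or an agent with several same-named processes, dumping the wrong one wastes a reproduction attempt and produces a dump that does not show the hang.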
 

Method 2: Process Explorer

  1. Download Process Explorer.
  2. Uncompress it, and open procexp.exe (x86 platform) or procexp64.exe (x64 platform).
  3. Find the process in the process tree.
  4. Right-click the process and choose Create Dump > Create Full Dump...

 
Method 3: Task Manager

  1. Run "taskmgr".
  2. Find the process in Task Manager's process list.
  3. Right-click the process and choose Create dump file.

Before collecting a dump of the NTRTScan.exe process, first disable the "Real-Time Scan" feature for this agent from the OSCE (OfficeScan) web management console. If the hang is caused by the "Real-Time Scan" feature itself, however, it is hard to get a dump of NTRTScan.exe.
 
System crash dump

  1. Select a dump category. Normally, choose Complete memory dump.

    Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

  2. Reproduce the crash issue.
  3. Get the dump file from the computer where the crash was reproduced, and compress it.
  4. Provide the compressed file to Trend Micro.
 

Cannot get "Complete memory dump"

On some computers with more than 2 GB of memory (exactly 2 GB does not count), the "Complete memory dump" option is missing even though you want to collect a complete memory dump.

  1. In Windows NT 6.0 or 6.1 (Windows Vista / Server 2008 and Windows 7 / Server 2008 R2), this option is hidden by default if the computer has more than 2 GB of memory (exactly 2 GB does not count).
  2. Use the following command to make the option visible (run as administrator):

    C:\> bcdedit /set {current} truncatememory 0x80000000

    A computer reboot is required. While this value is set, Windows uses only the first 2 GB of physical memory, so revert it once the dump has been collected.

  3. To revert the change, run (as administrator):

    C:\> bcdedit /deletevalue truncatememory

    A computer reboot is required.

In some cases, the MEMORY.DMP file cannot be found in the expected folder, because Windows may delete the dump automatically when free disk space on the system drive is low.

To avoid this, create the following DWORD registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:00000001

A computer reboot is required.
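An added PowerShell example, not from the article, that reads the CrashControl settings behind the steps above, reports whether the 2 GB limitation applies on this computer, and applies the fixes from this section (Complete memory dump, AlwaysKeepMemoryDump = 1, truncatememory) in one place. It assumes an elevated PowerShell session; the CrashDumpEnabled values are the ones Microsoft documents for that registry value, and the Get-MemoryDump check is the scripted form of "get the dump file from the reproduced computer".

```powershell
# Added example (not from the Trend Micro article): inspect and, if needed, correct the
# kernel crash dump settings the steps above rely on. Run from an elevated PowerShell;
# every change here needs a reboot before it takes effect.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Documented CrashDumpEnabled values (the "dump category" shown in the System Properties GUI).
$DumpTypeNames = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump'; 7 = 'Automatic memory dump' }

function Get-CrashDumpConfig {
    $cc        = Get-ItemProperty -Path $CrashControl
    $ramGiB    = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $osVersion = [Environment]::OSVersion.Version
    # DumpFile is REG_EXPAND_SZ; fall back to the Windows default when the value is absent.
    $dumpFile  = if ($cc.DumpFile) { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) } else { "$env:SystemRoot\MEMORY.DMP" }

    [pscustomobject]@{
        DumpType             = $DumpTypeNames[[int]$cc.CrashDumpEnabled]
        DumpFile             = $dumpFile
        AlwaysKeepMemoryDump = [int]($cc.AlwaysKeepMemoryDump -as [int])
        PhysicalMemoryGiB    = $ramGiB
        # NT 6.0 / 6.1 hide "Complete" above 2 GB of RAM unless truncatememory is set.
        CompleteHiddenByRam  = ($osVersion.Major -eq 6 -and $osVersion.Minor -le 1 -and $ramGiB -gt 2)
        TruncateMemorySet    = [bool]((bcdedit /enum '{current}') | Where-Object { $_ -match '^truncatememory' })
    }
}

function Set-CompleteMemoryDump {
    # CrashDumpEnabled 1 = Complete memory dump, the category the article prefers.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Type DWord -Value 1
    # Keep MEMORY.DMP even when Windows would otherwise delete it (low free disk space).
    Set-ItemProperty -Path $CrashControl -Name AlwaysKeepMemoryDump -Type DWord -Value 1
    # Unhide "Complete" on Vista/7 with more than 2 GB by limiting usable RAM to 2 GB (0x80000000).
    # Only applied when the option is actually hidden; remove again with
    # "bcdedit /deletevalue truncatememory" once the dump has been collected.
    if ((Get-CrashDumpConfig).CompleteHiddenByRam) { bcdedit /set '{current}' truncatememory 0x80000000 }
    Write-Host 'Crash dump settings updated; reboot the computer for them to take effect.'
}

function Get-MemoryDump {
    # Confirm the dump from the reproduced crash is where the settings say it should be.
    $path = (Get-CrashDumpConfig).DumpFile
    if (Test-Path $path) { Get-Item $path | Select-Object FullName, Length, LastWriteTime }
    else { Write-Warning "No dump at $path; check AlwaysKeepMemoryDump and free space on the system drive." }
}

Get-CrashDumpConfig | Format-List
# Set-CompleteMemoryDump   # then reboot, reproduce the crash, and run Get-MemoryDump
```

Running Get-CrashDumpConfig before and after the change gives a record of what was altered on the computer, which makes it straightforward to restore the previous dump type and remove truncatememory once Trend Micro has the file.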
 
 
System hang dump

  1. Select a dump category. Normally, choose Complete memory dump.

    Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

  2. Reproduce the crash issue.
  3. Trigger dump file generation from the keyboard.

    Refer to this Microsoft article: Forcing a System Crash from the Keyboard.

    Pay attention to the keyboard connection port, PS/2 or USB: the registry setting described in that article differs by port.

  4. Get the dump file from the computer where the issue was reproduced, and compress it.
  5. Provide the compressed file to Trend Micro.
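Step 3 depends on the keyboard port, and the Microsoft article it points to configures a different keyboard driver for PS/2 and for USB. As an added example, not part of the Trend Micro article, the following PowerShell enables the CrashOnCtrlScroll value documented there for both drivers (so it works whichever port the keyboard uses), shows which keyboards Windows actually sees, and removes the value again with -Disable after the dump has been collected. It assumes the dump category from step 1 has already been configured and that PowerShell runs elevated; a reboot is required before the key sequence (hold the right CTRL key and press SCROLL LOCK twice) takes effect.

```powershell
# Added example (not from the Trend Micro article): enable or disable the keyboard-triggered
# crash that Microsoft's "Forcing a System Crash from the Keyboard" describes. Kernel dump
# settings must already be in place; run elevated and reboot before using the key sequence.

function Set-KeyboardCrashTrigger {
    param([switch]$Disable)

    # i8042prt drives PS/2 keyboards, kbdhid drives USB (HID) keyboards. Microsoft documents
    # the same CrashOnCtrlScroll value under both; which one matters depends on the port.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',  # PS/2
        'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($Disable) {
            # Clean-up once the dump has been handed over, so a stray key press cannot crash the box later.
            Remove-ItemProperty -Path $key -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $key -Name CrashOnCtrlScroll -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }

    # Show the keyboards Windows sees: PNPDeviceID starting with ACPI\ is PS/2, HID\ or USB\ is USB.
    Get-CimInstance Win32_Keyboard | Select-Object Description, PNPDeviceID
}

Set-KeyboardCrashTrigger            # enable, then reboot; hold right CTRL and press SCROLL LOCK twice
# Set-KeyboardCrashTrigger -Disable # after the dump has been collected and compressed
```

Setting the value under both drivers avoids a failed attempt when the port was guessed wrong, and the device listing makes the port visible without opening the case; disabling afterwards is part of the same procedure because the trigger otherwise stays armed across reboots.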
Category: Configure
Solution Id: 000250825