Collecting Log Dumps when System and Applications encounter hang and crash issues

Updated: 17 Dec 2021

Product/Version:
    • Apex Central
    • Apex One
    • Hosted Mobile Security
    • Interscan Messaging Security Virtual Appliance
    • Interscan Web Security as a Service - Hybrid
    • Interscan Web Security Virtual Appliance
    • Network Viruswall
    • Policy Manager
    • Securecloud On-Premise
    • ServerProtect
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Services
    • Worry-Free Plug-In - Security For MAC
    • Worry-Free Remote Manager

Platform:

Summary

In some cases, dumps are needed to determine the cause of performance, hang, and crash issues.

This article provides the general steps for collecting log dumps in different scenarios.

Details
  1. Copy the Dump_File_Collection.zip file to the local disk of the computer where the issue can be reproduced.
  2. Uncompress the zip file (Unzip password is "Trend").
  3. Follow the "readme.txt" to get the crash dump.
  4. Remove the added keys in the reg file to disable crash dump collection.
  1. Download ProcDump.
  2. Uncompress it, then open a command prompt and navigate to the location of the procdump files.
  3. Run the following commands to get an application hang dump:
    • X86 platform: procdump.exe <parameters>
    • X64 platform: procdump64.exe <parameters>
     
    For parameter lists and description, refer to the Microsoft ProcDump page.
     

    Examples:

    • Write a full dump of a process with PID '4572': C:\>procdump -ma 4572
    • Write up to 3 full dumps of a process with PID '4572' when it exceeds 20% CPU usage for five seconds: C:\>procdump -c 20 -s 5 -n 3 -ma 4572
     
    • Use the process ID (PID) instead of the process name to avoid ambiguity when multiple processes share the same name.
    • To find the process ID (PID), open a command prompt and enter "tasklist".

  4. The dump file will be created in the same location as the procdump files.
  5. Compress the file, then send it to Trend Micro Technical Support.
  1. Download Process Explorer.
  2. Uncompress it, and open procexp.exe (x86 platform) or procexp64.exe (x64 platform).
  3. Look for the affected process from the process tree.
  4. Right-click on the process and choose Create Dump > Create Full Dump...


  5. Select the destination folder where the dump file will be saved.
  6. Compress the file, then send it to Trend Micro Technical Support.
  1. Run "taskmgr".
  2. Find the process in the Task Manager's process tree.
  3. Right-click on the process and choose Create dump file.
  4. After the process is dumped, a pop-up window shows the location of the dump file.
  5. Collect the file, then compress it.
  6. Provide the compressed file to Trend Micro Technical Support.
 
Before collecting a dump of the NTRTScan.exe process, first disable the "Real-Time Scan" feature for the affected agent from the product management web console.
 

Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

  1. Select Complete memory dump.
  2. Reproduce the crash issue.
  3. Collect %SystemRoot%\MEMORY.DMP from the affected computer, then compress it.
  4. Provide the compressed file to Trend Micro Technical Support.
 

Cannot get "Complete memory dump"

    In some environments where the computer's memory size is greater than 2 GB (not including 2 GB), the "Complete memory dump" option is not available when you want to collect a complete memory dump.

  1. In Windows NT 6.0 or 6.1, this option is hidden by default if the computer's memory size is greater than 2 GB (not including 2 GB).
  2. Use the following command to make this option visible (run as administrator):
    C:\> bcdedit /set {current} truncatememory 0x80000000
     
    A computer reboot is required.
     
  3. To revert the changes, run the following command (run as administrator):
    C:\> bcdedit /deletevalue truncatememory
     
    A computer reboot is required.
     

In some cases, the MEMORY.DMP file cannot be found in the expected folder.

To avoid this, create the following DWORD registry value:

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
	"AlwaysKeepMemoryDump"=dword:00000001
	
 
A computer reboot is required.
 
 

Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.

  1. Select Complete memory dump.
  2. Reproduce the hang issue.
  3. Trigger a dump file generation via keyboard.
     
    Pay attention to the keyboard connection port: PS/2 or USB.
     
  4. Collect %SystemRoot%\MEMORY.DMP from the affected computer, then compress it.
  5. Provide the compressed file to Trend Micro Technical Support.
 

Cannot get "Complete memory dump"

In some environments where the computer's memory size is greater than 2 GB (not including 2 GB), the "Complete memory dump" option is not available when you want to collect a complete memory dump.

  1. In Windows NT 6.0 or 6.1, this option is hidden by default if the computer's memory size is greater than 2 GB (not including 2 GB).
  2. Use the following command to make this option visible (run as administrator):
    C:\> bcdedit /set {current} truncatememory 0x80000000
     
    A computer reboot is required.
     
  3. To revert the changes, run the following command (run as administrator):
    C:\> bcdedit /deletevalue truncatememory
     
    A computer reboot is required.
     

In some cases, the MEMORY.DMP file cannot be found in the expected folder.

To avoid this, create the following DWORD registry value:

	[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
	"AlwaysKeepMemoryDump"=dword:00000001
	
 
A computer reboot is required.
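
A read-only check of the settings that both the system crash and system hang procedures above depend on, to run before reproducing the issue and again before sending the dump. This is an added example, not part of the original article or a Trend Micro tool; the CrashDumpEnabled value mapping follows Microsoft's documentation, and the free-space comparison is an assumed rule of thumb.

```powershell
# Added example: read-only check of the crash dump settings used in this article.
# Run from an elevated PowerShell prompt (bcdedit needs administrator rights).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled values as documented by Microsoft.
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
$type     = [int]$cc.CrashDumpEnabled
$typeName = if ($dumpTypes.ContainsKey($type)) { $dumpTypes[$type] } else { "Unknown ($type)" }

# AlwaysKeepMemoryDump is absent unless it was created, so test for the property first.
$keepProp = $cc.PSObject.Properties['AlwaysKeepMemoryDump']
$keep     = if ($keepProp) { [int]$keepProp.Value } else { 'not present' }

# DumpFile is REG_EXPAND_SZ; expand it in case it still holds %SystemRoot%.
$dumpPath = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)

# Assumption: the dump volume should have free space of at least the installed RAM.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$root      = [System.IO.Path]::GetPathRoot($dumpPath)
$freeBytes = (New-Object -TypeName System.IO.DriveInfo -ArgumentList $root).AvailableFreeSpace

# A leftover truncatememory entry keeps limiting usable RAM until it is deleted again.
$match    = bcdedit /enum '{current}' | Select-String -Pattern 'truncatememory' | Select-Object -First 1
$truncate = if ($match) { $match.Line.Trim() } else { 'not set' }

[pscustomobject]@{
    DumpType             = $typeName
    CompleteDumpSelected = ($type -eq 1)
    AlwaysKeepMemoryDump = $keep
    DumpFile             = $dumpPath
    RamGB                = [math]::Round($ramBytes / 1GB, 1)
    FreeGBOnDumpVolume   = [math]::Round($freeBytes / 1GB, 1)
    EnoughFreeSpace      = ($freeBytes -ge $ramBytes)
    TruncateMemoryEntry  = $truncate
} | Format-List

# If a dump already exists, record its size, timestamp and SHA-256 before compressing it,
# so the copy that reaches support can be matched to the file collected here.
if (Test-Path -LiteralPath $dumpPath) {
    $f = Get-Item -LiteralPath $dumpPath
    $h = Get-FileHash -LiteralPath $dumpPath -Algorithm SHA256
    '{0}  {1:N0} bytes  {2:u}  SHA256={3}' -f $f.FullName, $f.Length, $f.LastWriteTimeUtc, $h.Hash
}
```

Hashing a complete memory dump reads the whole file, so on systems with a lot of RAM the last step can take several minutes.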
 
 
Category:
Configure
Solution Id:
000250825