In some cases a memory dump is needed to determine the cause of performance, hang, or crash issues.
This article provides the general steps for collecting dump files in the different scenarios below: an application crash, an application hang, a system crash, and a system hang.
Application crash dump (Dr. Watson)
-
Enable crash dump collection by registering Dr. Watson as the default application debugger (drwtsn32.exe ships with Windows XP and Windows Server 2003; it was removed in Windows Vista, which uses Windows Error Reporting instead):
C:\WINDOWS\system32\drwtsn32.exe -i
-
Run the following command to open the Dr. Watson configuration UI:
C:\WINDOWS\system32\drwtsn32.exe
-
Set "Crash Dump Type" to "Full" and select the dump file location.
- Trigger the application crash.
- Get the dump file: "%userprofile%\Local Settings\Application Data\Microsoft\Dr Watson\user.dmp" (default location).
Application crash dump (Dump_File_Collection.zip)
-
Copy the Dump_File_Collection.zip file to the local disk of the computer on which the issue reproduces.
- Uncompress the zip file (the unzip password is "Trend").
- Follow the "readme.txt" inside the archive to collect the crash dump.
- When finished, remove the registry keys that the included .reg file added, so that crash dump collection is disabled again.
Application hang dump
Method 1: ProcDump
- Download ProcDump (Sysinternals).
-
Uncompress it, and run the following command to get an application hang dump:
-
x86 platform:
procdump.exe <parameters>
-
x64 platform:
procdump64.exe <parameters>
Examples:
-
Write a full dump of the process with PID 4572:
C:\>procdump -ma 4572
-
Write up to 3 full dumps of the process with PID 4572 whenever it exceeds 20% CPU usage for five seconds:
C:\>procdump -c 20 -s 5 -n 3 -ma 4572
-
- Find the process ID (PID) with the "tasklist" command.
- Use the process ID (PID) rather than the process name: when several processes share the same name, ProcDump refuses to pick one and exits with the following message:
[23:08:46] Multiple processes match the specified name.
- For more detailed information, refer to the Microsoft ProcDump page.
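The procedure above, as an added PowerShell example that is not part of the original article: a wrapper around Sysinternals ProcDump that enforces the advice to target a PID rather than a process name (so the "Multiple processes match the specified name" error never occurs), picks procdump.exe or procdump64.exe by platform, and zips whatever dumps were written. The folder names ($ProcDumpDir, $OutDir) and function names are this example's own assumptions; the switches used are the ones the article shows (-ma, -c, -s, -n) plus -accepteula, which suppresses ProcDump's first-run EULA dialog.

```powershell
# Added example (not from the Trend Micro article). Assumes ProcDump was unzipped
# into $ProcDumpDir and that dumps should be written under $OutDir (both hypothetical).

function Resolve-TargetPid {
    param([Parameter(Mandatory)][string] $Target)
    if ($Target -match '^\d+$') { return [int]$Target }           # already a PID
    $name  = $Target -replace '\.exe$', ''                         # Get-Process wants no extension
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { throw "No running process named '$name'." }
    if ($procs.Count -gt 1) {
        # This is the case ProcDump refuses with "Multiple processes match the specified name":
        # list the candidates so the operator can re-run with an explicit PID.
        $list = ($procs | ForEach-Object { "PID $($_.Id) session $($_.SessionId)" }) -join '; '
        throw "Ambiguous name '$name' ($($procs.Count) matches): $list. Re-run with one of these PIDs."
    }
    return $procs[0].Id
}

function New-HangDump {
    param(
        [Parameter(Mandatory)][string] $Target,          # PID (preferred) or image name
        [string] $ProcDumpDir = 'C:\Tools\ProcDump',     # assumed extraction folder
        [string] $OutDir      = 'C:\Dumps',              # assumed output folder
        [int]    $CpuPercent  = 0,                       # > 0 selects the CPU-trigger mode
        [int]    $CpuSeconds  = 5,                       # -s: how long the spike must last
        [int]    $DumpCount   = 3                        # -n: dumps to write in trigger mode
    )
    $targetPid = Resolve-TargetPid $Target

    # The article pairs procdump.exe with x86 Windows and procdump64.exe with x64.
    $exeName = if ([Environment]::Is64BitOperatingSystem) { 'procdump64.exe' } else { 'procdump.exe' }
    $exe = Join-Path $ProcDumpDir $exeName
    if (-not (Test-Path $exe)) { throw "ProcDump not found at $exe" }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    $pdArgs = @('-accepteula', '-ma')                     # -ma: full dump, as in the article
    if ($CpuPercent -gt 0) {
        # "up to N full dumps when the process exceeds X% CPU for S seconds"
        $pdArgs += @('-c', $CpuPercent, '-s', $CpuSeconds, '-n', $DumpCount)
    }
    $pdArgs += $targetPid

    $started = Get-Date
    Push-Location $OutDir                                 # ProcDump writes into the current directory by default
    try     { & $exe @pdArgs }
    finally { Pop-Location }

    $dumps = Get-ChildItem -Path $OutDir -Filter '*.dmp' | Where-Object { $_.LastWriteTime -ge $started }
    if (-not $dumps) { throw "ProcDump wrote no dump for PID $targetPid (exit code $LASTEXITCODE)." }

    # Package for upload. A full dump contains the process's memory (tokens, keys,
    # customer data), so treat the archive as sensitive in transit and at rest.
    $zip = Join-Path $OutDir ("hangdump_{0}_{1:yyyyMMdd_HHmmss}.zip" -f $targetPid, $started)
    Compress-Archive -Path $dumps.FullName -DestinationPath $zip -Force
    return $zip
}

# Usage (from an elevated PowerShell, so ProcDump can open the target process):
#   New-HangDump -Target 4572                    # immediate full dump of PID 4572
#   New-HangDump -Target 4572 -CpuPercent 20     # up to 3 full dumps on a 20% / 5 s CPU spike
#   New-HangDump -Target 'notepad'               # only succeeds if exactly one notepad.exe is running
```

Dumps are detected by modification time rather than by parsing ProcDump's console output, so the wrapper keeps working across ProcDump versions; the ambiguity check mirrors the refusal the article quotes instead of silently dumping the first match.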
Method 2: Process Explorer
- Download Process Explorer (Sysinternals).
- Uncompress it, and open procexp.exe (x86 platform) or procexp64.exe (x64 platform).
- Find the process in the process tree.
-
Right-click the process and choose Create Dump > Create Full Dump...
Method 3: Task Manager
- Run "taskmgr".
- Find the process in Task Manager's process list.
- Right-click the process and choose Create dump file.
System crash dump
-
Select a dump category (Control Panel > System > Advanced system settings > Startup and Recovery > Settings): normally, choose "Complete memory dump".
Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.
- Reproduce the crash issue. The dump is written to the configured path, by default %SystemRoot%\MEMORY.DMP.
- Get the dump file from the computer on which the issue was reproduced, and compress it.
- Provide the compressed file to Trend Micro.
Cannot get "Complete memory dump"
In some environments the computer has more than 2 GB of memory, and the "Complete memory dump" option is not offered in the Startup and Recovery dialog even though a complete memory dump is wanted.
- On Windows NT 6.0 and 6.1 (Windows Vista / Server 2008 and Windows 7 / Server 2008 R2), this option is hidden by default when the computer has more than 2 GB of memory.
-
Use the following command to make the option visible (run as administrator). Note that truncatememory also limits the physical memory Windows will use to 2 GB (0x80000000) until the setting is removed, so revert it once the dump has been collected:
C:\> bcdedit /set {current} truncatememory 0x80000000
A computer reboot is required.
-
To revert the change, run (as administrator):
C:\> bcdedit /deletevalue truncatememory
A computer reboot is required.
In some cases the MEMORY.DMP file cannot be found in the expected folder after the reboot, because Windows deleted it automatically (this happens on client editions that are not domain-joined when free space on the system drive is low).
To avoid this, create the following DWORD registry value and set it to 1 before reproducing the issue:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:00000001
System hang dump
-
Select a dump category: normally, choose "Complete memory dump".
Refer to this Microsoft article: Enabling a Kernel-Mode Dump File.
- Reproduce the hang issue.
-
Trigger the dump file generation from the keyboard: with the CrashOnCtrlScroll registry value set and the computer rebooted, hold the right CTRL key and press SCROLL LOCK twice to force a bugcheck.
Refer to this Microsoft article: Forcing a System Crash from the Keyboard.
Pay attention to the keyboard connection port, PS/2 or USB: the registry value must be set under the driver that matches the keyboard in use (i8042prt for PS/2, kbdhid for USB), otherwise the key sequence does nothing.
- Get the dump file from the computer on which the issue was reproduced, and compress it.
- Provide the compressed file to Trend Micro.
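The system crash and system hang procedures above, together with the "Cannot get Complete memory dump" workaround, as one added PowerShell example that is not part of the original article: it selects a complete memory dump by writing the CrashControl registry values directly (which works even when the dialog hides the option), keeps MEMORY.DMP from being deleted, checks the page file is large enough, arms the keyboard crash trigger under the drivers for PS/2, USB and Hyper-V keyboards, and packages the dump for upload. The registry paths and values (CrashControl, CrashDumpEnabled, AlwaysKeepMemoryDump, CrashOnCtrlScroll) are Microsoft's documented ones; the function and parameter names are this example's own. Run it from an elevated PowerShell; nothing takes effect until the computer is rebooted.

```powershell
# Added example (not from the Trend Micro article). Function names are hypothetical;
# registry locations are the documented Windows ones.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-CompleteMemoryDump {
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
    # Writing 1 here is what choosing "Complete memory dump" in the dialog does, and it
    # works on Vista / Windows 7 with more than 2 GB RAM where the dialog hides the choice,
    # so the bcdedit truncatememory workaround (which caps usable RAM at 2 GB) is not needed.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
    # Stop Windows deleting MEMORY.DMP after the reboot; this is the value the article
    # describes, and it must be 1 (0 leaves the default auto-delete behaviour in place).
    Set-ItemProperty -Path $CrashControl -Name AlwaysKeepMemoryDump -Value 1 -Type DWord
}

function Test-PagefileForCompleteDump {
    # A complete dump is staged in the boot-volume page file, which must hold all physical
    # RAM plus 1 MB (Windows 8 and later can use a DedicatedDumpFile instead). Check before
    # the reproduction rather than after a crash that produced no usable dump.
    $ramMB = [int][math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $pf    = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$env:SystemDrive*" }
    $pfMB  = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }   # AllocatedBaseSize is in MB
    [pscustomobject]@{ RamMB = $ramMB; PagefileMB = $pfMB; Sufficient = ($pfMB -ge $ramMB + 1) }
}

function Enable-KeyboardCrash {
    # After a reboot, holding right CTRL and pressing SCROLL LOCK twice bugchecks the
    # machine with MANUALLY_INITIATED_CRASH (0xE2). The value is read by the keyboard
    # class driver for the port in use, which is why the article says to check PS/2 vs USB:
    # i8042prt = PS/2, kbdhid = USB, hyperkbd = Hyper-V synthetic keyboard.
    # Setting it under every driver that is present covers whichever keyboard is attached.
    foreach ($svc in 'i8042prt', 'kbdhid', 'hyperkbd') {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $svcKey)) { continue }                 # driver not on this system
        $key = Join-Path $svcKey 'Parameters'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name CrashOnCtrlScroll -Value 1 -Type DWord
    }
}

function Get-DumpConfig {
    # Read-back so the operator can confirm the state (and any leftover truncatememory
    # entry from the article's bcdedit workaround) before rebooting.
    $cc = Get-ItemProperty -Path $CrashControl
    [pscustomobject]@{
        CrashDumpEnabled     = $cc.CrashDumpEnabled
        DumpFile             = $cc.DumpFile
        AlwaysKeepMemoryDump = $cc.AlwaysKeepMemoryDump
        TruncateMemorySet    = [bool]((bcdedit /enum '{current}') -match 'truncatememory')
    }
}

function Export-MemoryDump {
    # After the reproduction and reboot: zip MEMORY.DMP for upload. It contains all of
    # physical memory (credentials, keys, customer data), so handle the archive as sensitive.
    param([string] $Destination = "$env:USERPROFILE\Desktop\MEMORY_$($env:COMPUTERNAME).zip")
    $dmp = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $CrashControl).DumpFile)
    if (-not (Test-Path $dmp)) { throw "No dump at $dmp; was AlwaysKeepMemoryDump set before the crash?" }
    Compress-Archive -Path $dmp -DestinationPath $Destination -Force
    return $Destination
}

# Usage (elevated PowerShell):
#   Set-CompleteMemoryDump; Enable-KeyboardCrash; Test-PagefileForCompleteDump; Get-DumpConfig
#   Restart-Computer        # then reproduce the hang and press right CTRL + SCROLL LOCK twice
#   Export-MemoryDump       # once the machine is back up, send the archive to Trend Micro
```

Writing CrashDumpEnabled directly sidesteps the hidden dialog entry, so the only reason to keep the bcdedit truncatememory step is when a GUI-only workflow is required; if it was used, Get-DumpConfig reports it so the 2 GB cap is not forgotten after the dump has been collected.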