How to get a dump of a specific crashing process in Windows
This document (7013369) is provided subject to the disclaimer at the end of this document.
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
The Windows Application event log is reporting that a process has terminated unexpectedly.
Entire system crash:
Configure "DumpType"=dword:00000002 in the Windows Error Reporting (WER) configuration (Microsoft KB Article 931673) before duplicating the issue again. This will cause the full process dumps needed for analysis to be generated in the .\ProgramData\Microsoft\Windows\WER\ReportQueue\ directory when the crash occurs.
Specific process crash:
1. While the issue is occurring, open Task Manager and select "Show processes for all users" to see whether the process is running.
2. If the process is running, use the Task Manager "Create dump" option to create a dump of the state for the offending process.
3. Export the Windows "System" and "Application" event logs. (In "Event Viewer" go to "Windows Logs", right-click "Application" or "System", and select "Save all events as".) Export them twice: Once in the native .EVTX file format, and then again in .XML format. In both cases, when prompted for the language information to include, select the English language information.
By default, the full dump is written to C:\Users\<username>\AppData\Local\CrashDumps\, but if the crashing process is a Windows service, it may go to C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\ instead. If you cannot locate the dump, search the file system for .DMP files to find where it was written. It is also possible to explicitly define the "DumpFolder" configuration as described in the MSDN article "Collecting User-Mode Dumps."
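The "DumpType" and "DumpFolder" values mentioned above can be set for a single executable under the WER LocalDumps registry key documented in "Collecting User-Mode Dumps". The PowerShell below is an added example, not part of the original article: the image name example.exe and the folder C:\CrashDumps are placeholders, and "DumpCount" is a further LocalDumps value the article does not mention.

```powershell
# Added example: per-process WER LocalDumps configuration. Run from an elevated prompt.
$ImageName  = 'example.exe'     # placeholder: image name of the crashing process
$DumpFolder = 'C:\CrashDumps'   # placeholder: explicit dump location

$base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$key  = Join-Path $base $ImageName   # a per-image subkey overrides the global values

# Full dumps hold the entire process memory, which can include credentials and keys,
# so keep the dump folder readable by administrators only.
New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null

# Create the key only if it is missing, so existing values are not wiped.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# DumpType: 2 = full dump (1 = mini dump, 0 = custom dump).
New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord        -Value 2 -Force | Out-Null
# DumpCount: how many dumps to keep before the oldest is overwritten.
New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord        -Value 5 -Force | Out-Null
New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $DumpFolder -Force | Out-Null

# Read the settings back to confirm what WER will use.
Get-ItemProperty -Path $key | Select-Object DumpType, DumpCount, DumpFolder

# After reproducing the crash, check the configured folder and the two
# default locations named in the article for .DMP files, newest first.
$locations = @(
    $DumpFolder,
    (Join-Path $env:LOCALAPPDATA 'CrashDumps'),
    'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps'
)
foreach ($dir in $locations) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter '*.dmp' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, Length, LastWriteTime
    }
}
```

Remove the per-image subkey once the dump has been collected so that full dumps are not written on every later crash.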
In some cases, a dump captured using Task Manager cannot be analyzed, as when a 32-bit process is running on an otherwise 64-bit machine (indicated by "*32" behind the image name listed in Task Manager). In this case, Microsoft's TASKMGR.EXE creates a 64-bit dump of the 32-bit process instead of a 32-bit dump of the process. While all of the information is in the 64-bit dump, it cannot be analyzed without Microsoft internal tools and debugger extensions.
In this case, use one of the following procedures instead:
Task Manager from a Command Prompt
1. Instead of running TASKMGR.EXE normally, launch a Command Prompt using "Run as Administrator."
2. Switch to the C:\Windows\SYSWOW64\ directory instead of the default C:\Windows\SYSTEM32\ directory.
3. From the SYSWOW64 folder in the Command Prompt, run TASKMGR.EXE, which is the 32-bit version of Task Manager.
4. In the 32-bit Task Manager window, right-click each running MSQRY32.EXE process instance and select "Create Dump". Because the 32-bit version of TASKMGR.EXE is used, a 32-bit dump of the process is created.
Note: Launching the 32-bit TASKMGR.EXE from Windows Explorer can be difficult, so the Command Prompt method described above is recommended.
Process Explorer
1. Download and run the current Process Explorer using "Run as Administrator."
2. Find the offending process(es) and right-click to select "Create Dump -> Create Full Dump".
Process Explorer creates a 32-bit dump of 32-bit processes, even when the 64-bit version of Process Explorer is running.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7013369
- Creation Date: 25-SEP-13
- Modified Date: 26-SEP-13