By Mark Russinovich and Andrew Richards
Published: May 16, 2017
Download ProcDump (439 KB)
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
usage: procdump [-a] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1 [-b]] [-f <filter,...>] [-g] [-h] [-l] [-m|-ml commit usage] [-ma | -mp] [-o] [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] [-64] <[-w] <process name or service name or PID> [dump file] | -i <dump file> | -u | -x <dump file> <image file> [arguments] >] [-? [ -e]
|-a||Avoid outage. Requires -r. If the trigger will cause the target to suspend for a prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.|
|-at||Avoid outage at Timeout. Cancel the trigger's collection at N seconds.|
|-b||Treat debug breakpoints as exceptions (otherwise ignore them).|
|-c||CPU threshold at which to create a dump of the process.|
|-cl||CPU threshold below which to create a dump of the process.|
|-d||Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.|
|-e||Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.|
|-f||Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.|
|-fx||Filter (exclude) on the content of exceptions and debug logging. Wildcards are supported.|
|-g||Run as a native debugger in a managed process (no interop).|
|-h||Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).|
|-i||Install ProcDump as the AeDebug postmortem debugger. Only -ma, -mp, -d and -r are supported as additional options.|
|-k||Kill the process after cloning (-r), or at the end of dump collection|
|-l||Display the debug logging of the process.|
|-m||Memory commit threshold in MB at which to create a dump.|
|-ma||Write a dump file with all process memory. The default dump format only includes thread and handle information.|
|-mc||Write a custom dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).|
|-md||Write a Callback dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL.|
|-mk||Also write a Kernel dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size.|
|-ml||Trigger when memory commit drops below specified MB value.|
|-mm||Write a mini dump file (default).|
|-mp||Write a dump file with thread and handle information, and all read/write process memory. To minimize dump size, memory areas larger than 512MB are searched for, and if found, the largest area is excluded. A memory area is the collection of same sized memory allocation areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.|
|-n||Number of dumps to write before exiting.|
|-o||Overwrite an existing dump file.|
|-p||Trigger on the specified performance counter when the threshold is exceeded. Note: to specify a process counter when there are multiple instances of the process running, use the process ID with the following syntax: "\Process(<name>_<pid>)\counter"|
|-pl||Trigger when performance counter falls below the specified value.|
|-r||Dump using a clone. Concurrent limit is optional (default 1, max 5).
CAUTION: a high concurrency value may impact system performance.
- Windows 7 : Uses Reflection. OS doesn't support -e.
- Windows 8.0 : Uses Reflection. OS doesn't support -e.
- Windows 8.1+: Uses PSS. All trigger types are supported.
|-s||Consecutive seconds before dump is written (default is 10).|
|-t||Write a dump when the process terminates.|
|-u||Treat CPU usage relative to a single core (used with -c).
As the only option, Uninstalls ProcDump as the postmortem debugger.
|-w||Wait for the specified process to launch if it's not running.|
|-wer||Queue the (largest) dump to Windows Error Reporting.|
|-x||Launch the specified image with optional arguments. If it is a Store Application or Package, ProcDump will start on the next activation (only).|
|-64||By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.|
|-?||Use -? -e to see example command lines.|
If you omit the dump file name, it defaults to <processname>_<datetime>.dmp.
Use the -accepteula command line option to automatically accept the Sysinternals license agreement.
Setting an event with name "procdump-<PID>" is the same as typing Ctrl+C to gracefully terminate ProcDump
Default dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp
The following substitutions are supported:
PROCESSNAME Process Name
Process ID PID
EXCEPTIONCODE Exception Code
Write a mini dump of a process named 'notepad' (only one match can exist):
Write a full dump of a process with PID '4572':
C:\>procdump -ma 4572
Write 3 mini dumps 5 seconds apart of a process named 'notepad':
C:\>procdump -s 5 -n 3 notepad
Write up to 3 mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:
C:\>procdump -c 20 -s 5 -n 3 consume
Write a mini dump for a process named 'hang.exe' when one of it's Windows is unresponsive for more than 5 seconds:
C:\>procdump -h hang.exe hungwindow.dmp
Write a mini dump of a process named 'outlook' when total system CPU usage exceeds 20% for 10 seconds:
C:\>procdump outlook -p "\Processor(_Total)\% Processor Time" 20
Write a full dump of a process named 'outlook' when Outlook's handle count exceeds 10,000:
C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000
Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:
C:\>procdump -mp -e store.exe
Display without writing a dump, the exception codes/names of w3wp.exe:
C:\>procdump -e 1 -f "" w3wp.exe
Write a mini dump of w3wp.exe if an exception's code/name contains 'NotFound':
C:\>procdump -e 1 -f NotFound w3wp.exe
Launch a process and then monitor it for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumps consume.exe
Register for launch, and attempt to activate, a modern 'application'. A new ProcDump instance will start when it activated to monitor for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumpsMicrosoft.BingMaps_8wekyb3d8bbwe!AppexMaps
Register for launch of a modern 'package'. A new ProcDump instance will start when it is (manually) activated to monitor for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumps Microsoft.BingMaps_22.214.171.124_x64__8wekyb3d8bbwe
Register as the Just-in-Time (AeDebug) debugger. Makes full dumps in c:\dumps.
C:\>procdump -ma -i c:\dumps
See a list of example command lines (the examples are listed above):
C:\>procdump -? -e
- Windows Internals Book
The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
- Windows Sysinternals Administrator's Reference
The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.
Download ProcDump (439 KB)
- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.
- Defrag Tools: #9 -
This episode of Defrag Tools covers what the tool captures and expected outage durations
- Defrag Tools: #10 - ProcDump -
This episode covers trigger options in particular 1st & 2nd chance exceptions
- Defrag Tools: #11 - ProcDump - Windows 8 & Process
This episode covers modern application support and Process Monitor logging support