By Mark Russinovich and Andrew Richards
Published: May 16, 2017
Download ProcDump (439 KB)
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
usage: procdump [-a] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1 [-b]] [-f <filter,...>] [-g] [-h] [-l] [-m|-ml commit usage] [-ma | -mp] [-o] [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] [-64] <[-w] <process name or service name or PID> [dump file] | -i <dump file> | -u | -x <dump file> <image file> [arguments] >] [-? [ -e]
|-a||Avoid outage. Requires -r. If the trigger will cause the target to suspend for a prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.|
|-b||Treat debug breakpoints as exceptions (otherwise ignore them).|
|-c||CPU threshold at which to create a dump of the process.|
|-cl||CPU threshold below which to create a dump of the process.|
|-d||Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.|
|-e||Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.|
|-f||Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.|
|-g||Run as a native debugger in a managed process (no interop).|
|-h||Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).|
|-i||Install ProcDump as the AeDebug postmortem debugger. Only -ma, -mp, -d and -r are supported as additional options.|
|-l||Display the debug logging of the process.|
|-m||Memory commit threshold in MB at which to create a dump.|
|-ma||Write a dump file with all process memory. The default dump format only includes thread and handle information.|
|-ml||Trigger when memory commit drops below specified MB value.|
|-mp||Write a dump file with thread and handle information, and all read/write process memory. To minimize dump size, memory areas larger than 512MB are searched for, and if found, the largest area is excluded. A memory area is the collection of same sized memory allocation areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.|
|-n||Number of dumps to write before exiting.|
|-o||Overwrite an existing dump file.|
|-p||Trigger on the specified performance counter when the threshold is exceeded. Note: to specify a process counter when there are multiple instances of the process running, use the process ID with the following syntax: "\Process(<name>_<pid>)\counter"|
|-pl||Trigger when performance counter falls below the specified value.|
|-r||Dump using a clone. Concurrent limit is optional (default 1, max 5).
CAUTION: a high concurrency value may impact system performance.
- Windows 7 : Uses Reflection. OS doesn't support -e.
- Windows 8.0 : Uses Reflection. OS doesn't support -e.
- Windows 8.1+: Uses PSS. All trigger types are supported.
|-s||Consecutive seconds before dump is written (default is 10).|
|-t||Write a dump when the process terminates.|
|-u||Treat CPU usage relative to a single core (used with -c).
As the only option, Uninstalls ProcDump as the postmortem debugger.
|-w||Wait for the specified process to launch if it's not running.|
|-x||Launch the specified image with optional arguments. If it is a Store Application or Package, ProcDump will start on the next activation (only).|
|-64||By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.|
|-?||Use -? -e to see example command lines.|
If you omit the dump file name, it defaults to <processname>_<datetime>.dmp.
Use the -accepteula command line option to automatically accept the Sysinternals license agreement.
Write a mini dump of a process named 'notepad' (only one match can exist):
Write a full dump of a process with PID '4572':
C:\>procdump -ma 4572
Write 3 mini dumps 5 seconds apart of a process named 'notepad':
C:\>procdump -s 5 -n 3 notepad
Write up to 3 mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:
C:\>procdump -c 20 -s 5 -n 3 consume
Write a mini dump for a process named 'hang.exe' when one of it's Windows is unresponsive for more than 5 seconds:
C:\>procdump -h hang.exe hungwindow.dmp
Write a mini dump of a process named 'outlook' when total system CPU usage exceeds 20% for 10 seconds:
C:\>procdump outlook -p "\Processor(_Total)\% Processor Time" 20
Write a full dump of a process named 'outlook' when Outlook's handle count exceeds 10,000:
C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000
Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:
C:\>procdump -mp -e store.exe
Display without writing a dump, the exception codes/names of w3wp.exe:
C:\>procdump -e 1 -f "" w3wp.exe
Write a mini dump of w3wp.exe if an exception's code/name contains 'NotFound':
C:\>procdump -e 1 -f NotFound w3wp.exe
Launch a process and then monitor it for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumps consume.exe
Register for launch, and attempt to activate, a modern 'application'. A new ProcDump instance will start when it activated to monitor for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumpsMicrosoft.BingMaps_8wekyb3d8bbwe!AppexMaps
Register for launch of a modern 'package'. A new ProcDump instance will start when it is (manually) activated to monitor for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumps Microsoft.BingMaps_220.127.116.11_x64__8wekyb3d8bbwe
Register as the Just-in-Time (AeDebug) debugger. Makes full dumps in c:\dumps.
C:\>procdump -ma -i c:\dumps
See a list of example command lines (the examples are listed above):
C:\>procdump -? -e
- Windows Internals Book
The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
- Windows Sysinternals Administrator's Reference
The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.
Download ProcDump (439 KB)
- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.
- Defrag Tools: #9 -
This episode of Defrag Tools covers what the tool captures and expected outage durations
- Defrag Tools: #10 - ProcDump -
This episode covers trigger options in particular 1st & 2nd chance exceptions
- Defrag Tools: #11 - ProcDump - Windows 8 & Process
This episode covers modern application support and Process Monitor logging support