ProcDump v10.0

By Mark Russinovich and Andrew Richards

Published: 09/17/2020

Download Download ProcDump (659 KB)

Download ProcDump for Linux (GitHub)

Introduction

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

Using ProcDump

Capture Usage:

procdump.exe [-mm] [-ma] [-mp] [-mc Mask] [-md Callback_DLL] [-mk]
             [-n Count]
             [-s Seconds]
             [-c|-cl CPU_Usage [-u]]
             [-m|-ml Commit_Usage]
             [-p|-pl Counter_Threshold]
             [-h]
             [-e [1 [-g] [-b]]]
             [-l]
             [-t]
             [-f  Include_Filter, ...]
             [-fx Exclude_Filter, ...]
             [-o]
             [-r [1..5] [-a]]
             [-at Timeout]
             [-wer]
             [-64]
             {
                 {{[-w] Process_Name | Service_Name | PID} [Dump_File | Dump_Folder]}
             |
                 {-x Dump_Folder Image_File [Argument, ...]}
             }

Install Usage:

procdump.exe -i [Dump_Folder]
             [-mm] [-ma] [-mp] [-mc Mask] [-md Callback_DLL] [-mk]
             [-r]
             [-at Timeout]
             [-k]
             [-wer]

Uninstall Usage:

procdump.exe -u
Parameter Description
-a Avoid outage. Requires -r. If the trigger will cause the target to suspend for a prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.
-at Avoid outage at Timeout. Cancel the trigger's collection at N seconds.
-b Treat debug breakpoints as exceptions (otherwise ignore them).
-c CPU threshold at which to create a dump of the process.
-cl CPU threshold below which to create a dump of the process.
-d Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.
-e Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.
-f Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.
-fx Filter (exclude) on the content of exceptions and debug logging. Wildcards are supported.
-g Run as a native debugger in a managed process (no interop).
-h Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).
-i Install ProcDump as the AeDebug postmortem debugger. Only -ma, -mp, -d and -r are supported as additional options.
-k Kill the process after cloning (-r), or at the end of dump collection
-l Display the debug logging of the process.
-m Memory commit threshold in MB at which to create a dump.
-ma Write a dump file with all process memory. The default dump format only includes thread and handle information.
-mc Write a custom dump file. Include memory defined by the specified MINIDUMP_TYPE mask (Hex).
-md Write a Callback dump file. Include memory defined by the MiniDumpWriteDump callback routine named MiniDumpCallbackRoutine of the specified DLL.
-mk Also write a Kernel dump file. Includes the kernel stacks of the threads in the process. OS doesn't support a kernel dump (-mk) when using a clone (-r). When using multiple dump sizes, a kernel dump is taken for each dump size.
-ml Trigger when memory commit drops below specified MB value.
-mm Write a mini dump file (default).
-mp Write a dump file with thread and handle information, and all read/write process memory. To minimize dump size, memory areas larger than 512MB are searched for, and if found, the largest area is excluded. A memory area is the collection of same sized memory allocation areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.
-n Number of dumps to write before exiting.
-o Overwrite an existing dump file.
-p Trigger on the specified performance counter when the threshold is exceeded. Note: to specify a process counter when there are multiple instances of the process running, use the process ID with the following syntax: "\Process(<name>_<pid>)\counter"
-pl Trigger when performance counter falls below the specified value.
-r Dump using a clone. Concurrent limit is optional (default 1, max 5).
CAUTION: a high concurrency value may impact system performance.
- Windows 7   : Uses Reflection. OS doesn't support -e.
- Windows 8.0 : Uses Reflection. OS doesn't support -e.
- Windows 8.1+: Uses PSS. All trigger types are supported.
-s Consecutive seconds before dump is written (default is 10).
-t Write a dump when the process terminates.
-u Treat CPU usage relative to a single core (used with -c).
As the only option, Uninstalls ProcDump as the postmortem debugger.
-w Wait for the specified process to launch if it's not running.
-wer Queue the (largest) dump to Windows Error Reporting.
-x Launch the specified image with optional arguments. If it is a Store Application or Package, ProcDump will start on the next activation (only).
-64 By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.
-? Use -? -e to see example command lines.

If you omit the dump file name, it defaults to <processname>_<datetime>.dmp.

Use the -accepteula command line option to automatically accept the Sysinternals license agreement.

Automated Termination:
Setting an event with name "ProcDump-<PID>" is the same as typing Ctrl+C to gracefully terminate ProcDump

Filename:
Default dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp
The following substitutions are supported:
      PROCESSNAME      Process Name
      Process ID              PID
      EXCEPTIONCODE   Exception Code
      YYMMDD               Year/Month/Day
      HHMMSS               Hour/Minute/Second

Examples

Write a mini dump of a process named 'notepad' (only one match can exist):

C:\>procdump notepad

Write a full dump of a process with PID '4572':

C:\>procdump -ma 4572

Write 3 mini dumps 5 seconds apart of a process named 'notepad':

C:\>procdump -s 5 -n 3 notepad

Write up to 3 mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:

C:\>procdump -c 20 -s 5 -n 3 consume

Write a mini dump for a process named 'hang.exe' when one of it's Windows is unresponsive for more than 5 seconds:

C:\>procdump -h hang.exe hungwindow.dmp

Write a mini dump of a process named 'outlook' when total system CPU usage exceeds 20% for 10 seconds:

C:\>procdump outlook -p "\Processor(_Total)\% Processor Time" 20

Write a full dump of a process named 'outlook' when Outlook's handle count exceeds 10,000:

C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000

Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:

C:\>procdump -mp -e store.exe

Display without writing a dump, the exception codes/names of w3wp.exe:

C:\>procdump -e 1 -f "" w3wp.exe

Write a mini dump of w3wp.exe if an exception's code/name contains 'NotFound':

C:\>procdump -e 1 -f NotFound w3wp.exe

Launch a process and then monitor it for exceptions:

C:\>procdump -e 1 -f "" -x c:\dumps consume.exe

Register for launch, and attempt to activate, a modern 'application'. A new ProcDump instance will start when it activated to monitor for exceptions:

C:\>procdump -e 1 -f "" -x c:\dumpsMicrosoft.BingMaps_8wekyb3d8bbwe!AppexMaps

Register for launch of a modern 'package'. A new ProcDump instance will start when it is (manually) activated to monitor for exceptions:

C:\>procdump -e 1 -f "" -x c:\dumps Microsoft.BingMaps_1.2.0.136_x64__8wekyb3d8bbwe

Register as the Just-in-Time (AeDebug) debugger. Makes full dumps in c:\dumps:

C:\>procdump -ma -i c:\dumps

See a list of example command lines (the examples are listed above):

C:\>procdump -? -e

  • Windows Internals Book
    The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon.
  • Windows Sysinternals Administrator's Reference
    The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use.

Download Download ProcDump (659 KB)

Download ProcDump for Linux (GitHub)

Runs on:

  • Client: Windows Vista and higher.
  • Server: Windows Server 2008 and higher.

Learn More