How to get a user dump and immediate kernel dump in Windows on application crash.

Scenario

An application crashes at random. Attempts to capture a dump have been spotty, and what has been captured points to a possible kernel issue. You want both a dump of the user-mode process and a dump of the Windows kernel, taken at the moment of the crash, to examine together.

  1. Download DebugDiag 2.3
  2. Download NotMyFault (Sysinternals)
  3. Optional: configure Windows for a kernel memory dump (System Properties > Advanced > Startup and Recovery; the change requires a restart)

Install DebugDiag 2.3 as administrator. It installs a service, so once the rule is in place you do not need to stay logged on to the console for the trap to work.

Run the DebugDiag collection wizard and create a Crash rule for the process you need a user-mode dump of. DebugDiag attaches its debugger to that process and writes a full dump when the process takes an unhandled (second-chance) exception.

Unzip NotMyFault somewhere easy to reach (we used D:\temp).

Make a batch file that runs NotMyFault:

@echo off
rem Remove the scheduled tasks perfmon created for the alerts so they cannot re-fire after the reboot
schtasks /delete /TN \Microsoft\Windows\PLA\* /F
D:\temp\notmyfault /crash

Save it as D:\temp\stop.bat.

The batch file first deletes the scheduled tasks that perfmon (Performance Logs and Alerts, the PLA folder in Task Scheduler) created for the alerts, so they do not fire again once the machine comes back up, and then crashes the Windows host with a bug check, which produces a kernel dump. If you configured a kernel dump in step 3 you get that; if not, you get the default "Automatic memory dump", which usually contains enough to be useful. NotMyFault loads a driver to trigger the crash, so it must run elevated.

Create a Perfmon Alert trigger

Get the PID (process ID) of the crashing user-mode process (Task Manager, Details tab, shows it).

Start perfmon. Under Data Collector Sets > User Defined, create a new Data Collector Set.

Name it 'stop above' and select the "Create manually (Advanced)" radio button.


Select "Performance Counter Alert".

In the top left pane, expand "Process" and select "ID Process" (the counter that reports the PID of a process instance). Perfmon is quirky, so you may need to click something else and then click back to "ID Process". In the bottom left pane, pick the process name (in my example, AISuite3) as the instance. Click Add.

Set "Alert when" to Above and "Limit" to the PID (777 in my case).

Create a second Data Collector Set the same way (for example 'stop below'), with a Below rule on the same PID, 777. The end result should be two Data Collector Sets, each containing one alert data collector.

In each Data Collector Set, click the alert (the blue cube icon) so it appears in the right-hand pane, then right-click it, choose Properties, and on the Alert Task tab set the task to run to D:\temp\stop.bat. Both alerts must run the same batch file.


Right-click and Start both Data Collector Sets. From then on, if the PID of your process changes from the one specified in the two alerts (the process crashed and a new instance started with a different PID), one of the two thresholds trips, stop.bat runs, and the host crashes. Because the alert only fires once a new instance appears, DebugDiag has already written its user-mode dump of the crashed instance by the time the host goes down.

When this all happens, the machine reboots and you have a MEMORY.DMP file in C:\Windows (the %SystemRoot% default unless you changed the dump path in step 3) and a user-mode dump of your target process in the DebugDiag dump folder (or elsewhere if you configured that path differently).
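The same trap can be set from the command line instead of clicking through perfmon. The script below is an added example, not part of the original post: it reports the current crash-dump setting, resolves the PID of the target process, writes stop.bat, and creates and starts the two alerts with logman. The process name, the D:\temp working directory and the alert names are assumptions taken from this walkthrough; the logman switches (-th for the threshold, -rc for the command to run when the alert fires) are the documented ones, but confirm them with logman create alert /? on your build before relying on them.

```powershell
# Added example (not from the original post): build the "stop above"/"stop below"
# perfmon alerts with logman instead of the GUI. Run from an elevated prompt.
#Requires -RunAsAdministrator

$ProcessName = 'AISuite3'      # assumed: perfmon instance name of the crashing process (no .exe)
$WorkDir     = 'D:\temp'       # assumed: where notmyfault.exe was unpacked
$BatchFile   = Join-Path $WorkDir 'stop.bat'

# 1. Report what kind of dump the bug check will produce.
#    CrashDumpEnabled: 1 = Complete, 2 = Kernel, 3 = Small (minidump), 7 = Automatic.
$cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$kinds = @{ 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
Write-Host ("Crash dump type: {0} ({1})" -f $cc.CrashDumpEnabled, $kinds[[int]$cc.CrashDumpEnabled])
if ($cc.CrashDumpEnabled -eq 3) {
    Write-Warning 'Only a small (mini) dump is configured; set Kernel or Automatic and reboot first.'
}

# 2. Resolve the PID the alerts will watch. Refuse to guess if the name is ambiguous.
$proc = @(Get-Process -Name $ProcessName -ErrorAction Stop)
if ($proc.Count -ne 1) { throw "Expected exactly one $ProcessName process, found $($proc.Count)" }
$TargetPid = $proc[0].Id

# 3. Write the batch file the alerts run: drop the PLA tasks so the alerts cannot
#    re-fire after reboot, then bug-check the host with NotMyFault.
@"
@echo off
schtasks /delete /TN \Microsoft\Windows\PLA\* /F
$WorkDir\notmyfault /crash
"@ | Set-Content -Path $BatchFile -Encoding ASCII

# 4. One alert for "above" and one for "below" the current PID.
#    \Process(name)\ID Process reports the PID of that instance, so any new PID
#    (a restarted process after the crash) trips one of the two thresholds.
$counter = "\Process($ProcessName)\ID Process"
foreach ($pair in @(@('stop above', '>'), @('stop below', '<'))) {
    $name, $op = $pair
    logman delete $name 2>$null | Out-Null           # ignore "not found" on a clean host
    logman create alert $name -th "$counter$op$TargetPid" -rc $BatchFile
    if ($LASTEXITCODE -ne 0) { throw "logman create alert '$name' failed" }
    logman start $name
    if ($LASTEXITCODE -ne 0) { throw "logman start '$name' failed" }
}

# Show both alerts and their state so you can confirm they are running.
logman query
```

Run it once the DebugDiag Crash rule is in place and before the next crash; logman query should list both alerts as Running. To disarm the trap without crashing the box, run logman stop and logman delete for each alert.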

Enjoy.

Jeff
