There are times when tools such as DebugDiag, ADPlus or UserDump fail to capture a dump when a process terminates unexpectedly. When that happens, we can launch the process inside the debugger to ensure that we capture a dump. To do that, import a registry file like the following, which sets cdb.exe as the debugger for the target executable (calc.exe in this example):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Program Files\\Debugging Tools for Windows\\cdb.exe -g"
Once you have imported this information into the registry, restart the process that you are monitoring so that it launches under the debugger. When the process terminates, it will break back into the debugger. At this point, you can run the following command to dump out the process:
.dump /ma c:\user.dmp
You can change the path and filename of the dump as needed. Remember that this method should be used in the event that other methods of capturing the dump file are not working. That’s all for today – thanks for stopping by!
- Aaron Maxwell
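Until the Debugger value is removed, every launch of the named image keeps starting under cdb.exe, so it is worth confirming what is set and cleaning up once the dump is captured. The PowerShell below is an added example, not part of the original post: the function names are hypothetical, it assumes an elevated prompt, and it also checks the WOW6432Node copy of the key where one exists.

```powershell
# Added example: audit and clean up Image File Execution Options (IFEO)
# "Debugger" values. Function names are hypothetical; run elevated.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # Return one object per image that has a Debugger value set.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = $_.GetValue('Debugger')
            if ($null -ne $dbg) {
                [pscustomobject]@{
                    Image    = $_.PSChildName   # e.g. calc.exe
                    Debugger = $dbg             # e.g. ...\cdb.exe -g
                    KeyPath  = $_.PSPath
                }
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Remove only the Debugger value for one image; other IFEO settings stay.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Image)

    Get-IfeoDebugger | Where-Object Image -eq $Image | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.KeyPath, 'Remove Debugger value')) {
            Remove-ItemProperty -LiteralPath $_.KeyPath -Name 'Debugger'
        }
    }
}

# Before restarting the process: confirm the entry is in place.
Get-IfeoDebugger | Format-Table -AutoSize Image, Debugger

# After the dump has been written: preview the cleanup, then apply it.
# Remove-IfeoDebugger -Image 'calc.exe' -WhatIf
# Remove-IfeoDebugger -Image 'calc.exe'
```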