Installing Visual Studio on a production machine is in most cases out of the question. Sometimes not even a debugger with a minimal footprint that needs no installation is a viable option. In those cases, you should consider analyzing a memory dump of the process.
Kernel dump – Mainly for operating system and device driver development
- Small memory dump
- Complete memory dump
User dump – That is for normal applications
- Mini dump – Only includes basic information about the loaded modules that make up the target process, thread information, and stack information
- Full dump – This dump file includes the entire memory space of a process

Creating a memory dump
32 bit – Vista, Windows 7, Windows Server
The absolute easiest way to create a dump is by using the task manager.
This will create a full user dump, which is the type of dump you normally want to have.
64 bit – Vista, Windows 7, Windows Server
On 64 bit Windows, things get a bit more complicated. If you want to save a 64 bit memory dump of a 64 bit application, you just save it from the task manager.
To save a memory dump of a 32 bit application, you must use the 32 bit version of the task manager. You find it at C:\Windows\SysWOW64\TaskMgr.exe.
The reason for this is that 32 bit apps run in a virtualized mode (WOW64): the 32 bit process is boxed inside a 64 bit process. If you just save the dump from the 64 bit task manager, you get a 64 bit dump of that host process. In WinDbg you can switch views and look at it as a 32 bit process, but the best approach is to save it correctly from the beginning.
For a safe and general way to save dumps on any Windows version, I recommend ProcDump from Sysinternals, which automatically saves the correct type of dump. The next section gives instructions for using ProcDump.
To dump a process we use the Process Id, which can be found in the task manager. By default this information isn’t displayed, but you can enable it by selecting the columns that should be displayed.
This is how you save a full user dump with ProcDump (2380 is the Process Id of the target):
c:\>procdump -ma 2380
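As an added example (not from the original post), here is a PowerShell helper that checks whether the target is a 32 bit process running under WOW64, which tells you which Task Manager to use, and then saves a full user dump with ProcDump. It assumes procdump.exe is on PATH and that C:\Dumps is writable; notepad is only an example target.

```powershell
# Added example, not from the original post. Assumptions: procdump.exe (Sysinternals)
# is on PATH, C:\Dumps is writable, and the script runs with enough rights to open
# the target process.
if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@
}

# True when the target is a 32 bit process boxed inside WOW64 on 64 bit Windows.
# That is the case where the 64 bit Task Manager would give you a 64 bit dump.
function Test-Wow64Process {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $isWow64 = $false
    if (-not [Win32.Native]::IsWow64Process($proc.Handle, [ref]$isWow64)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "IsWow64Process failed for PID $ProcessId (Win32 error $err)"
    }
    return $isWow64
}

# Path of the Task Manager that matches the target's bitness, for a manual dump.
function Get-MatchingTaskMgr {
    param([Parameter(Mandatory)][int]$ProcessId)
    if (Test-Wow64Process -ProcessId $ProcessId) { 'C:\Windows\SysWOW64\TaskMgr.exe' }
    else { 'C:\Windows\System32\TaskMgr.exe' }
}

# Saves a full user dump (-ma = entire memory space) with ProcDump and returns its path.
function Save-FullUserDump {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [string]$OutDir = 'C:\Dumps'   # assumption
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $bitness = if (Test-Wow64Process -ProcessId $ProcessId) { 'x86' } else { 'x64' }
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $dumpPath = Join-Path $OutDir "pid${ProcessId}_${bitness}_${stamp}.dmp"
    # ProcDump chooses the dump format matching the target's bitness by itself;
    # the tag in the file name only records what was captured.
    & procdump.exe -accepteula -ma $ProcessId $dumpPath
    if ($LASTEXITCODE -ne 0) { throw "procdump exited with code $LASTEXITCODE" }
    return $dumpPath
}

# Usage: resolve the PID from a process name instead of reading it off Task Manager.
$target = Get-Process -Name notepad -ErrorAction Stop | Select-Object -First 1
"Manual alternative: $(Get-MatchingTaskMgr -ProcessId $target.Id)"
Save-FullUserDump -ProcessId $target.Id
```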