

Creating a memory dump

25 Apr 2011

Installing Visual Studio on a production machine is in most cases out of the question. Sometimes not even a debugger with a minimal footprint that needs no installation is a viable option. In those cases, you should consider analyzing a memory dump of the process instead.

Kernel dump – Mainly for operating system and device driver development

User dump – That is for normal applications

32 bit – Vista, Windows 7, Windows Server

The absolute easiest way to create a dump is by using the task manager.


This will create a full user dump, which is the type of dump you normally want to have.

64 bit – Vista, Windows 7, Windows Server

In a 64 bit Windows, things get a bit complicated. If you want to save a 64 bit memory dump of a 64 bit application, you just save it from the task manager.

To save a memory dump of a 32 bit application, you must use the 32 bit version of the task manager. You find it here: C:\Windows\SysWOW64\TaskMgr.exe

The reason for this is that 32 bit apps run in a virtualized mode (WOW64): the 32 bit process is boxed inside a 64 bit process. If you just save the dump from the 64 bit task manager, you will get a 64 bit dump. In WinDbg you can switch and look at it in a 32 bit view, but the best approach is actually to save it correctly from the beginning.

For a safe and general way to save dumps across any Windows version, I would recommend using ProcDump from Sysinternals, which automatically saves the correct type of dump. Read the next section for instructions on using ProcDump.

Windows XP

In Windows XP, the task manager doesn’t support saving memory dumps, so we have to rely on another tool. I would recommend ProcDump from Sysinternals.

To dump a process we use its process ID (PID), which can be found in the task manager. By default this column isn’t displayed, but you can enable it by selecting the columns that should be displayed.


This is how you save a full user dump with ProcDump (-ma writes a full dump including all process memory; 2380 is the PID from the task manager):

C:\>ProcDump -ma 2380
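The same procedure scripted in PowerShell, as an added example that is not part of the original post and not Sysinternals' own code: it resolves the PID from a process name (the step the post does by hand in the task manager), refuses to guess when several instances exist, notes whether the target is a 32 bit process running under WOW64 on 64 bit Windows, and then runs the post's "ProcDump -ma <pid>". It assumes procdump.exe is on the PATH (or that $ProcDumpPath points at it), uses ProcDump's documented -accepteula switch so the run is non-interactive, and treats "wow64.dll is loaded" as a heuristic for a 32 bit process; ProcDump itself still chooses the correct dump format, so that check only informs the operator. The output directory C:\Dumps is a constructed default.

```powershell
# Added example: take a full user dump of a process by name with ProcDump.
# Assumptions: procdump.exe on PATH or at $ProcDumpPath; -accepteula and -ma are
# documented ProcDump switches; the wow64.dll check is a heuristic for a 32 bit
# process on 64 bit Windows and is informational only.

function New-FullUserDump {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ProcessName,                      # e.g. "notepad" (without .exe)

        [string]$OutputDirectory = "C:\Dumps",     # constructed default location

        [string]$ProcDumpPath = "procdump.exe"     # assumed to be on PATH
    )

    if (-not (Test-Path -LiteralPath $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }

    # Resolve the PID the way the post does via Task Manager, but from PowerShell.
    # Refuse to guess when more than one instance of the process is running.
    $candidates = @(Get-Process -Name $ProcessName -ErrorAction Stop)
    if ($candidates.Count -ne 1) {
        $ids = ($candidates | ForEach-Object { $_.Id }) -join ', '
        throw "Expected exactly one '$ProcessName' process, found $($candidates.Count) (PIDs: $ids)."
    }
    $proc = $candidates[0]

    # Heuristic: a 32 bit process on 64 bit Windows has wow64.dll loaded.
    # ProcDump picks the dump format itself; this is only a note for the operator.
    $isWow64 = $false
    if ([Environment]::Is64BitOperatingSystem) {
        try {
            $isWow64 = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq 'wow64.dll' })
        } catch {
            Write-Warning "Could not enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
        }
    }
    if ($isWow64) {
        Write-Host "PID $($proc.Id) is a 32 bit process under WOW64; ProcDump will write a 32 bit dump."
    }

    # Timestamped file name so repeated dumps of the same process do not collide.
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dumpFile = Join-Path $OutputDirectory "$($proc.ProcessName)-$($proc.Id)-$stamp.dmp"

    # -ma = full user dump (all process memory), exactly as in "ProcDump -ma <pid>".
    & $ProcDumpPath -accepteula -ma $proc.Id $dumpFile
    $exit = $LASTEXITCODE

    # Return a record the caller can log or inspect.
    [pscustomobject]@{
        ProcessName = $proc.ProcessName
        ProcessId   = $proc.Id
        IsWow64     = $isWow64
        DumpFile    = $dumpFile
        ExitCode    = $exit
        DumpExists  = (Test-Path -LiteralPath $dumpFile)
    }
}

# Usage (run from an elevated PowerShell prompt on the machine being diagnosed):
# New-FullUserDump -ProcessName notepad -OutputDirectory C:\Dumps
```

Run it elevated, since opening a handle with enough access to read another user's process memory requires administrative rights on most systems. The function returns the dump path and ProcDump's exit code rather than only printing them, so it can be called from a larger collection script and its result checked; the DumpExists field is the simplest confirmation that a file was actually written. If you prefer the task manager route on 64 bit Windows, remember the post's point: launch C:\Windows\SysWOW64\TaskMgr.exe when the target is a 32 bit process.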