How to use ProcDump to collect memory dumps to help diagnose issues with Windows processes

Article: 100061081
Last Published: 2023-11-17
Product(s): Enterprise Vault

Description

Sometimes it is necessary to get memory dumps of Windows processes to help troubleshoot Enterprise Vault or other application issues.

Two main common scenarios exist where dumps are helpful:

1) A Windows process appears to hang or stop responding.
2) A Windows process crashes with an unhandled exception or application fault.

ProcDump is a SysInternals tool that can be used to investigate both scenarios and can be downloaded here:

https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

Note: The examples below only scratch the surface of what ProcDump can do. Refer to the ProcDump link for a complete reference.


Hang Dumps

For hang dumps to be effective for diagnosis, the hang must currently be happening when the ProcDump command is run.


One Dump

When a process appears to stop responding, a full dump can be triggered immediately with:

procdump -ma [process name or PID] [output file or folder]

For example if the hanging process is Notepad.exe the command would be:

procdump -ma Notepad.exe

Since no output folder was specified, it will save the dump to the current working directory. 

To save the dump to d:\dumps, use:

procdump -ma Notepad.exe d:\dumps

The above commands trigger one full dump and then exit. They will fail with an error if the process isn't running, or if more than one instance of it is running. In the case of multiple instances, use Task Manager to obtain the PID of the specific process to be dumped and pass that PID instead of the process name.


Multiple Consecutive Timed Dumps

Since a memory dump is just a snapshot in time of a process's memory, with hangs it often takes multiple consecutive dumps to understand the problem. ProcDump can do this automatically. Sticking with the Notepad example, we can trigger 3 dumps of Notepad.exe 30 seconds apart with:

procdump -ma -n 3 -s 30 Notepad.exe d:\dumps

The new options introduced here are -n 3, telling it to do 3 dumps, and -s 30, telling it to wait 30 seconds between dumps.


Crash Dumps

ProcDump can also trigger dumps when a process crashes. This is useful when the crash can be reproduced on demand.

For instance, if Outlook.exe is crashing when clicking on a certain button, a dump could be collected with ProcDump using the following steps:

1) Launch Outlook (but do not reproduce the crash yet).
2) Run with an elevated command prompt:
procdump -ma -e Outlook.exe
3) Reproduce the crash.

ProcDump will write a crash dump to the current folder when the crash happens. The -e option tells it to wait for a crash before writing the dump. 

ProcDump might not be the best tool for crash dumps if the target process has more than one instance running (like StorageOnlineOpns.exe), or if the process spawns and exits frequently (like StorageCrawler.exe). In these cases, LocalDumps from Windows Error Reporting (WER) is the better option - see Related Articles below.
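The following PowerShell wrapper is an added example, not part of this article or of the Sysinternals tool. It ties the three scenarios above together (one hang dump, several timed hang dumps, and a wait-for-crash dump) and resolves a process name to a single PID before calling procdump.exe, which avoids the error ProcDump gives when more than one instance of the name is running. The function names, the default dump folder D:\dumps and the assumption that procdump.exe is on PATH (or supplied via -ProcDumpPath) are the example's own; only the ProcDump switches -ma, -n, -s, -e and -accepteula are real.

```powershell
# Added example (not from the Veritas article or Sysinternals): PowerShell wrapper
# around procdump.exe for the three scenarios described in the article:
#   Hang      -> one immediate full dump           (-ma)
#   TimedHang -> several consecutive full dumps    (-ma -n <count> -s <seconds>)
#   Crash     -> wait for an unhandled exception   (-ma -e)
# Assumes procdump.exe is on PATH or given via -ProcDumpPath, and an elevated prompt.

function Resolve-TargetPid {
    param([Parameter(Mandatory)][string]$ProcessName)

    # Get-Process wants the name without ".exe"
    $baseName  = [System.IO.Path]::GetFileNameWithoutExtension($ProcessName)
    $instances = @(Get-Process -Name $baseName -ErrorAction SilentlyContinue)

    if ($instances.Count -eq 0) {
        throw "No running process named '$ProcessName'. A hang dump is only useful while the hang is happening."
    }
    if ($instances.Count -eq 1) {
        return $instances[0].Id
    }

    # Several instances: show them and let the operator choose, instead of letting procdump fail
    Write-Host "Multiple instances of $ProcessName are running:"
    $instances | Select-Object Id, StartTime, WorkingSet64 | Format-Table -AutoSize | Out-Host
    $chosen = [int](Read-Host "Enter the PID to dump")
    if ($instances.Id -notcontains $chosen) {
        throw "PID $chosen is not an instance of $ProcessName."
    }
    return $chosen
}

function New-ProcDumpArgs {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$DumpFolder,
        [ValidateSet('Hang','TimedHang','Crash')][string]$Mode = 'Hang',
        [int]$Count = 3,
        [int]$IntervalSeconds = 30
    )
    # -ma = full memory dump; -accepteula stops the licence dialog from blocking an unattended run
    $procArgs = @('-accepteula', '-ma')
    switch ($Mode) {
        'TimedHang' { $procArgs += @('-n', $Count, '-s', $IntervalSeconds) }
        'Crash'     { $procArgs += '-e' }   # write the dump only when an unhandled exception occurs
    }
    $procArgs += @($ProcessId, $DumpFolder)
    return $procArgs
}

function Invoke-ProcDump {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [string]$DumpFolder = 'D:\dumps',
        [ValidateSet('Hang','TimedHang','Crash')][string]$Mode = 'Hang',
        [int]$Count = 3,
        [int]$IntervalSeconds = 30,
        [string]$ProcDumpPath = 'procdump.exe'
    )
    if (-not (Test-Path -LiteralPath $DumpFolder)) {
        New-Item -ItemType Directory -Path $DumpFolder | Out-Null
    }

    $targetPid = Resolve-TargetPid -ProcessName $ProcessName
    $procArgs  = New-ProcDumpArgs -ProcessId $targetPid -DumpFolder $DumpFolder `
                                  -Mode $Mode -Count $Count -IntervalSeconds $IntervalSeconds

    Write-Host "Running: $ProcDumpPath $($procArgs -join ' ')"
    # In Crash mode this call blocks until the process crashes: reproduce the crash now.
    & $ProcDumpPath @procArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "procdump exited with code $LASTEXITCODE; check its output above."
    }

    # List what was written so the files can be attached to the support case
    $expected = if ($Mode -eq 'TimedHang') { $Count } else { 1 }
    Get-ChildItem -LiteralPath $DumpFolder -Filter '*.dmp' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $expected -Property Name,
            @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
}

# Usage (from an elevated PowerShell prompt):
#   Invoke-ProcDump -ProcessName Notepad.exe                                   # one hang dump
#   Invoke-ProcDump -ProcessName Notepad.exe -Mode TimedHang -Count 3 -IntervalSeconds 30
#   Invoke-ProcDump -ProcessName Outlook.exe -Mode Crash                      # then reproduce the crash
```

The wrapper passes the PID rather than the image name to procdump.exe in every case, so the multiple-instance failure described under One Dump never reaches ProcDump; the frequently-spawning process case (StorageCrawler.exe and similar) is still better served by WER LocalDumps, since a PID chosen here may already be gone by the time ProcDump attaches.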

