Two Minute Drill: Using PROCDUMP

Hello again AskPerf!  Blake Morrison here to introduce you to a new tool from Sysinternals called ProcDump.  If you are familiar with AdPlus then ProcDump will be a welcome addition to your debugging arsenal.  ProcDump is a new command line tool which allows you to monitor a running process for CPU spikes, and then create a memory dump (or dumps) based on specific criteria.

For example, you have a server where a particular process is spiking CPU usage for 1-2 minutes per day at random times, and you have been unable to capture a dump to determine why this is occurring.  Using ProcDump, you can tell it to monitor the process and create process dumps based on how long the process has stayed above a CPU threshold.  A quick note here: when ProcDump captures the dump file, it does not kill the running process.

OK, let’s take a look at the command parameters:

Parameter   Information
-64         If you are running ProcDump on an x64 system, then by default ProcDump captures a 32-bit dump of a 32-bit process.  The -64 switch overrides this and creates a 64-bit dump
-c          Defines the CPU threshold (in percent) for the process
-e          Writes a dump when the process encounters an unhandled exception
-h          Writes a dump if the process has a hung window
-ma         Writes a dump file with all process memory.  The default includes thread and handle information only
-n          Number of dumps to create.  Those of you that have worked with us in the past may have used ADPlus to capture a series of process dumps for high CPU issues - it's the same concept
-o          Overwrite an existing dump file
-r          Reflect (clone) the process (Windows 7 and higher only) - this helps to minimize the time the process is suspended while the dump is written
-s          Number of consecutive seconds that the process has to be over the CPU threshold before the dump is written.  This helps to differentiate between what may be a normal spike and sustained high CPU
-u          Treat CPU usage relative to a single core
-x          Launch the specified image with optional arguments

Now let’s examine some common scenarios and the appropriate Procdump command for each one:

Scenario: Wait for the Spooler to spike the CPU for 30 seconds at 90%.  When this occurs, we need to create 5 dump files named SPOOLSV_date_time.dmp in the c:\dumps folder with all process memory:

Procdump.exe -c 90 -n 5 -ma -s 30 spoolsv.exe c:\dumps

Scenario: Create a simple dump (thread and handle only) of Calculator in c:\temp:

Procdump.exe calc.exe c:\temp

Scenario: Capture a dump of Outlook called Outlook_hang.dmp when one of its windows is unresponsive:

Procdump.exe -h outlook.exe c:\dumps\Outlook_hang.dmp

Scenario: Start a process and then monitor it for high CPU usage over 50% sustained for 20 seconds:

Procdump.exe -c 50 -s 20 -x notepad.exe c:\dumps\notepad.dmp

As you can see, there are many powerful features in ProcDump.  It is definitely a useful tool to have in your troubleshooting toolkit.  With that, we’ve reached the end of our post.  Enjoy the rest of your week!

Additional Resources:

- Blake Morrison

  • Even better - procdump can be run from live.sysinternals.com, on a system that is connected to the internet - \\live.sysinternals.com\tools\procdump.exe <rest of command-line> - no need to download anything...

  • It might have been posted before, but I'm still curious what the best way is to analyze the dumps we create with procdump?

  • @CypherBit

    Debugging Tools for Windows, probably WinDbg...

  • This is the correct URL

    http://live.sysinternals.com/tools/procdump.exe

  • @Surfdork

    That link will let you download procdump.exe, yes.  But you can run the tool directly via WebDAV, using the previously provided command, without needing to download it.

  • Hi All,

    Is it possible to monitor processes that do not exist yet but will be created? e.g. I would like to monitor the w3wp.exe worker process at any point in time when it is started by the svchost.exe process.

    It's because w3wp.exe can be alive and die at any point in time.

    Regards

  • @Rene The only functionality close to what you're describing would be to have procdump launch the process itself which isn't feasible with w3wp.

    That's not to say you couldn't use another tool to monitor for an event or threshold and execute procdump then.
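As an added example that is not part of the post or the comments, the approach the reply above describes can be scripted in PowerShell: poll until a w3wp.exe instance exists, then attach ProcDump to that PID with the -c/-s/-n/-ma switches from the scenarios above, and go back to waiting once ProcDump exits. The ProcDump path, the dump folder and the -accepteula switch (which suppresses the first-run license prompt) are assumptions, not taken from the post.

```powershell
# Added example, not from the post: wait for a process that is not running yet,
# attach ProcDump to its PID with the CPU-threshold switches described above,
# and return to waiting once ProcDump exits (e.g. because w3wp.exe died).
param(
    [string]$ProcessName = 'w3wp',                   # name without .exe, as Get-Process expects
    [string]$ProcDump    = 'C:\Tools\procdump.exe',  # assumed location of the downloaded tool
    [string]$DumpDir     = 'C:\dumps',
    [int]$CpuThreshold   = 90,                       # -c
    [int]$SustainSeconds = 30,                       # -s
    [int]$DumpCount      = 3,                        # -n
    [int]$PollSeconds    = 5,
    [int]$MaxCycles      = 10                        # process lifetimes to cover before giving up
)

if (-not (Test-Path -LiteralPath $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}

for ($cycle = 1; $cycle -le $MaxCycles; $cycle++) {
    Write-Host "[$cycle/$MaxCycles] Waiting for $ProcessName.exe to start..."
    $target = $null
    while ($null -eq $target) {
        # Get-Process returns nothing (and no error) while the process is not running
        $target = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
                  Select-Object -First 1
        if ($null -eq $target) { Start-Sleep -Seconds $PollSeconds }
    }
    Write-Host "Found PID $($target.Id); attaching ProcDump."

    # Same switches as the Spooler scenario, but given a PID rather than a name so a
    # specific worker process is monitored even when several w3wp.exe instances exist.
    # -accepteula (assumed, not from the post) suppresses the first-run license prompt.
    $pdArgs = @('-accepteula', '-c', $CpuThreshold, '-s', $SustainSeconds,
                '-n', $DumpCount, '-ma', $target.Id, $DumpDir)
    $pd = Start-Process -FilePath $ProcDump -ArgumentList $pdArgs -NoNewWindow -PassThru -Wait
    Write-Host "ProcDump exited with code $($pd.ExitCode); dumps (if any) are in $DumpDir."
}
```

Run it from an elevated prompt, since attaching to a service-hosted worker process requires the same rights ProcDump itself needs.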

  • Is it possible to run it as a service on Windows Server 2008?

  • From where do I get the symbols for Outlook to analyze the Outlook hang dump?