How To: Generate Dump Files for Running Processes, Hanging or Frozen Processes, Crashing Processes, Blue Screens, or a Controlled Blue Screen dump

Version 13

     

    This article describes the methods used to generate dump files and troubleshoot the following:

     

    Running Processes

    Hanging or Frozen Processes

    Crashing Processes

    Blue Screens

    Controlled Blue Screens

     


    Running Processes

     

    Manual process dumps are useful for diagnosing application hangs or freezes and for capturing the state of any running process. Because a full dump contains all of the process's memory it can be very large, so please do not send dumps in unrequested. Microsoft's ProcDump utility is used to create them.

     

    1. Download ProcDump from the Microsoft website.
      ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung-window monitoring (using the same definition of a window hang that Windows and Task Manager use) and unhandled-exception monitoring, and it can generate dumps based on the values of system performance counters. It can also serve as a general process dump utility that you can embed in other scripts. Further information: ProcDump - Windows Sysinternals | Microsoft Docs
    2. Once you have downloaded the Procdump.zip file, right-click on it, choose 'Extract all...', and save it to a directory of your choice. A recommended location is a ProcDump folder on your Desktop, such as C:\Users\User Name\Desktop\ProcDump, where "User Name" is your own user name.
    3. Open a console window as administrator. Type 'cmd' into the Windows search box (Cortana on Windows 10) and wait for 'Command Prompt' to appear, then right-click it and choose 'Run as administrator'. Accept the UAC prompt if one appears. Elevation matters when the process you want to dump runs as another user or as a service: an unelevated console cannot open such a process.
    4. Change directory (cd) to the location ProcDump.zip was extracted to by typing the following command and pressing Enter, making sure to put a space between the command (cd) and the argument (ProcDump_path):

      cd "<ProcDump_path>"

      For example, the command to type might be:

      cd "C:\Users\User Name\Desktop\ProcDump"

      This assumes you created a ProcDump folder on your desktop and extracted the ProcDump program into it. The quotes are required if the path contains spaces; this is true for many commands, not just cd.

    5. Create the process dump by executing the following command, or the one provided by a helper:

      ProcDump.exe -ma <process name or PID (Process ID)>

      A few examples:

      ProcDump.exe -ma ldiscn32.exe
      ProcDump.exe -ma 512

      The -ma switch writes a full dump containing all of the process's memory, which is what effective troubleshooting needs. On first use ProcDump displays its licence agreement, which you must accept (or add -accepteula to the command line). If several instances of the same program are running, ProcDump cannot tell by name which one you mean; find the PID in Task Manager (Details tab) and use that instead.

     

    The dump is written to the current directory (the ProcDump directory if you changed to it in step 4) and is named after the process and the current date/time, with a .dmp extension.
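    The function below is an added example for steps 1-5 above; it is not part of the original article and not part of ProcDump itself. It assumes ProcDump.zip was extracted to the Desktop\ProcDump folder suggested in step 2 (adjust $ProcDumpDir otherwise) and that the console is elevated when the target runs as another user. It resolves a name to exactly one PID before calling ProcDump, because a name that matches several running instances is rejected by ProcDump, and it returns the dump file that was written so you can zip it.

```powershell
# Added example, not from the article or from ProcDump.
function New-ProcessDump {
    param(
        [Parameter(Mandatory)][string]$Target,                        # process name or PID, as in step 5
        [string]$ProcDumpDir = "$env:USERPROFILE\Desktop\ProcDump",   # assumption: where ProcDump.zip was extracted
        [string]$OutDir = $ProcDumpDir,                               # dumps are written here
        [switch]$WaitForHang                                          # ProcDump -h: dump when the window stops responding
    )
    $exe = Join-Path $ProcDumpDir 'procdump.exe'
    if (-not (Test-Path $exe)) { throw "procdump.exe not found in $ProcDumpDir" }
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

    # Resolve the target to exactly one PID. ProcDump refuses a bare name that
    # matches several instances, which names like svchost.exe usually do.
    if ($Target -match '^\d+$') {
        $procs = @(Get-Process -Id ([int]$Target) -ErrorAction Stop)
    } else {
        $name  = [IO.Path]::GetFileNameWithoutExtension($Target)     # Get-Process wants 'ldiscn32', not 'ldiscn32.exe'
        $procs = @(Get-Process -Name $name -ErrorAction Stop)
    }
    if ($procs.Count -ne 1) {
        $procs | Format-Table Id, ProcessName, StartTime -AutoSize | Out-String | Write-Warning
        throw "'$Target' matched $($procs.Count) processes; re-run with one of the PIDs listed above"
    }
    $targetPid = $procs[0].Id        # not $pid: that is a reserved automatic variable in PowerShell

    # -accepteula suppresses the first-run licence dialog; -ma writes a full dump
    # (all process memory); -h waits for a hung window before dumping.
    $pdArgs = @('-accepteula', '-ma')
    if ($WaitForHang) { $pdArgs += '-h' }
    $pdArgs += @($targetPid, $OutDir)

    $started = Get-Date
    & $exe @pdArgs

    # ProcDump names the file after the process, date and time; pick up the one it just wrote.
    $dump = Get-ChildItem -Path $OutDir -Filter '*.dmp' |
        Where-Object { $_.LastWriteTime -ge $started -and $_.Name -like "$($procs[0].ProcessName)*" } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $dump) { throw "ProcDump did not write a dump for PID $targetPid (see its output above)" }
    Write-Host ("Dump written: {0} ({1:N0} MB)" -f $dump.FullName, ($dump.Length / 1MB))
    $dump
}

# Usage, matching the article's examples:
# New-ProcessDump -Target ldiscn32.exe
# New-ProcessDump -Target 512
# New-ProcessDump -Target ldiscn32.exe -WaitForHang    # hung or frozen process: dump when the window hangs
```

    The -WaitForHang switch is the one difference between a "running" and a "hanging" process here: with -h, ProcDump blocks until Windows considers the target's window unresponsive (the same test Task Manager uses) and only then writes the dump, so the dump captures the hung state rather than a moment before it.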

     


    Hanging or Frozen Processes

     

    Use the same ProcDump steps as for running processes. If the application has a window, adding ProcDump's -h switch (for example ProcDump.exe -ma -h ldiscn32.exe) makes ProcDump wait until the window stops responding before writing the dump, so you can start it before the hang occurs.

     


    Crashing Processes

     

    The registry files attached to this article enable mini dumps or full dumps for every crashing application, or disable dump generation again.

     

    • Download the attached .ZIP file to your system and unpack it to a location of your choice.
    • Double-click the registry file for the setting you want and confirm the import (this requires administrator rights). The file names are self-explanatory:
    • "enable_mini_crash_dumps.reg" enables mini crash dumps for all application crashes. Mini dumps are small and cheap to collect, but they contain little more than thread stacks and registers, so they are often not enough on their own.
    • "enable_full_crash_dumps.reg" enables full crash dumps for all application crashes. Full dumps contain the whole process memory and can be large; use this setting when a developer or technician asks for full crash dumps.

    Generally, full crash dumps are required for effective troubleshooting. Unless the technician specifies otherwise, gather full crash dumps.

    • "disable_all_crash_dumps.reg" disables all crash dump generation, which is the Windows default behaviour.

     

    The settings take effect immediately; no reboot is required. Crash dumps are written to the "CrashDumps" sub-directory of the public profile (usually C:\Users\Public\CrashDumps), one file per crash, named after the crashing executable and its PID.
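    The following is an added example, not the article's attached .ZIP and not code from Ivanti. It writes the documented Windows Error Reporting "LocalDumps" registry values (DumpFolder, DumpCount, DumpType) that per-application crash dumps are controlled by; that the article's three .reg files set exactly these values is an assumption, but the dump location and the no-reboot behaviour described above match this mechanism. The disable branch removes the key, which is the Windows default of writing no local dumps.

```powershell
# Added example, not from the article or its attached .reg files.
function Set-CrashDumpMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Mini', 'Full', 'Disable')][string]$Mode,
        [string]$DumpFolder = 'C:\Users\Public\CrashDumps',   # location the article names; writable by every user
        [int]$DumpCount = 10                                   # keep at most this many dumps in the folder
    )
    $wer = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
    $key = Join-Path $wer 'LocalDumps'

    if ($Mode -eq 'Disable') {
        # No LocalDumps key is the Windows default: WER writes no per-application dumps.
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
        Write-Host 'Local crash dumps disabled (Windows default)'
        return
    }

    # WER itself must be enabled, otherwise LocalDumps is never consulted.
    $disabled = (Get-ItemProperty -Path $wer -Name Disabled -ErrorAction SilentlyContinue).Disabled
    if ($disabled -eq 1) {
        Write-Warning 'Windows Error Reporting is turned off (Disabled=1); no dumps will be written until it is re-enabled'
    }

    if (-not (Test-Path $key))        { New-Item -Path $key -Force | Out-Null }
    if (-not (Test-Path $DumpFolder)) { New-Item -ItemType Directory -Path $DumpFolder | Out-Null }

    # DumpType: 1 = mini dump, 2 = full dump (0 = custom, shaped by CustomDumpFlags).
    $dumpType = if ($Mode -eq 'Full') { 2 } else { 1 }
    New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $DumpFolder -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord        -Value $DumpCount  -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord        -Value $dumpType   -Force | Out-Null

    # Read back what WER will actually use; it applies to the next crash without a reboot.
    Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpCount, DumpType
}

# Usage, one call per .reg file in the article:
# Set-CrashDumpMode -Mode Mini      # enable_mini_crash_dumps.reg
# Set-CrashDumpMode -Mode Full      # enable_full_crash_dumps.reg
# Set-CrashDumpMode -Mode Disable   # disable_all_crash_dumps.reg
```

    Two practical notes: a subkey of LocalDumps named after an executable (for example LocalDumps\ldiscn32.exe) overrides these values for that program alone, which is handy when only one application crashes and you do not want full dumps of everything else; and because the dumps contain whole process memory, including any credentials or tokens the process held, treat the CrashDumps folder as sensitive and clear it once the case is closed.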

     

     


    Blue Screens

     

    In the case of a blue screen, a memory dump needs to be gathered. The following describes how to set the default blue screen dump type. Most of the time a Kernel memory dump will suffice; however, a developer may ask for a Complete memory dump, which also includes user-mode memory and requires a paging file on the system drive at least as large as physical memory plus 1 MB.

     

      1. Right-click "My Computer" ("This PC" on Windows 10), choose "Properties" and open "Advanced system settings". Alternatively press Windows key + R and run sysdm.cpl.
      2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery".
      3. Under the "System failure" section, open the "Write debugging information" drop-down and select "Kernel memory dump" or "Complete memory dump".
      4. Make note of the path that the MEMORY.DMP file will be saved to (%SystemRoot%\MEMORY.DMP by default).
      5. Reboot if prompted so the setting takes effect, reproduce the blue screen issue, then collect the MEMORY.DMP file and compress it into a .ZIP file.

    A complete memory dump or kernel memory dump must be supplied, a mini dump does not supply sufficient information.

     

    See Varieties of Kernel-Mode Dump Files (Windows Debuggers) for details about memory dump options.
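    The function below is an added example, not part of the article. It makes the same change as steps 1-3 above through the CrashControl registry key that the Startup and Recovery dialog writes, reports the dump path from step 4, and performs the check a practitioner wants before asking for a reproduction: that a Complete memory dump actually has a large enough paging file on the system drive to be written. The CrashDumpEnabled values are the documented ones; the DedicatedDumpFile check is there because a dedicated dump file removes the paging-file requirement.

```powershell
# Added example, not from the article.
function Set-KernelDumpType {
    param([Parameter(Mandatory)][ValidateSet('Kernel', 'Complete')][string]$Type)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # CrashDumpEnabled: 0 = none, 1 = Complete memory dump, 2 = Kernel memory dump,
    # 3 = Small memory dump (mini dump), 7 = Automatic memory dump (Windows default).
    $value = if ($Type -eq 'Complete') { 1 } else { 2 }
    Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value $value -Type DWord

    $cfg      = Get-ItemProperty -Path $key
    $dumpFile = [Environment]::ExpandEnvironmentVariables($cfg.DumpFile)   # normally %SystemRoot%\MEMORY.DMP

    # A complete dump needs a paging file on the system drive of at least RAM + 1 MB,
    # unless a DedicatedDumpFile is configured. Otherwise the crash produces no usable file.
    $ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $sysDrv = $env:SystemDrive
    $pfMB   = [int](Get-CimInstance Win32_PageFileUsage |
                Where-Object { $_.Name -like "$sysDrv*" } |
                Measure-Object -Property AllocatedBaseSize -Sum).Sum
    if ($Type -eq 'Complete' -and -not $cfg.DedicatedDumpFile -and ($pfMB -lt ($ramMB + 1))) {
        Write-Warning "Paging file on $sysDrv is $pfMB MB; a complete dump of $ramMB MB RAM needs at least $($ramMB + 1) MB"
    }

    # Free space where MEMORY.DMP will land; a kernel dump is a fraction of RAM, a complete dump is all of it.
    $freeMB = [math]::Floor((Get-PSDrive -Name $dumpFile.Substring(0, 1)).Free / 1MB)

    [pscustomobject]@{
        Requested        = $Type
        CrashDumpEnabled = $cfg.CrashDumpEnabled
        DumpFile         = $dumpFile
        DumpDriveFreeMB  = $freeMB
        PhysicalRAMMB    = $ramMB
        EffectiveAfter   = 'next reboot'
    }
}

# Usage:
# Set-KernelDumpType -Type Kernel      # the usual request
# Set-KernelDumpType -Type Complete    # only when a developer asks for it
```

    The read-back at the end matters because Group Policy or an existing DedicatedDumpFile can mean the dialog and the effective configuration differ; the object returned shows what the kernel will use after the next restart.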

     

     


    Controlled Blue Screens

     

    A controlled blue screen is a useful way to diagnose a complete system hang or freeze: the kernel is forced to bug check while the hang is in progress, so the resulting dump captures the stuck state. The system is deliberately crashed, so save any open work before triggering it. Because the resulting memory dumps are large (a kernel or complete memory dump is required), we will explicitly ask you to perform a controlled blue screen when it is needed, and there is no reason to keep this option enabled all the time.

     

    1. Use the Windows key + R keyboard shortcut to open the Run command.
    2. Type REGEDIT, and then press enter to open the registry.
    3. Browse to the following path (kbdhid is the driver for USB keyboards):

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters

    4. Right-click on the right side, select New, and then click on DWORD (32-bit) Value.
    5. Name the new DWORD CrashOnCtrlScroll and press Enter.
    6. Double-click the newly created DWORD and change its value from 0 to 1.
    7. Click OK to confirm the new value.
    8. Browse to the following path (i8042prt is the driver for PS/2 keyboards):

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

    9. Right-click on the right side, select New, and then click on DWORD (32-bit) Value.
    10. Name the new DWORD CrashOnCtrlScroll and press Enter.
    11. Double-click the newly created DWORD and change its value from 0 to 1.
    12. Click OK to confirm the new value.
    13. Restart your computer to apply the new settings.

     

    Once you complete these steps, you can intentionally crash your computer from the keyboard by holding down the right Ctrl key and pressing Scroll Lock twice.

    Windows then calls KeBugCheck with bug check code 0xE2 (MANUALLY_INITIATED_CRASH), displays a blue screen with that message, and writes a memory dump of the type configured under Blue Screens above. Note that if the dump type there is "(none)" the system still crashes but nothing is saved, and a small memory dump is not sufficient.

    If you no longer need to force a Blue Screen of Death, use the same steps mentioned above to revert the changes, but at step 3 and step 8 right-click the CrashOnCtrlScroll DWORD and delete it.
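    As an added example (not part of the article), the function below applies and reverts the same CrashOnCtrlScroll values as steps 3-12, and checks the dump-type precondition that the walk-through only implies. The kbdhid and i8042prt keys are the ones the article names; hyperkbd is the keyboard driver inside Hyper-V virtual machines, which Microsoft's documentation for this feature lists in addition, and it is skipped on machines where that driver is not installed.

```powershell
# Added example, not from the article.
function Set-CrashOnCtrlScroll {
    param([Parameter(Mandatory)][bool]$Enabled)

    # kbdhid = USB/HID keyboards, i8042prt = PS/2 keyboards (both from the article);
    # hyperkbd = keyboard inside Hyper-V guests (from Microsoft's documentation, not the article).
    $services = 'kbdhid', 'i8042prt', 'hyperkbd'

    $results = foreach ($svc in $services) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $svcKey)) { continue }          # driver not present on this machine
        $key = Join-Path $svcKey 'Parameters'

        if ($Enabled) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name CrashOnCtrlScroll -PropertyType DWord -Value 1 -Force | Out-Null
        } elseif (Test-Path $key) {
            # Reverting means deleting the value, as the article's last paragraph says.
            Remove-ItemProperty -Path $key -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
        }

        $current = (Get-ItemProperty -Path $key -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
        [pscustomobject]@{ Driver = $svc; CrashOnCtrlScroll = $current }
    }

    # The keyboard crash is only useful if a kernel or complete dump will be written.
    $dumpMode = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl').CrashDumpEnabled
    if ($Enabled -and $dumpMode -eq 0) {
        Write-Warning 'CrashDumpEnabled is 0 (none): the crash will produce no dump. Set a Kernel or Complete dump type first.'
    } elseif ($Enabled -and $dumpMode -eq 3) {
        Write-Warning 'CrashDumpEnabled is 3 (small memory dump): a mini dump does not supply sufficient information.'
    }

    $results
    if ($Enabled) {
        Write-Host 'Reboot to apply, then hold the right Ctrl key and press Scroll Lock twice to trigger bug check 0xE2.'
    } else {
        Write-Host 'CrashOnCtrlScroll removed; the change takes effect after the next reboot.'
    }
}

# Usage:
# Set-CrashOnCtrlScroll -Enabled $true     # steps 3-13
# Set-CrashOnCtrlScroll -Enabled $false    # revert once the dump has been collected
```

    Keep the revert call in the same ticket as the enable: a machine that can be bug-checked from the keyboard by anyone with physical or console access is a denial-of-service waiting to happen, which is exactly why the article says not to leave the option enabled.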

     


    How to troubleshoot Blue Screen issues (link to article)

     

    Click link above for more information about troubleshooting Blue Screens

     


    About Verifier.exe (use this to force intermittent blue screens to happen more quickly for troubleshooting purposes)

     

    When a driver fault is suspected of causing a blue screen, Driver Verifier (Verifier.exe) can be used to make the fault surface sooner.

     

    Driver Verifier is a tool included in Windows that intercepts the kernel routines drivers call and checks them with code specifically developed to catch device driver bugs. Once enabled, it monitors and stresses drivers to detect illegal function calls or actions that may be causing system corruption. It runs in kernel mode and can target specific drivers, or all drivers at once, so that several device drivers can be stressed at the same time. Its checks include simulated low-resource conditions, I/O verification, pool tracking, IRQL checking, deadlock detection, DMA checks, IRP logging and others. By forcing drivers to work with minimal resources it makes errors that would only rarely occur on a working system manifest immediately. Typically the stressed drivers trigger a fatal system error in the test environment, producing a memory dump that can be analysed and debugged straight away.

     

    In most cases for the purpose of troubleshooting we will use Verifier.exe to help troubleshoot blue screens caused by errant drivers.

     

    The following steps should be taken:

     

    1. From an Administrator command prompt run "Verifier.exe". (You can easily open an Admin command prompt by typing "CMD" into the Start menu search box and then pressing Ctrl-Shift-Enter.)
    2. Select "Create standard settings".
    3. Click Next.
    4. Select "Automatically select all drivers installed on this computer", then click Finish.
    5. Once a blue screen has occurred, if you can still log in to Windows on the next boot, open a command prompt and type "Verifier /reset" to stop Driver Verifier.

     

    The computer will then need to be rebooted in order for Verifier to start running.

     

    Verifier.exe can cause blue screens to happen very quickly, possibly before you reach the desktop, so it may be difficult to boot into the operating system after turning it on. If that happens, use Safe Mode as described below to run "Verifier /reset".
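    The following is an added example, not part of the article, showing the command-line equivalent of steps 1-5 above together with the one setting that addresses the boot problem just described: Verifier's resetonbootfail boot mode, which clears the settings automatically if the machine crashes before logon. The second function goes beyond the article's "all drivers" choice and lists the non-Microsoft kernel drivers on the machine, so that only those (the usual suspects) can be verified; that is less likely to leave the system unbootable. Get-ThirdPartyDriver classifies a driver by the CompanyName in its file's version resource, which is an assumption about how vendors label their drivers and is good enough for a first pass.

```powershell
# Added example, not from the article.
function Start-DriverVerifier {
    param(
        [switch]$AllDrivers,   # the article's choice: every driver installed on the computer
        [string[]]$Driver      # otherwise: specific .sys file names, e.g. from Get-ThirdPartyDriver
    )
    if ($AllDrivers) {
        verifier.exe /standard /all                       # steps 2-4 of the walk-through
    } elseif ($Driver) {
        verifier.exe /standard /driver $Driver            # array elements become separate arguments
    } else {
        throw 'Specify -AllDrivers or -Driver <name.sys>[, ...]'
    }
    # resetonbootfail: if Verifier makes the system crash before logon, the settings are
    # cleared on the following boot so you are not locked out of Windows.
    verifier.exe /bootmode resetonbootfail
    verifier.exe /querysettings                            # confirm what becomes active after the reboot
    Write-Host 'Reboot to start Driver Verifier. Afterwards: verifier.exe /reset (step 5), or from Safe Mode if needed.'
}

# Kernel drivers whose file is not labelled as Microsoft's: pass (Get-ThirdPartyDriver).File
# to Start-DriverVerifier -Driver to verify only those.
function Get-ThirdPartyDriver {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        # PathName comes in several spellings: C:\Windows\..., \SystemRoot\..., System32\..., \??\C:\...
        $path = $_.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                            -replace '^System32\\', "$env:SystemRoot\System32\"
        if (-not $path -or -not (Test-Path $path)) { return }
        $company = (Get-Item $path).VersionInfo.CompanyName
        if ($company -and $company -notmatch 'Microsoft') {
            [pscustomobject]@{
                Name    = $_.Name
                File    = Split-Path $path -Leaf
                State   = $_.State
                Company = $company
            }
        }
    }
}

# Usage (elevated PowerShell):
# Start-DriverVerifier -AllDrivers                            # exactly what steps 1-4 do
# Get-ThirdPartyDriver | Format-Table                         # review the candidates first
# Start-DriverVerifier -Driver (Get-ThirdPartyDriver).File    # narrower alternative
# Restart-Computer
# verifier.exe /reset                                         # step 5 once the dump has been collected
```

    If the machine will not reach the login screen even with resetonbootfail, shutdown /r /o /t 0 from any working session restarts straight into the recovery options used in the Safe Mode steps below, and Verifier /reset from Safe Mode clears the configuration.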

     

    Start Safe Mode from the login screen

     

    If you can boot to the login screen, you can enter Safe Mode from the login screen.

     

    1. On your keyboard, hold down the Shift key.
    2. While holding down the Shift key, on the login screen click the power button in the bottom right corner and select Restart. Windows will then bring up the Windows RE (Recovery Environment) screen.
    3. Click "Troubleshoot"
    4. Select "Advanced Options"
    5. Select "Startup Settings"
    6. Click "Restart"
    7. Press "4" to enter Safe Mode without network access, press "5" to enter Safe Mode with network access.

     

    After booting into safe mode you can go to a command prompt and type "Verifier /reset" to stop Verifier.exe.

     

    Once the blue screen has occurred, Windows saves MEMORY.DMP in the C:\Windows folder by default (the path noted in step 4 under Blue Screens above). Collect this .DMP file and provide it to the Ivanti technician.