Dumps

How to set up dumps on Windows

There are many cases where a dump is the best way (and sometimes the only way) to understand the root cause of a software problem.

This article describes different ways to collect dumps.

Create a dump of a running process

This helps when a process hangs and we are not able to debug it.

  1. Open “Task Manager”
  2. Right-click on the process you want to dump
  3. Press “Create dump file”
  4. The path to the dump location (typically in the ‘Temp’ folder) is shown in the pop-up window

Set up automatic user-mode dumps for crashed apps

Sometimes we need to run long-term testing, and the app can crash during such testing.
Microsoft provides a way to catch such crashes and collect dumps for the crashed process:

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f /v DumpFolder /t REG_EXPAND_SZ /d "c:\some_folder"
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f /v DumpCount /t REG_DWORD /d 10
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /f /v DumpType /t REG_DWORD /d 2
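
A read-back check for the LocalDumps settings above, added here as an example and not part of the original article. The function name Get-LocalDumpsConfig is hypothetical; the fallbacks for missing values (%LOCALAPPDATA%\CrashDumps, 10, 1) and the DumpType names are the ones Microsoft documents for WER LocalDumps.

```powershell
# Added example: read back the WER LocalDumps settings written by the
# REG ADD commands above and report which dump files are already on disk.
$LocalDumpsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

# DumpType values documented for WER LocalDumps.
$DumpTypeNames = @{ 0 = 'Custom dump'; 1 = 'Mini dump'; 2 = 'Full dump' }

function Get-LocalDumpsConfig {   # hypothetical helper name
    param([string]$KeyPath = $LocalDumpsKey)

    # The feature is off unless the LocalDumps key exists.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning 'LocalDumps key not found: WER does not collect local dumps.'
        return
    }
    $values = Get-ItemProperty -LiteralPath $KeyPath

    # Missing values fall back to the documented defaults. The default folder
    # is per user; here it is resolved for the user running this script.
    # Get-ItemProperty already expands REG_EXPAND_SZ values such as DumpFolder.
    $folder = if ($null -ne $values.DumpFolder) { $values.DumpFolder } else {
        Join-Path $env:LOCALAPPDATA 'CrashDumps' }
    $count = if ($null -ne $values.DumpCount) { [int]$values.DumpCount } else { 10 }
    $type  = if ($null -ne $values.DumpType)  { [int]$values.DumpType }  else { 1 }

    # Collect existing dump files, newest first.
    $folderExists = Test-Path -LiteralPath $folder -PathType Container
    $dumps = @()
    if ($folderExists) {
        $dumps = @(Get-ChildItem -LiteralPath $folder -Filter '*.dmp' -File |
                   Sort-Object LastWriteTime -Descending)
    }

    $typeName = if ($DumpTypeNames.ContainsKey($type)) { $DumpTypeNames[$type] } else { 'unknown' }

    [pscustomobject]@{
        DumpFolder   = $folder
        FolderExists = $folderExists
        DumpCount    = $count                 # maximum number of dumps kept
        DumpType     = "$type ($typeName)"
        DumpsOnDisk  = $dumps.Count
        NewestDump   = if ($dumps.Count) { $dumps[0].FullName } else { $null }
    }
}

Get-LocalDumpsConfig | Format-List
```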

Create a dump from the process itself

In some cases we need to catch all unhandled exceptions and create a process dump for later analysis. This can be helpful when you ship your application to clients.

Example: a process crash occurs rarely, and only in some specific user environment. If your app collects dumps by itself, you only need to ask the end user to provide the dump. Such dumps can reveal very interesting bugs that will never be reproduced in your automated testing.

A few tips for this case:

  1. It is better to create the dump from an external process (e.g. run the same binary with a special flag for dumping). It is harder to analyze the stacks when a process dumps itself.
  2. The exception filter does not process vectored exceptions. Vectored exceptions have to be handled separately.
  3. It is better to collect as much information in the dump as possible. MiniDumpWithFullMemory | MiniDumpIgnoreInaccessibleMemory is a good combination of the possible variants. If you need a small dump, MiniDumpNormal is the optimal choice.

// use ::MiniDumpWriteDump inside the exception filter to create the dump
// save the old filter
OldFilter = ::SetUnhandledExceptionFilter(CustomUnhandledExceptionFilter);

// add the vectored exception handler (first argument 1: call it before other handlers)
HandleVectoredException = ::AddVectoredExceptionHandler(1, VectoredExceptionProcessing);

// on removal: restore the old filter and remove the vectored exception handler
::SetUnhandledExceptionFilter(OldFilter);
::RemoveVectoredExceptionHandler(HandleVectoredException);

Set up full kernel dumps

Sometimes during driver development we need to analyze both kernel-mode and user-mode dumps. By default, Windows collects a dump on BSOD at the location C:\Windows\memory.dmp.
But such dumps are not full, and in some cases they do not contain enough information for analysis.

In such cases we can set up a complete memory dump.
A reboot is required to apply the changes.

Trigger a system crash

NotMyFault.exe can be used to trigger system crashes if required. NotMyFault can be run from the GUI. In most cases it does not matter which crash option is used:

notmyfaultc.exe crash 0x02 -accepteula