How to gather a process dump using the ProcDump Tool

Article ID: 177875

Products

Endpoint Protection

Issue/Introduction

Symantec support has requested a process dump for a specific process to determine the root cause of an issue, and you need to know how to create one.

Environment

Microsoft Windows
Red Hat Enterprise Linux / CentOS 7
Ubuntu 14.04 LTS/16.04 LTS

Cause

A Symantec process is causing high CPU usage, an unhandled exception, or an application hang, and you need to determine the cause.

Resolution

Microsoft Windows

  1. Download the ProcDump tool for Windows and save it to the root of the C: drive on the system in question.
  2. Run the commands from the command prompt.

The following syntax can be used while running the tool depending on what data is required in the process dump file:

procdump [-64] [-c CPU usage [-u] [-s seconds] [-n exceeds]] [-h] [-e] [-ma] [-r] [-o] [ [dump file]] | [-x][arguments]

Common Switches:

  • -ma -- Creates a dump of all process memory. This switch should always be used for support cases in order to ensure as much information as possible is collected.
  • -e -- Creates a dump when the target process encounters an unhandled exception. This is useful for most crashes.
  • -t -- Generates a dump when the process ends, even if no errors were encountered.
  • -w -- Instructs ProcDump to wait for a process with the specified name to launch. This is used when you want to start ProcDump before the process.
  • -i -- Install ProcDump as the post mortem debugger for Windows Processes. This will allow ProcDump to automatically be invoked on application errors.
  • -u -- When run with no other arguments, will uninstall ProcDump as the post mortem debugger.
  • -c -- Specify a CPU threshold at which to generate a dump. This is typically used when troubleshooting high CPU usage issues.
  • -m -- Specify a memory usage threshold (in MB) at which to generate a dump. This is typically used when troubleshooting high memory usage issues or memory leaks.
  • -s -- Write a dump after the specified number of seconds. This is useful in conjunction with -c and -m.
  • -n -- Write n number of dumps.
  • -x [arguments] -- Have ProcDump launch the specified executable and write the dump file to the specified location.
  • -64 -- Forces the creation of a 64-bit dump. This switch should generally not be used on 32-bit processes.

Linux

  1. Download and install the ProcDump tool for Linux, per the instructions on GitHub, to the system in question.
  2. Run the commands from the command prompt with sudo.

The following syntax can be used while running the tool depending on what data is required in the process dump file:

sudo procdump [OPTIONS...] TARGET

Common Switches:

  • -C -- CPU threshold at which to create a dump of the process from 0 to 100 * nCPU.
  • -c -- CPU threshold below which to create a dump of the process from 0 to 100 * nCPU.
  • -M -- Memory commit threshold in MB at which to create a dump.
  • -m -- Trigger when memory commit drops below specified MB value.
  • -n -- Number of dumps to write before exiting.
  • -s -- Consecutive seconds before dump is written (default is 10).

TARGET must be specified as -p pid, where pid is the ID of the process in question.

Command Line Examples (Windows):

  1. Immediately generate a full memory process dump for CcSvcHst.exe: procdump -ma CcSvcHst.exe
  2. Generate a full memory process dump for the process with PID 4512 when it exits: procdump -ma -t 4512
  3. Attach to a process with the name httpd.exe when it launches, then generate a full dump if it encounters an unhandled exception: procdump -ma -e -w httpd.exe
  4. Have ProcDump run BadApp.exe and write a full dump to C:\Dumps if it encounters an unhandled exception: procdump -ma -e -x C:\Dumps "C:\Program Files\BadApp\BadApp.exe"
  5. Install ProcDump as the postmortem debugger, and instruct it to write full dumps to C:\Dumps: procdump -ma -i C:\Dumps
  6. Create up to 3 full dumps of the process with PID 3213, if that process consumes 75% or more total CPU for 10 seconds: procdump -ma -c 75 -s 10 -n 3 3213
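
Example 6 carried over to the Linux syntax, as an added example that is not part of the original article: it resolves a process name to the -p pid form the Linux tool requires and checks the -C threshold against the 0 to 100 * nCPU range. It assumes pgrep, sudo and procdump are installed and that ProcDump writes dumps to the current directory; DUMP_DIR and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): Linux CPU-spike capture with ProcDump.
# Assumptions: pgrep, sudo and procdump are installed; DUMP_DIR is a
# hypothetical location; ProcDump writes dumps to the current directory.

DUMP_DIR=${DUMP_DIR:-$HOME/procdump-dumps}

# Print the procdump command line for a CPU-threshold capture.
# $1 = PID, $2 = CPU threshold, $3 = consecutive seconds, $4 = number of dumps
cpu_dump_cmd() {
    for v in "$1" "$2" "$3" "$4"; do
        case $v in
            ''|*[!0-9]*) echo "error: expected a number, got '$v'" >&2; return 1 ;;
        esac
    done
    # -C accepts 0 to 100 * nCPU, so check the threshold against this host.
    ncpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    max=$((100 * ncpu))
    if [ "$2" -gt "$max" ]; then
        echo "error: CPU threshold $2 exceeds 100 * nCPU ($max)" >&2
        return 1
    fi
    echo "sudo procdump -C $2 -s $3 -n $4 -p $1"
}

# Usage: sh capture.sh PROCESS_NAME [THRESHOLD] [SECONDS] [COUNT]
if [ "$#" -ge 1 ]; then
    # TARGET must be -p pid, so resolve the name to its oldest exact match.
    pid=$(pgrep -o -x "$1") || { echo "error: no process named '$1'" >&2; exit 1; }
    cmd=$(cpu_dump_cmd "$pid" "${2:-75}" "${3:-10}" "${4:-3}") || exit 1
    umask 077   # dumps hold process memory; keep new files owner-only
    mkdir -p "$DUMP_DIR" && cd "$DUMP_DIR" || exit 1
    echo "running in $DUMP_DIR: $cmd"
    $cmd
fi
```
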

 

References:

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
https://github.com/Microsoft/ProcDump-for-Linux

 

Technical Information:

ProcDump is a command line tool from Microsoft that can be used to monitor an application for CPU spikes and create a process dump when a spike occurs. It can also create a process dump when a process hangs or encounters an unhandled exception.