Using Sysinternals ProcDump to obtain full memory crash dumps

Article ID: 201191

Products

Data Loss Prevention Endpoint Suite

Issue/Introduction

You observe process crashes, but the dumps that Windows Error Reporting generates are small and do not contain the full process memory.

Resolution

Generic Process

This section covers installing Sysinternals ProcDump as the just-in-time debugger, configured to collect a full memory dump.

  1. On the affected machine, download procdump.exe from Microsoft Sysinternals
  2. Create a dumps directory such as c:\dumps\
  3. Open an Administrator command prompt, change directory to where you downloaded procdump.exe and run the following command:
    procdump -i -ma c:\dumps
  4. Reproduce the crash with the affected process and gather any dumps for the affected process that get created at c:\dumps
  5. Uninstall
    1. At an Administrator command prompt, uninstall procdump with the following command:
      procdump -u

DLP Agent

This section covers disabling the DLP agent's built-in crash dump handler, and installing Microsoft ProcDump as the just-in-time debugger, configured to collect a full memory dump.

In the Enforce Console

  1. Navigate to the appropriate agent configuration (covering the affected agent machine), go to Advanced Settings, and set CrashDump.ENABLE_CRASH_DUMP_COLLECTION.int = 0
    1. Save the Agent Configuration change.
    2. Be sure to Apply this updated configuration.
  2. On the affected machine, ensure that the agent's configuration (cg.ead) has been updated before continuing.
    1. If the agent is crashing before it can get an updated configuration, use vontu_sqlite3 to update cg.ead to disable crash dump collection (see the Additional Information section of this article for the manual steps).
  3. On the affected machine, download procdump.exe from Microsoft Sysinternals
  4. Create a dumps directory such as c:\dumps\
  5. Open an Administrator command prompt, change the directory to where you downloaded procdump.exe and run the following command:
    procdump -i -ma c:\dumps
  6. Reproduce the agent crash and gather the dump that gets created at c:\dumps
  7. Uninstall
    1. At an Administrator command prompt, uninstall procdump with the following command:
      procdump -u
    2. Revert the agent crash dump handler setting in the Agent Configuration, CrashDump.ENABLE_CRASH_DUMP_COLLECTION.int = 1
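
Both procedures above (generic process and DLP agent) rely on procdump -i registering procdump.exe as the Windows just-in-time (postmortem) debugger under the AeDebug registry key. The following PowerShell is an added example, not part of the original article: it creates the dump directory with an administrators-only ACL (full dumps contain whatever the crashed process held in memory, including any sensitive document content the agent was inspecting) and reports what AeDebug currently points at, so you can confirm the registration before reproducing the crash and confirm it is gone after procdump -u. The C:\dumps path is assumed from the article's example.

```powershell
# Added example (not from the article): lock down the dump folder and report the
# just-in-time debugger registration that "procdump -i -ma <dir>" writes to AeDebug.
$DumpDir = 'C:\dumps'   # assumed path, taken from the article's example command

function New-RestrictedDumpDir {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Drop inherited ACEs so only SYSTEM and Administrators can read the dumps
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-JitDebuggerState {
    # procdump -i registers under AeDebug; the Wow6432Node key covers 32-bit processes
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key        = $k
            Debugger   = $v.Debugger                       # command line Windows launches on a crash
            Auto       = $v.Auto                           # 1 = launch without prompting
            IsProcDump = [bool]($v.Debugger -match 'procdump')
            FullDump   = [bool]($v.Debugger -match '(^|\s)-ma(\s|$)')   # -ma = full memory dump
            DumpDirOk  = [bool]($v.Debugger -and $v.Debugger -match [regex]::Escape($DumpDir))
        }
    }
}

New-RestrictedDumpDir -Path $DumpDir
Get-JitDebuggerState | Format-List
```

Run it once after step 5 (IsProcDump, FullDump and DumpDirOk should all be True) and again after procdump -u, when Debugger should no longer reference procdump.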

Additional Information

Manually updating cg.ead to disable crash dump collection:

  1. Copy the agent tool vontu_sqlite3.exe into the endpoint agent installation directory.
  2. Open an Administrator command prompt and change directory to the agent installation directory.
  3. Connect to the cg.ead database with the following command:
    vontu_sqlite3.exe -db=cg.ead -p=<password>
  4. Disable crash dump collection with the following command:
    update configuration set value = 0 where setting = 'ENABLE_CRASH_DUMP_COLLECTION';
    (when finished troubleshooting, re-enable crash dump collection by repeating these steps, changing the value in the update statement at this step from 0 to 1)
  5. Disconnect from the cg.ead database:
    .exit