Carbon Black App Control (formerly Cb Protection), Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops), Carbon Black Cloud Endpoint Standard (formerly Cb Defense), Carbon Black Cloud Managed Detection (formerly Cb Threatsight), Carbon Black EDR (formerly Cb Response)
Issue/Introduction
This article provides step-by-step instructions on how to collect a memory dump when an application crashes for any reason other than an access violation.
Environment
Microsoft Windows: All Supported Versions
Resolution
Download WinDbg at https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
Install WinDbg to the default location (ex: C:\Program Files (x86)\Windows Kits\10\). When selecting features during install, only "Debugging Tools for Windows" is required.
Enter the application name under the Image field (Ex: winword.exe)
Select the debugger check box and enter the full path of WinDbg (ex: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe)
This should allow WinDbg to attach to the specific process, launch WinDbg automatically when the application crashes, capture the exception, then break. At this point, enter the following command to create the dump file:
.dump /ma <folder location of the dump file> (ex: .dump /ma C:/dumpfile)
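The Image and Debugger settings from the steps above can also be applied, reviewed and removed from a script. The PowerShell below is an added example, not part of the original article or of any Carbon Black tooling. It assumes the Image field and debugger check box are those of the GFlags Image File tab, which stores the debugger path as a Debugger value under the Image File Execution Options (IFEO) registry key; the function names are hypothetical.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Assumption: the Image/Debugger setting is stored under the IFEO registry key.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-CrashDebugger {
    param(
        [Parameter(Mandatory)][string]$Image,     # ex: winword.exe
        [Parameter(Mandatory)][string]$Debugger   # full path to windbg.exe
    )
    if (-not (Test-Path -LiteralPath $Debugger -PathType Leaf)) {
        throw "Debugger not found: $Debugger"
    }
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Quote the path because it contains spaces ("Program Files (x86)").
    New-ItemProperty -LiteralPath $key -Name 'Debugger' -Value "`"$Debugger`"" `
        -PropertyType String -Force | Out-Null
}

function Get-CrashDebugger {
    # List every image name that currently has a Debugger value configured.
    Get-ChildItem -LiteralPath $IfeoRoot | ForEach-Object {
        $prop = Get-ItemProperty -LiteralPath $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue
        if ($prop) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $prop.Debugger }
        }
    }
}

function Remove-CrashDebugger {
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $IfeoRoot $Image
    if (Test-Path -LiteralPath $key) {
        Remove-ItemProperty -LiteralPath $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

# Configure, confirm, then clean up once the dump has been written.
Set-CrashDebugger -Image 'winword.exe' `
    -Debugger 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe'
Get-CrashDebugger | Format-Table -AutoSize
# ... reproduce the crash and run ".dump /ma" in WinDbg, then:
Remove-CrashDebugger -Image 'winword.exe'
Get-CrashDebugger | Format-Table -AutoSize   # winword.exe should no longer be listed
```

Run the removal step as soon as the dump has been collected so the application returns to launching normally, and use the listing to confirm no Debugger entry is left behind on the endpoint.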
Additional Information
Typically, memory dumps for application crashes can be collected using Windows procdump, but procdump only collects a dump automatically when the application crashes due to an access violation.