How to use Windbg.exe to collect a memory dump

Article ID: 290485


Products

  • Carbon Black App Control (formerly Cb Protection)
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Managed Detection (formerly Cb Threatsight)
  • Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article provides step-by-step instructions for collecting a memory dump of an application that crashes for a reason other than an access violation, by configuring WinDbg as the debugger for that application's image so it is running under the debugger at the moment of the crash.

Environment

  • Microsoft Windows: All Supported Versions

Resolution

  1. Download the Debugging Tools for Windows (WinDbg) from https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
  2. Install to the default location (Ex: C:\Program Files (x86)\Windows Kits\10\). When selecting features during install, only "Debugging Tools for Windows" is required.
  3. Launch gflags.exe as an administrator (Ex: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\gflags.exe). It writes under HKLM, so an elevated session is required.
  4. Select the Image File tab.
  5. Enter the executable name of the application in the Image field (Ex: winword.exe) and press Tab to load the current settings for that image.
  6. Select the Debugger check box and enter the full path to windbg.exe (Ex: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe), then click Apply. This writes the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>; from this point every launch of that image starts under WinDbg.
  7. Start the application normally. WinDbg opens attached to the new process and stops at the initial breakpoint; enter g to let the application run. Reproduce the crash: WinDbg captures the exception and breaks. If it breaks on a first-chance exception that the application goes on to handle itself, enter g again until the break is the crash you want to capture.
  8. In the WinDbg command window, enter .dump /ma <full path of the dump file> (Ex: .dump /ma C:\Dumps\winword.dmp). The /ma option writes a full user-mode dump with all optional data; the destination folder must already exist.
  9. When the dump has been collected, return to gflags.exe, clear the Debugger check box for the image, and click Apply, so the application no longer launches under the debugger.
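The following PowerShell script is an added example and is not part of the original article or of Carbon Black's tooling. It performs step 6 and its reversal (step 9) directly from an elevated PowerShell prompt by setting and removing the Image File Execution Options Debugger value that gflags.exe writes, and it lists every image on the machine that currently has such a value so that nothing is left behind. The install path, image name and dump path are assumptions taken from the examples above. Because an IFEO Debugger value is also a well-known persistence and hijack technique, endpoint security tools (Carbon Black products included) may alert on or block the registry change; remove the value as soon as the dump is collected.

```powershell
# Added example, not part of the original article.
# Assumptions: default SDK install path, x64 debugger, target image winword.exe.
$Image   = 'winword.exe'
$WinDbg  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe'
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$IfeoKey  = Join-Path $IfeoRoot $Image

function Enable-CrashDebugger {
    # Equivalent of gflags step 6: every launch of $Image now starts under WinDbg.
    if (-not (Test-Path -LiteralPath $WinDbg)) { throw "windbg.exe not found at $WinDbg" }
    if (-not (Test-Path -LiteralPath $IfeoKey)) { New-Item -Path $IfeoKey | Out-Null }
    # The value is parsed as a command line, so a path containing spaces must be quoted.
    Set-ItemProperty -Path $IfeoKey -Name Debugger -Value "`"$WinDbg`""
}

function Get-CrashDebugger {
    # Returns the Debugger value currently set for $Image, or $null if there is none.
    (Get-ItemProperty -Path $IfeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
}

function Disable-CrashDebugger {
    # Equivalent of gflags step 9: remove only the Debugger value, leaving any other
    # IFEO settings for the image (e.g. GlobalFlag) untouched.
    Remove-ItemProperty -Path $IfeoKey -Name Debugger -ErrorAction SilentlyContinue
}

function Find-IfeoDebuggers {
    # Audit: list every image that has a Debugger value, whether set by this script,
    # by gflags, or by something that should not be there.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $d = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($d) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $d } }
    }
}

Enable-CrashDebugger
Get-CrashDebugger
# Now launch the application, enter g at the initial breakpoint, reproduce the crash,
# and in WinDbg run:  .dump /ma C:\Dumps\winword.dmp   (C:\Dumps must exist).
Disable-CrashDebugger
Find-IfeoDebuggers
```

Run the script from an elevated PowerShell session; the HKLM key is not writable otherwise. Find-IfeoDebuggers should report no entry for the image once Disable-CrashDebugger has run.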


Additional Information

  • Memory dumps of application crashes are typically collected with Sysinternals ProcDump, but ProcDump only writes a dump automatically when the crash is caused by an access violation. For crashes with any other cause, use the WinDbg procedure above so that the debugger is already attached when the exception occurs.