V
Viorel-Alexandru
Guest
The following two procedures guide on how to properly collect a memory dump to study a process crash. This post complements my article about how exceptions are handled and how to collect memory dumps to study them.
Both tools below - ProcDump and DebugDiag - work similarly: they can attach themselves as debuggers to a process, then monitor and log exceptions for that process. Optionally, these tools can collect a memory dump for the monitored process under certain conditions - such as when specific exceptions occur.
Both tools need administrative rights to be run.
DebugDiag is the preferred tool, since it automates some steps, adds more explicit context, and includes automated memory dump analysis capabilities too.
Using the command-line ProcDump
ProcDump does not require installation. But one needs to be specific about the PID to which it is attaching. That PID needs to be determined prior to starting ProcDump. This may be tricky when the respective process is crashing and restarting frequently, with a different PID; such as when Asp.Net apps are causing their w3wp.exe to crash and restart. If the w3wp.exe is crashing very fast, then it is advisable to use the DebugDiag method.
Using the UI tool DebugDiag, Debug Diagnostics Collection
DebugDiag requires installation, but it is able to determine itself the whatever process instance - PID - happens to execute for an application pool at some point in time; even when that process may occasionally crash, hence restart with different PID.
1.
Download Debug Diagnostic and install it on IIS machine:
Download Debug Diagnostic Tool v2 Update 2 from Official Microsoft Download Center v2.2 (if 32-bit system)
Download Debug Diagnostic Tool v2 Update 3.1 from Official Microsoft Download Center v2.3.1 (only supports 64-bit)
2.
Open Debug Diagnostic Collection.
If a wizard does not show up, click Add Rule.
3.
Choose Crash and click Next.
4.
Choose “A specific IIS web application pool” and Next.
5.
Select the application pool which runs the problematic application and then click Next.
6.
Lower the Maximum number of userdumps created by the rule to 3 (up to 5; there is no need to collect more).
Then click on Exceptions under Advanced Settings, to add the one(s) we are interested in for analyzing.
7.
A list of common native exceptions is presented; all managed (C#/.NET exceptions) would be under the CLR Exception umbrella.
Select the native exception that affects our app/process or simply type its hex code: C0000005 Access Violation.
Notice that the exception code does not include the hexadecimal prefix "0x".
Or
Select CLR (.NET) Exception and type its fully qualified name (Exception Type Equals…).
Make sure you're not including any prepended or trailing space characters. Case is sensitive!
We need full memory dumps, so select the according value in Action Type.
It is always better if we get more than one memory dump, so you may increase the Action Limit field value.
8.
Confirm that our exception of interest is added, then click Save & Close:
9.
Click Next…
10.
Configure the file location where the dump file(s) will be generated/written.
Please note that a dump file is a snapshot of the process memory, written in disk; size will be similar to process memory as seen in the Task Manager. For example, if you see that w3wp.exe uses around 5 GB of memory in Task Manager, then the dump of that process will be around 5 GB on the disk; if you multiply by number of dumps, then... choose a disk with enough free space.
Please do not choose a disk in network/UNC; choose a local disk.
11.
Click Next and Finish by selecting to Activate the rule now.
12.
When the configured exception occurs, a dump file (or files) should be created in the user-dump location selected above.
Please archive in a ZIP and prepare to hand over to the support engineer; upload in a secure file transfer space.
If we don't get dumps, then we probably don't have the configured first-chance memory occurring. Remember my article about how exceptions are handled and how to collect memory dumps to study them.
Continue reading...
Both tools below - ProcDump and DebugDiag - work similarly: they can attach themselves as debuggers to a process, then monitor and log exceptions for that process. Optionally, these tools can collect a memory dump for the monitored process under certain conditions - such as when specific exceptions occur.
Both tools need administrative rights to be run.
DebugDiag is the preferred tool, since it automates some steps, adds more explicit context, and includes automated memory dump analysis capabilities too.
Using the command-line ProcDump
ProcDump does not require installation. But one needs to be specific about the PID to which it is attaching. That PID needs to be determined prior to starting ProcDump. This may be tricky when the respective process is crashing and restarting frequently, with a different PID; such as when Asp.Net apps are causing their w3wp.exe to crash and restart. If the w3wp.exe is crashing very fast, then it is advisable to use the DebugDiag method.
- Download the tool and copy it on a disk folder, for example D:\Temp-Dumps\
ProcDump - Windows Sysinternals
- Open an administrative console from where to run commands.
Navigate to the disk folder above (D:\Temp-Dumps\).
- Find the process ID, the PID, of the IIS w3wp.exe worker process executing your application.
Use the AppCmd IIS tool to list processes for application pools:
C:\Windows\System32\InetSrv\appcmd.exe list wp - Execute the following command to collect dump(s):
D:\Temp-Dumps> procdump.exe -accepteula -ma -e 1 -f "ExceptionNameOrCodeOrMessageExcerpt" [PID]
You may want to redirect the console output of ProcDump to a file, to persist the recording of the encountered exceptions:
D:\Temp-Dumps> procdump.exe -accepteula -ma -e 1 -f "ExceptionNameOrCodeOrMessageExcerpt" [PID] > Monitoring-log.txt
Replace [PID] with the actual Process ID integer number identified at the step 2.
Please make sure that there is enough disk space on the drive where dumps are collected. Each process dump will take space in the disk approximately the same size the process uses in memory, as seen in Task Manager. For example, if the process’ memory usage is ~1 GB, then the size of a dump file will be around 1 GB.
- Start reproducing the problem: issue a request from the client (browser) that you know it would trigger the exception.
Or simply wait or make requests to the IIS/Asp.Net app until the exception occurs.
You should end up with a memory dump file (.DMP) in the location where ProcDump.exe was saved (example: D:\Temp-Dumps\).
- Compress the dump file(s) - .DMP - before uploading the dumps to share for analysis.
Using the UI tool DebugDiag, Debug Diagnostics Collection
DebugDiag requires installation, but it is able to determine itself the whatever process instance - PID - happens to execute for an application pool at some point in time; even when that process may occasionally crash, hence restart with different PID.
1.
Download Debug Diagnostic and install it on IIS machine:
Download Debug Diagnostic Tool v2 Update 2 from Official Microsoft Download Center v2.2 (if 32-bit system)
Download Debug Diagnostic Tool v2 Update 3.1 from Official Microsoft Download Center v2.3.1 (only supports 64-bit)
2.
Open Debug Diagnostic Collection.
If a wizard does not show up, click Add Rule.
3.
Choose Crash and click Next.
4.
Choose “A specific IIS web application pool” and Next.
5.
Select the application pool which runs the problematic application and then click Next.
6.
Lower the Maximum number of userdumps created by the rule to 3 (up to 5; there is no need to collect more).
Then click on Exceptions under Advanced Settings, to add the one(s) we are interested in for analyzing.
7.
A list of common native exceptions is presented; all managed (C#/.NET exceptions) would be under the CLR Exception umbrella.
Select the native exception that affects our app/process or simply type its hex code: C0000005 Access Violation.
Notice that the exception code does not include the hexadecimal prefix "0x".
Or
Select CLR (.NET) Exception and type its fully qualified name (Exception Type Equals…).
Make sure you're not including any prepended or trailing space characters. Case is sensitive!
We need full memory dumps, so select the according value in Action Type.
It is always better if we get more than one memory dump, so you may increase the Action Limit field value.
8.
Confirm that our exception of interest is added, then click Save & Close:
9.
Click Next…
10.
Configure the file location where the dump file(s) will be generated/written.
Please note that a dump file is a snapshot of the process memory, written in disk; size will be similar to process memory as seen in the Task Manager. For example, if you see that w3wp.exe uses around 5 GB of memory in Task Manager, then the dump of that process will be around 5 GB on the disk; if you multiply by number of dumps, then... choose a disk with enough free space.
Please do not choose a disk in network/UNC; choose a local disk.
11.
Click Next and Finish by selecting to Activate the rule now.
12.
When the configured exception occurs, a dump file (or files) should be created in the user-dump location selected above.
Please archive in a ZIP and prepare to hand over to the support engineer; upload in a secure file transfer space.
If we don't get dumps, then we probably don't have the configured first-chance memory occurring. Remember my article about how exceptions are handled and how to collect memory dumps to study them.
Continue reading...