tailieunhanh - Memory Dump Analysis Anthology- P22

Memory Dump Analysis Anthology- P22: This is a revised, edited, cross-referenced and thematically organized volume of selected blog posts about crash dump analysis and debugging written in 2006 - 2007 for software engineers developing and maintaining products on Windows platforms, technical support and escalation engineers dealing with complex software issues, and general Windows users.

Dumping Processes Without Breaking Them 631

DUMPING PROCESSES WITHOUT BREAKING THEM

We can do it on any Windows system after Windows 2000 without installing any additional tools like Userdump or WinDbg, and the process won't be interrupted while its memory dump is being saved: it will continue to work. We can use the following command:

ntsd -pvr -p PID -c ".dump /ma /u <DumpFile>; q"

PID is a decimal process ID that we can get from Task Manager, for example, and <DumpFile> is the path of the dump file to write. Note: on an x64 system, to dump a 32-bit process (shown with a *32 suffix in Task Manager) we need to use NTSD from the \Windows\SysWOW64 folder (see NTSD on x64 Windows, page 633). On Windows Vista NTSD is no longer included, but it can be found in the Debugging Tools for Windows package.

632 PART 11 The Origin of Crash Dumps

ON X64

If we install the latest Microsoft user mode process dumper on x64 Windows, we would see both x86 and x64 folders. One piece of advice here: do not dump 32-bit applications and services (shown with a *32 suffix in Task Manager) using the dumper from the x64 folder; use the one from the x86 folder. A 32-bit application runs in the WOW64 emulation layer on x64 Windows, and that emulation layer is itself a native 64-bit process, so the x64 dumper saves that emulation layer and not the original 32-bit application. If we open that dump file in WinDbg, we would see WOW64 thread stacks and not thread stacks from our original 32-bit application.
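The procedure above, combined with the bitness rule from ON X64, as an added PowerShell script that is not part of the book: it detects whether the target runs under WOW64 with kernel32's IsWow64Process and then runs the noninvasive ntsd -pvr command with the matching 32-bit or 64-bit NTSD. It assumes NTSD under \Windows\System32 and \Windows\SysWOW64 (pass -Ntsd64/-Ntsd32 to point at the Debugging Tools for Windows copies on Vista and later), a constructed default dump path, and that the script runs with enough rights to open the target process.

```powershell
# Dump a running process noninvasively with NTSD, picking the debugger that matches
# the target's bitness. Added example, not from the book; paths below are assumptions.
param(
    [Parameter(Mandatory = $true)][int]$TargetPid,
    [string]$DumpFile = 'C:\Dumps\process.dmp',                     # assumed output path
    [string]$Ntsd64 = (Join-Path $env:windir 'System32\ntsd.exe'),  # 64-bit NTSD
    [string]$Ntsd32 = (Join-Path $env:windir 'SysWOW64\ntsd.exe')   # 32-bit NTSD
)

# IsWow64Process reports whether the target runs inside the WOW64 emulation layer,
# i.e. whether Task Manager would list it with a *32 suffix.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

$proc = Get-Process -Id $TargetPid -ErrorAction Stop   # .Handle needs query rights on the target
$isWow64 = $false
if (-not [Win32.Native]::IsWow64Process($proc.Handle, [ref]$isWow64)) {
    throw "IsWow64Process failed for PID $TargetPid"
}

# A WOW64 target must be dumped by the 32-bit NTSD; the 64-bit debugger would save the
# emulation layer and WinDbg would show WOW64 stacks instead of the application's.
$ntsd = if ($isWow64) { $Ntsd32 } else { $Ntsd64 }
if (-not (Test-Path $ntsd)) {
    throw "NTSD not found at $ntsd (on Vista and later use the copy from Debugging Tools for Windows)"
}

# -pvr: noninvasive attach without suspending threads, so the process keeps running.
# .dump /ma writes a full user-mode dump; /u appends date, time and PID to the file name; q quits.
& $ntsd -pvr -p $TargetPid -c ".dump /ma /u $DumpFile; q"
if ($LASTEXITCODE -ne 0) { throw "$ntsd exited with code $LASTEXITCODE" }

"Dumped PID $TargetPid ($(if ($isWow64) { '32-bit, WOW64' } else { '64-bit' })) with $ntsd"
```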
In summary, on x64 Windows: to save a memory dump file of a 64-bit application, use the x64 (\Windows\System32, 64-bit) version of the dump tool; to save a memory dump file of a 32-bit application, use the x86 (\Windows\SysWOW64, 32-bit) version.

NTSD on x64 Windows 633

NTSD ON X64 WINDOWS

If we need to attach NTSD to a process on x64 Windows and to save a memory dump file, we should remember that there are two versions of NTSD: x86 (32-bit) and x64. The former is