Can somebody clarify if memory dumps produced by WER are the same as those produced by procdump.exe? Can these two tools conflict when used simultaneously? What would be the right approach if my goal is to troubleshoot a "service terminated unexpectedly" type of event for a service (on a Server 2012 R2 platform)?
procdump.exe, on the other hand, is a Sysinternals tool (Mark Russinovich, Andrew Richards, et al.) that is designed to be a lot more flexible than WER. If WER was a butter knife, then procdump is a Swiss army knife. For example, procdump.exe can be configured to automatically capture a dump (or series of dumps) when a process stays > 90% CPU usage for 10 seconds, or > 500MB of memory usage, etc. procdump can also be set up as your permanent AeDebug postmortem debugger, which basically makes it a replacement for WER at that point.
WER works well enough (especially when configured to capture full process dumps), and both WER and procdump capture the same kind of dump, but you only need one or the other. There's not really any sense in trying to use them both.
This will catch a crashing Windows service as well, unless the developer of the service specifically wrote the service to do its own exception handling and avoid being caught by debuggers, which is pretty rare. (And even then, procdump can be configured to dump on first-chance exceptions too.)
PS: You might see the "service terminated unexpectedly" message if the service actually crashed, but you might also see the same message if the service just felt like it needed to exit without cooperating with the Service Manager like it's supposed to. In that case, the developer of the service was just a bad developer, and since there was no actual crash, neither WER nor procdump will help you.
I had an issue with a vendor product, so I had to run procdump to narrow down the possible cause of the issue. Now I need to disable it. Is there any way to disable it without taking risks, since it is on a critical server?
ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
Introducing ProcDump
ProcDump (procdump.exe) is a new Windows Sysinternals tool from Mark Russinovich, which you can download at technet.microsoft.com/en-us/sysinternals/dd996900.aspx. Procdump.exe was created after one of the escalation engineers in my group asked Mark if he would consider adding functionality to Process Explorer to allow for capturing a dump file of a process to help troubleshoot those pesky high-CPU problems. After some thought, it was determined that the best approach was to write a new tool, and ProcDump was born.
So, for example, you notice that wmiprvse.exe (the WMI Provider Host process) spikes the CPU to 90 percent at random times throughout the day, and you'd like to capture a few dumps for analysis. The following command will dump out the WMI Provider Host process three times when the CPU for wmiprvse.exe is at or exceeds 90 percent for 3 seconds, and store the dumps in the c:\procdumps directory that you've already created:
So, with that command line, the WMI Provider Host process will be dumped each time it exceeds 90 percent CPU for three seconds or more, and the dump files will be stored in the c:\procdumps directory. The dump file name takes the format PROCESSNAME_DATE_TIME.dmp; the timestamp makes it easy to tell apart files captured over a period of several days. Another great feature of ProcDump is that the thread that consumed the most CPU is recorded in the dump file, so when the dump is opened in the debugger you get a message indicating which thread consumed the CPU, as Figure 1 shows.
Detects usage of the Sysinternals ProcDump utility. This approach can be used to dump the lsass.exe process, which holds the credentials, and hand the dump to Mimikatz to extract Windows plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. This rule is adapted from _creation/proc_creation_win_sysinternals_procdump.yml
As ProcDump is a legitimate, Microsoft-signed tool, the binary itself is not flagged by antivirus; note, however, that EDR products commonly alert on a handle being opened to lsass.exe with memory-read access and on the resulting dump file. The goal is to dump the lsass.exe process, which contains the credentials, and then feed this dump to Mimikatz.
You need Admin rights to use it. Dump the lsass process, which contains the credentials:
Local usage:
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
Remote usage (if you do not want to / cannot put the Sysinternals tools on disk):
net use Z: 
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
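The detection rule described above, carried into runnable form as an added example (this is not the Sigma rule's own YAML or any vendor's code): it classifies constructed process-creation records, catching the commands shown above as well as a renamed ProcDump binary that targets lsass by PID rather than by name, while leaving legitimate CPU-triggered troubleshooting dumps at a lower tier. The field names follow Sysmon Event ID 1 and the PID table is constructed; both are assumptions of the demo.

```python
"""Flag ProcDump launches that target lsass.exe in process-creation telemetry.

Added example for this page; it is not the Sigma rule's own logic nor
Sysinternals code. The records below are constructed to carry the Sysmon
Event ID 1 fields a detection would read (Image, OriginalFileName,
CommandLine); those field names and the PID-to-process map are assumptions.
"""
import re
from typing import Optional

# The PE version resource of procdump.exe carries OriginalFilename "procdump",
# so a renamed copy still matches; both on-disk names are accepted as well.
PROCDUMP_NAMES = {"procdump", "procdump64"}

# ProcDump switches that consume the next token; without skipping them a
# threshold like "-c 90" would be mistaken for a target PID. This is the subset
# of options needed for the demo, not ProcDump's full option list.
SWITCHES_WITH_ARG = {"-c", "-cl", "-s", "-n", "-m", "-ml", "-p", "-pl", "-f", "-fx", "-x"}


def is_procdump(event: dict) -> bool:
    """Match on the on-disk name or on OriginalFileName, which survives renaming."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    original = event.get("OriginalFileName", "").lower().removesuffix(".exe")
    return image in PROCDUMP_NAMES or original in PROCDUMP_NAMES


def positional_args(cmdline: str) -> list:
    """Strip the program token and all switches; what remains is [target, dumpfile]."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)][1:]
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok.startswith("-"):
            if tok in SWITCHES_WITH_ARG:
                i += 1                                   # skip the switch's value
            elif tok == "-e" and i + 1 < len(tokens) and tokens[i + 1] == "1":
                i += 1                                   # "-e 1" = first-chance exceptions
        else:
            out.append(tokens[i])
        i += 1
    return out


def classify(event: dict, pid_to_name: dict) -> Optional[str]:
    """'lsass-dump' for ProcDump aimed at lsass (by name or PID), 'procdump' for
    any other ProcDump run, None for everything else."""
    if not is_procdump(event):
        return None
    positionals = positional_args(event.get("CommandLine", ""))
    if not positionals:
        return "procdump"
    target = positionals[0]
    if target.isdigit():                                 # e.g. "-ma 628": resolve the PID
        target = pid_to_name.get(int(target), "")
    if target.rsplit("\\", 1)[-1].lower().removesuffix(".exe") == "lsass":
        return "lsass-dump"
    return "procdump"


# Constructed PID table, as you would take it from the same host's process
# snapshot; 628 is lsass.exe in this sample.
PID_TO_NAME = {628: "lsass.exe", 3412: "wmiprvse.exe"}

# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    # Renamed binary and a PID instead of a name: only OriginalFileName and the
    # PID lookup give it away.
    {"Image": r"C:\Windows\Temp\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r'"C:\Windows\Temp\pd.exe" -accepteula -ma 628 C:\Windows\Temp\x.dmp'},
    # Legitimate troubleshooting use (CPU-triggered dumps): ProcDump, but not lsass.
    {"Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -accepteula -c 90 -s 3 -n 3 wmiprvse.exe c:\procdumps"},
    # Unrelated process that merely mentions lsass on its command line.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\notes\lsass.txt"},
]


def run(events=SAMPLE_EVENTS, pid_to_name=PID_TO_NAME) -> list:
    return [classify(e, pid_to_name) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{str(verdict):11} {event['CommandLine']}")
```

The two-tier verdict is deliberate: ProcDump itself is a normal administrative tool (see the CPU-threshold example in the blog excerpt above), so a rule that fires on every launch drowns in noise, whereas a launch that resolves to lsass, by name or by PID, is worth an immediate alert regardless of what the binary is called on disk.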
On 64-bit Windows, procdump.exe automatically launches its 64-bit build when the target is a 64-bit process such as lsass.exe, so the dump matches the target's bitness; for a 32-bit (WOW64) target it writes a 32-bit dump unless you pass -64.
WinDbg
Once you're in WinDbg (the Windows Debugger), first open the .DMP file by choosing "Open Crash Dump" from the File menu.
To create a dump of a .NET application (UiPath Studio, UiPath Robot Executor), the -ma option must be used, since a full dump is required.
To capture a crash dump, the -e option must be used so that the dump is written at the moment of the crash (the unhandled exception).
A default procdump command would be "procdump -e -ma "
It is important to use a collector of the same bitness as the target application. UiPath Executor is currently 32-bit, so the 32-bit ProcDump should be used to collect the memory dump.
I have always been a fan of Sysinternals and I am very happy that procdump works wonderfully with Windows 8 Store Apps. If you have any questions then feel free to leave them below; otherwise, see you in the next post! Updated: October 15, 2012