ProcDump (SysInternals)

Monitor an application for CPU spikes and/or generate a crash dump during a CPU spike.

      procdump [-a] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1 [-b]]
         [-f filter,...] [-g] [-h] [-l] [-m|-ml commit_threshold_MB] [-ma | -mp] [-o]
            [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] [-64] 
               <[-w] process_name_or_service_name_or_PID [dump_file]
                | -i dump_file
                | -u
                | -x dump_file image_file [arguments] >]
                  [-accepteula] [-? [ -e]


   -a   Avoid outage. Requires -r. If the trigger will cause the target to suspend for a 
        prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.

   -b   Treat debug breakpoints as exceptions (otherwise ignore them).

   -c   CPU threshold at which to create a dump of the process.

   -cl  CPU threshold below which to create a dump of the process.

   -d   Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.

   -e   Write a dump when the process encounters an unhandled exception. Include the 1 to
        create dump on first chance exceptions.

   -f   Filter the first chance exceptions. Wildcards (*) are supported. To just display the
        names without dumping, use a blank ("") filter.

   -g   Run as a native debugger in a managed process (no interop).

   -h   Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).

   -i   Install ProcDump as the AeDebug postmortem debugger.
        Only -ma, -mp, -d and -r are supported as additional options.

   -l   Display the debug logging of the process.

   -m   Trigger a dump when memory commit reaches this threshold value (in MB).

   -ma  Write a dump file with all process memory. The default dump format only includes thread
        and handle information.

   -ml  Trigger when memory commit drops below specified threshold value (in MB).

   -mp  Write a dump file with thread and handle information, and all read/write process memory.
        To minimize dump size, memory areas larger than 512MB are searched for, and if found,
        the largest area is excluded. A memory area is the collection of same sized memory allocation
        areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.

   -n   Number of dumps to write before exiting.

   -o   Overwrite an existing dump file.

   -p   Trigger on the specified performance counter when the threshold is exceeded.
        Note: to specify a process counter when there are multiple instances of the process running,
        use the process ID with the following syntax: "\Process(name_pid)\counter"

   -pl  Trigger when performance counter falls below the specified value.

   -r   Dump using a clone. Concurrent limit is optional (default 1, max 5).
        CAUTION: a high concurrency value can impact system performance.
          Windows 7   : Uses Reflection. OS doesn't support -e.
          Windows 8.0 : Uses Reflection. OS doesn't support -e.
          Windows 8.1+: Uses PSS. All trigger types are supported.

   -s   Consecutive seconds before dump is written (default is 10).

   -t   Write a dump when the process terminates.

   -u   Treat CPU usage relative to a single core (used with -c).
        As the only option, Uninstalls ProcDump as the postmortem debugger.

   -w   Wait for the specified process to launch if it's not running.

   -x   Launch the specified image with optional arguments.
        If it is a Store Application or Package, ProcDump will start on the next activation (only).

   -64  By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows.
        This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.

   -accepteula Suppress the display of the license dialog.

   -?   Use -? -e to see example command lines.

If you omit the dump file name, it will default to processname_datetime.dmp


Write a mini dump of a process named 'notepad' (only one match can exist):

C:\> procdump notepad

Write a full dump of a process with PID '6464':

C:\> procdump -ma 6464

Write 3 mini dumps 5 seconds apart of a process named 'notepad':

C:\> procdump -s 5 -n 3 notepad

See a longer list of example command lines:

C:\> procdump -? -e

“History will be kind to me for I intend to write it” ~ Winston Churchill

Related commands

PsKill - Kill processes by name or process ID.
PsList - List detailed information about processes.
SYSMON - Monitor and log system activity to the Windows event log.

Copyright © 1999-2023
Some rights reserved