ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
usage: procdump [-a] [[-c|-cl CPU usage] [-u] [-s seconds]] [-n exceeds] [-e [1 [-b]] [-f <filter,...>] [-g] [-h] [-l] [-m|-ml commit usage] [-ma | -mp] [-o] [-p|-pl counter threshold] [-r] [-t] [-d <callback DLL>] [-64] <[-w] <process name or service name or PID> [dump file] | -i <dump file> | -u | -x <dump file> <image file> [arguments] >] [-? [ -e]
|-a||Avoid outage. Requires -r. If the trigger will cause the target to suspend for a prolonged time due to an exceeded concurrent dump limit, the trigger will be skipped.|
|-b||Treat debug breakpoints as exceptions (otherwise ignore them).|
|-c||CPU threshold at which to create a dump of the process.|
|-cl||CPU threshold below which to create a dump of the process.|
|-d||Invoke the minidump callback routine named MiniDumpCallbackRoutine of the specified DLL.|
|-e||Write a dump when the process encounters an unhandled exception. Include the 1 to create dump on first chance exceptions.|
|-f||Filter the first chance exceptions. Wildcards (*) are supported. To just display the names without dumping, use a blank ("") filter.|
|-g||Run as a native debugger in a managed process (no interop).|
|-h||Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).|
|-i||Install ProcDump as the AeDebug postmortem debugger. Only -ma, -mp, -d and -r are supported as additional options.|
|-l||Display the debug logging of the process.|
|-m||Memory commit threshold in MB at which to create a dump.|
|-ma||Write a dump file with all process memory. The default dump format only includes thread and handle information.|
|-ml||Trigger when memory commit drops below specified MB value.|
|-mp||Write a dump file with thread and handle information, and all read/write process memory. To minimize dump size, memory areas larger than 512MB are searched for, and if found, the largest area is excluded. A memory area is the collection of same sized memory allocation areas. The removal of this (cache) memory reduces Exchange and SQL Server dumps by over 90%.|
|-n||Number of dumps to write before exiting.|
|-o||Overwrite an existing dump file.|
|-p||Trigger on the specified performance counter when the threshold is exceeded. Note: to specify a process counter when there are multiple instances of the process running, use the process ID with the following syntax: "\Process(<name>_<pid>)\counter"|
|-pl||Trigger when performance counter falls below the specified value.|
Dump using a clone. Concurrent limit is optional (default 1, max 5).
CAUTION: a high concurrency value may impact system performance.
- Windows 7 : Uses Reflection. OS doesn't support -e.
- Windows 8.0 : Uses Reflection. OS doesn't support -e.
- Windows 8.1+: Uses PSS. All trigger types are supported.
|-s||Consecutive seconds before dump is written (default is 10).|
|-t||Write a dump when the process terminates.|
|-u||Treat CPU usage relative to a single core (used with -c).|
As the only option, Uninstalls ProcDump as the postmortem debugger.
|-w||Wait for the specified process to launch if it's not running.|
|-x||Launch the specified image with optional arguments. If it is a Store Application or Package, ProcDump will start on the next activation (only).|
|-64||By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem debugging.|
|-?||Use -? -e to see example command lines.|
If you omit the dump file name, it defaults to <processname>_<datetime>.dmp.
Use the -accepteula command line option to automatically accept the Sysinternals license agreement.
Write a mini dump of a process named 'notepad' (only one match can exist):
Write a full dump of a process with PID '4572':
C:\>procdump -ma 4572
Write 3 mini dumps 5 seconds apart of a process named 'notepad':
C:\>procdump -s 5 -n 3 notepad
Write up to 3 mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:
C:\>procdump -c 20 -s 5 -n 3 consume
Write a mini dump for a process named 'hang.exe' when one of it's Windows is unresponsive for more than 5 seconds:
C:\>procdump -h hang.exe hungwindow.dmp
Write a mini dump of a process named 'outlook' when total system CPU usage exceeds 20% for 10 seconds:
C:\>procdump outlook -p "\Processor(_Total)\% Processor Time" 20
Write a full dump of a process named 'outlook' when Outlook's handle count exceeds 10,000:
C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000
Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:
C:\>procdump -mp -e store.exe
Display without writing a dump, the exception codes/names of w3wp.exe:
C:\>procdump -e 1 -f "" w3wp.exe
Write a mini dump of w3wp.exe if an exception's code/name contains 'NotFound':
C:\>procdump -e 1 -f NotFound w3wp.exe
Launch a process and then monitor it for exceptions:
C:\>procdump -e 1 -f "" -x c:\dumps consume.exe
Register for launch, and attempt to activate, a modern 'application'. A new ProcDump instance will start when it activated to monitor for exceptions:
C:\>procdump -e 1 -f ""
-x c:\dumps Microsoft.BingMaps_8wekyb3d8bbwe!AppexMaps
Register for launch of a modern 'package'. A new ProcDump instance will start when it is (manually) activated to monitor for exceptions:
C:\>procdump -e 1 -f ""
-x c:\dumps Microsoft.BingMaps_188.8.131.52_x64__8wekyb3d8bbwe
Register as the Just-in-Time (AeDebug) debugger. Makes full dumps in c:\dumps.
C:\>procdump -ma -i c:\dumps
See a list of example command lines (the examples are listed above):
C:\>procdump -? -e