Process Explorer has a pretty cool feature for generating process dumps. It offers two types of dumps: minidump and full. Now, the full dump generates a massive .dmp file and encodes all of the process memory, but often that is not really required (for various reasons); more importantly, the helpful information is about
To generate a dump file, all you need to do is:
- open the process with appropriate access
- specify the minidump options
The key thing in all of this is to specify `dumpOpts` correctly. One way to ascertain the options is to look at what Process Explorer generated. For that, open the dump file in windbg (`windbg -z memory.dmp`) and execute the `.dumpdebug` command. It will produce the following output (trimmed in this case).
The header just contains the flags as provided to `MiniDumpWriteDump`; this does not necessarily mean that the requested data was written to the dump file. It is followed by the various streams captured in the dump. The stream types are defined in DbgHelp.h/minidumpapiset.h. The stream size appears to be in bytes (364, versus 18 threads).
The flags passed are `0x1105`. Now, if you simply open the process with `PROCESS_ALL_ACCESS` (0x1FFFF), you will get the handle data in the dump file. Once you have generated the dump file, open it in windbg again and check with the `!handle` command. It should list the handles from the dump if they could be captured; otherwise it will just give you an error message.
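As an added illustration of what `.dumpdebug` is reading (example code added here, not the post's own code): the functions below parse the MINIDUMP_HEADER and stream directory, decode the header Flags into MINIDUMP_TYPE names, and report whether a non-empty stream of a given type was actually written. The constants are the values from minidumpapiset.h; the 56-byte sample is a constructed header, not a real dump, whose Flags request handle data while no HandleDataStream is present, which is exactly the case where `!handle` errors out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From minidumpapiset.h: the "MDMP" signature and two MINIDUMP_STREAM_TYPE members. */
#define MINIDUMP_SIGNATURE 0x504D444Du
#define THREAD_LIST_STREAM 3u
#define HANDLE_DATA_STREAM 12u
/* Subset of MINIDUMP_TYPE bits: what MiniDumpWriteDump receives and echoes into header Flags. */
static const struct { uint64_t bit; const char *name; } kDumpTypes[] = {
    {0x0001, "MiniDumpWithDataSegs"},          {0x0002, "MiniDumpWithFullMemory"},
    {0x0004, "MiniDumpWithHandleData"},        {0x0020, "MiniDumpWithUnloadedModules"},
    {0x0100, "MiniDumpWithProcessThreadData"}, {0x0800, "MiniDumpWithFullMemoryInfo"},
    {0x1000, "MiniDumpWithThreadInfo"},        {0x40000, "MiniDumpWithTokenInformation"},
};
/* Constructed sample, not a real dump: a header with Flags 0x1105 followed by two 12-byte
 * MINIDUMP_DIRECTORY entries (a 364-byte ThreadListStream and a SystemInfoStream). */
static const uint8_t kSample[56] = {
    'M','D','M','P', 0x93,0xA7,0,0, 2,0,0,0, 32,0,0,0, 0,0,0,0, 0,0,0,0, 0x05,0x11,0,0, 0,0,0,0,
    3,0,0,0, 0x6C,0x01,0,0, 56,0,0,0,   /* StreamType 3, DataSize 364, Rva 56 */
    7,0,0,0, 56,0,0,0,      56,0,0,0 }; /* StreamType 7; no HandleDataStream (12) at all */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Header Flags: the ULONG64 at offset 24 of MINIDUMP_HEADER; 0 for a short or non-MDMP buffer. */
uint64_t read_flags(const uint8_t *dump, size_t len) {
    if (len < 32 || rd32(dump) != MINIDUMP_SIGNATURE) return 0;
    return rd32(dump + 24) | (uint64_t)rd32(dump + 28) << 32;
}
/* Write the names of the set MINIDUMP_TYPE bits into out; returns how many were recognised. */
int decode_flags(uint64_t flags, char *out, size_t cap) {
    int n = 0; size_t used = 0; out[0] = '\0';
    for (size_t i = 0; i < sizeof kDumpTypes / sizeof kDumpTypes[0]; i++)
        if ((flags & kDumpTypes[i].bit) && used < cap) {
            used += (size_t)snprintf(out + used, cap - used, "%s ", kDumpTypes[i].name);
            n++;
        }
    return n;
}
/* Walk the stream directory; 1 only if a non-empty stream of this type was actually written. */
int has_stream(const uint8_t *dump, size_t len, uint32_t type, uint32_t *size_out) {
    if (len < 32 || rd32(dump) != MINIDUMP_SIGNATURE) return 0;
    uint32_t count = rd32(dump + 8), rva = rd32(dump + 12);
    for (uint32_t i = 0; i < count; i++) {
        size_t off = (size_t)rva + 12 * (size_t)i;
        if (off + 12 > len) return 0;                        /* truncated directory */
        if (rd32(dump + off) != type || rd32(dump + off + 4) == 0) continue;
        if (size_out) *size_out = rd32(dump + off + 4);      /* Location.DataSize */
        return 1;
    }
    return 0;
}
```

Run `decode_flags(read_flags(buf, len), ...)` over the first bytes of a real .dmp to recover the `dumpOpts` that produced it, and `has_stream(..., HANDLE_DATA_STREAM, ...)` to confirm the handle data is really there before relying on `!handle`.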
More on this in the next post.

The entire code is along these lines: