1. Noam ShefferSenior Architect and Bugs Hunterhttp://blogs.microsoft.co.il/blogs/noams@NoamSheffer

2. The First Computer Bug 3. When ever we have a live system that we : Have a limited access to the system Dont want or cant install Visual Studio on it Cant Stop the service and attach a debugger to it Log files are inefficient or non exists (90% of the cases) Still Need to Fix the problem 4. A dump file is a snapshot of a running process Kernel dumps are snapshots of the entire system, butwe will not discuss them here Dump files are useful for post-mortemdiagnostics and for production debugging A dump can contain lots of information, A fullprocess dump takes at least as much as theprocess virtual size. Its possible to take a smaller dump, e.g. onlythread stacks and loaded modules 5. Dump files are a static snapshot You cant debug a dump, just analyze it Sometimes a repro is required (or more thanone repro) Sometimes several dumps must be compared 6. On Vista and higher: Task Manager, right-clickand choose Create Dump File 7. Before Vista, use ntsd.exe ntsd -pn app.exe -c ".dump /ma /u C:app.dmp; qd" 8. Use ADPlus from Debugging Tools forWindows Can do crash / hang dumps Example command lines:adplus -crash -o C:dumps -scC:myappmyapp.exeadplus -hang -o C:dumps -p 1234 Can be configured further: Dump on a specific exception Perform additional debugger actions see documentation (Debugging Tools forWindows) 9. Sysinternals utility for creating crash / hangdumps Can use process reflection (Windows 7) tominimize process suspension time Examples:Procdump -h app.exe hang.dmpProcdump -e app.exe crash.dmpProcdump -c 90 app.exe excessive_cpu.dmp 10. Visual Studio can open dump files But its not the perfect analysis tool Visual Studio 2008 can handle native dumpsvery well Cant handle managed dumps AT ALL Visual Studio 2010 can handle both native andmanaged dumps For managed dumps, CLR 4.0 is required 11. WinDbg is usually much better at dumpanalysis Not that good for managed source code reading, buteverything else is much easier Try !analyze -v for native dumps Try opening a kernel (system) dump 12. Links http://blogs.microsoft.co.il/blogs/noams http://blogs.microsoft.co.il/blogs/sasha(all your base are belong to us) http://blogs.msdn.com/b/ntdebugging/(ntdebugging) http://blogs.technet.com/markrussinovich/(Marks blog)