Wednesday, October 16, 2013

Using Windows Task Manager to collect memory dumps

Introduction

When we're asked to collect memory dump files, the first tool that comes to mind is Windows Task Manager (WTM from here on). That is a reasonable choice, and I would like to describe what this tool can and cannot do in more detail.
WTM can collect only full memory dump files (a minidump that includes the whole process memory), which is sufficient for further investigation almost all of the time. The tool is built into Windows and does not require any additional configuration.

1. Gathering memory dump files on demand

In order to gather a memory dump file, we first need to identify the target process, i.e. its PID. This part was covered in this article.
If you are dumping an x86 process on an x64 system (a WOW64 process), refer to section 2 of this post before performing the steps below.
Once we know the PID, we navigate to the process in the list (screenshot for Windows 8):


Then open the context menu for the process and choose the appropriate option, Create dump file:


When the dump has been written, WTM displays a message box with the path to the file. We can move the file to another drive and start analysing it:


The procedure is pretty straightforward, isn't it?

2. Gathering memory dump files for an x86 process on an x64 environment (WOW64)

Refer to this article for the details of why WOW64 processes have to be handled differently.
The default (x64) version of WTM does not produce a usable dump of a WOW64 process: as a 64-bit writer it captures the 64-bit view of the process, so the debugger shows the 64-bit ntdll and wow64 frames rather than the 32-bit code you actually want to look at. We should use the x86 version of WTM instead. It is located here:
%WINDIR%\SysWOW64\Taskmgr.exe

It does not visually differ from the x64 version, so double-check that this build is the one actually running: in the process list the x86 build shows up as a 32-bit process (marked "*32" on Windows 7 and "(32 bit)" on Windows 8), and its image path points to SysWOW64. After you open it, gather the memory dump file as described in section 1.

Note that the x64 version of WTM will never warn you when you dump a WOW64 process. It will successfully generate a dump file and nothing will look wrong at that point. The difficulties only appear when you start to analyse the produced file.
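As an added example, not part of the original post, here is a PowerShell script that ties sections 1 and 2 together: it resolves the target PID, calls IsWow64Process to decide which Task Manager build to launch, and, once you have chosen Create dump file, parses the minidump header to confirm that the dump has the architecture you expect, which is exactly the check that catches the silent WOW64 mistake described above. It assumes the dump is written to %TEMP%\<process name>.DMP (the path Task Manager shows in its message box), the two Taskmgr.exe locations given above, and that the x86 build produces a dump whose SystemInfo stream reports x86 while the x64 build reports x64; the stream layout used is the documented MINIDUMP_HEADER / MINIDUMP_DIRECTORY / MINIDUMP_SYSTEM_INFO format.

```powershell
# Added example, not part of the original post. Picks the Task Manager build that
# matches the target process (x86 build for WOW64 processes, x64 build otherwise),
# launches it, and after you have used "Create dump file" checks that the dump's
# SystemInfo stream reports the expected architecture.
# Assumptions (not stated by the post): the dump lands at $env:TEMP\<name>.DMP,
# the Taskmgr.exe paths are as on the post's Windows 8 system, and the x86 build
# writes a dump whose SystemInfo stream says x86 while the x64 build says x64.
param(
    [Parameter(Mandatory = $true)][string]$TargetName   # process name without .exe, e.g. notepad
)

# Run from a 64-bit PowerShell on 64-bit Windows: a 32-bit PowerShell is itself
# a WOW64 process and would see System32 silently redirected to SysWOW64.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this script from a 64-bit PowerShell host.'
}

# P/Invoke IsWow64Process: true for a 32-bit process running under WOW64.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [Out] out bool wow64Process);
'@

function Test-Wow64Process {
    param([System.Diagnostics.Process]$Process)
    $isWow64 = $false
    # .Handle needs PROCESS_QUERY_INFORMATION; dumping another user's or an
    # elevated process requires an elevated PowerShell anyway.
    if (-not [Win32.Native]::IsWow64Process($Process.Handle, [ref]$isWow64)) {
        throw "IsWow64Process failed for PID $($Process.Id): $((New-Object ComponentModel.Win32Exception).Message)"
    }
    return $isWow64
}

function Get-TaskMgrPath {
    param([bool]$IsWow64)
    # On x64 Windows System32 holds the x64 Task Manager and SysWOW64 the x86 one.
    if ($IsWow64) { return Join-Path $env:WINDIR 'SysWOW64\Taskmgr.exe' }
    return Join-Path $env:WINDIR 'System32\Taskmgr.exe'
}

function Get-MinidumpArchitecture {
    param([string]$Path)
    # MINIDUMP_HEADER: Signature "MDMP", Version, NumberOfStreams, StreamDirectoryRva, ...
    # MINIDUMP_DIRECTORY entries are 12 bytes each: StreamType, DataSize, Rva.
    # SystemInfoStream (type 7) starts with ProcessorArchitecture (USHORT):
    # 0 = PROCESSOR_ARCHITECTURE_INTEL (x86), 9 = PROCESSOR_ARCHITECTURE_AMD64.
    $fs = [IO.File]::OpenRead($Path)
    try {
        $br = New-Object IO.BinaryReader($fs)
        if ([Text.Encoding]::ASCII.GetString($br.ReadBytes(4)) -ne 'MDMP') {
            throw "$Path is not a minidump"
        }
        $null    = $br.ReadUInt32()      # Version
        $streams = $br.ReadUInt32()      # NumberOfStreams
        $dirRva  = $br.ReadUInt32()      # StreamDirectoryRva
        $fs.Position = $dirRva
        for ($i = 0; $i -lt $streams; $i++) {
            $type = $br.ReadUInt32()
            $null = $br.ReadUInt32()     # DataSize, not needed here
            $rva  = $br.ReadUInt32()
            if ($type -eq 7) {
                $fs.Position = $rva
                switch ($br.ReadUInt16()) {
                    0       { return 'x86' }
                    9       { return 'x64' }
                    default { return "other($_)" }
                }
            }
        }
        throw "$Path has no SystemInfo stream"
    } finally {
        $fs.Dispose()
    }
}

$proc    = Get-Process -Name $TargetName -ErrorAction Stop | Select-Object -First 1
$isWow64 = Test-Wow64Process $proc
$taskmgr = Get-TaskMgrPath $isWow64
$wanted  = if ($isWow64 -or -not [Environment]::Is64BitOperatingSystem) { 'x86' } else { 'x64' }
Write-Host "PID $($proc.Id) ($($proc.ProcessName)), WOW64=$isWow64 -> launching $taskmgr"

Start-Process -FilePath $taskmgr
$null = Read-Host "In Task Manager right-click PID $($proc.Id), choose 'Create dump file', wait for the message box, then press Enter"

$dump = Join-Path $env:TEMP "$($proc.ProcessName).DMP"   # assumed: path shown in Task Manager's message box
if (-not (Test-Path $dump)) { throw "No dump found at $dump" }
$arch = Get-MinidumpArchitecture $dump
if ($arch -ne $wanted) {
    throw "$dump reports $arch but the target needs an $wanted dump: you probably used the wrong Task Manager build"
}
Write-Host "$dump is an $arch dump, as expected; move it off this drive and start analysing."
```

Run it as .\Collect-Dump.ps1 -TargetName notepad from an elevated 64-bit PowerShell. The interactive step is unavoidable because Task Manager has no command-line switch for creating dumps; the value of the script is in the two checks around it, choosing the right build up front and refusing a dump whose architecture does not match the target before you waste time on it in the debugger.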

3. Conditional memory dump file gathering

WTM does not support this: a dump can only be taken manually, on demand, as described in section 1.
