Getting Crash Dumps From WinPE 

Sep 28, 2015 12:50 PM

Today's article is about getting application crash dumps from WinPE. I wrote this because, after spending a couple of days looking into various methods to obtain crash dumps, I found it fascinating how hard this was to do in an automated way.

It was so hard I'd actually all but given up. However, in an inspired last-ditch effort, I contacted the Microsoft Debugger Team. To my pleasant surprise, they responded and showed me the way with cdb.exe. Today's article documents how I set this up and tested it with my own sure-fire home-crafted 'crash now' application crashme.exe executable.

 

Windows Error Reporting For Crash Dumps

Windows Error Reporting has for many years now been Microsoft's chosen way of collecting application crash dumps. It would therefore be remiss of me not to at least mention it (even though it doesn't work in WinPE).

Since Windows Vista and Server 2008, collecting crash dumps has been quite easy with Windows Error Reporting (WER). It is included as standard and can be enabled just by creating the following registry key,

  HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Once this key exists, Windows Error Reporting uses some sensible crash dump defaults and is immediately enabled. By default a dump is written to the %LOCALAPPDATA%\CrashDumps folder of the user whose process crashed.

So once this key exists, if an application crashes under, say, my user account ian, a dump will automatically be created under,

  C:\Users\ian\AppData\Local\CrashDumps\

If the process is running under the SYSTEM account, %LOCALAPPDATA% resolves to the system profile instead, so the dump lands under,

  C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\

(The C:\ProgramData\Microsoft\Windows\WER folder holds WER's own report queue and archive, not the LocalDumps files.)

For further fine tuning, you can add the following registry values to the LocalDumps key (taken from the Microsoft article on collecting user-mode dumps),

  • DumpFolder (REG_EXPAND_SZ, default %LOCALAPPDATA%)
    The path where the dump files are to be stored. If you do not use the default path, make sure the folder's ACLs allow the crashing process to write to it. For service crashes the dump is written to the profile folder of the service account used: for System services that is %WINDIR%\System32\Config\SystemProfile, for Network Service and Local Service it is under %WINDIR%\ServiceProfiles.

  • DumpCount (REG_DWORD, default 10)
    The maximum number of dump files in the folder. When the maximum is exceeded, the oldest dump file in the folder is replaced with the new one.

  • DumpType (REG_DWORD, default 1)
    0: Custom dump
    1: Mini dump
    2: Full dump

  • CustomDumpFlags (REG_DWORD, default MiniDumpWithDataSegs | MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData)
    The custom dump options to be used. This value is used only when DumpType is set to 0. The options are a bitwise combination of the MINIDUMP_TYPE enumeration values.
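As an added example (not code from the original article), here is how the values above are applied from a batch script. It goes one step beyond the table: the LocalDumps key also accepts a subkey named after an image file (crashme.exe here), and values in that subkey take precedence over the global ones, so full dumps can be switched on for just the application under investigation. The folder names, the choice of crashme.exe as the target, and the assumption that it runs as the interactive user are mine.

```batch
@echo off
setlocal
REM Added example (not code from the original article): enable WER LocalDumps
REM with conservative global defaults, then override them for one application.
REM Run from an elevated command prompt on a full Windows install; WER is not
REM present in WinPE. Folder names and the crashme.exe target are assumptions.
set "WER=HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"

REM Global settings: mini dumps, at most 5 kept per folder. DumpFolder is left
REM at its default (LOCALAPPDATA\CrashDumps of the crashing user), so each
REM user's dumps stay behind that user's own profile ACLs.
reg add "%WER%" /v DumpType  /t REG_DWORD /d 1 /f
reg add "%WER%" /v DumpCount /t REG_DWORD /d 5 /f

REM Per-application override: values in a subkey named after the image file
REM take precedence over the global ones. Full dumps only for crashme.exe,
REM written to a dedicated folder.
set "APPDUMPS=C:\CrashDumps\crashme"
if not exist "%APPDUMPS%" mkdir "%APPDUMPS%"
reg add "%WER%\crashme.exe" /v DumpFolder /t REG_EXPAND_SZ /d "%APPDUMPS%" /f
reg add "%WER%\crashme.exe" /v DumpType   /t REG_DWORD     /d 2 /f
reg add "%WER%\crashme.exe" /v DumpCount  /t REG_DWORD     /d 3 /f

REM The crashing process writes the dump itself, so the account it runs under
REM needs write access here. A full dump is the whole address space of the
REM process (passwords, tokens and keys included), so nobody else should be
REM able to read the folder. Assumes crashme.exe runs as the interactive user.
icacls "%APPDUMPS%" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "%USERDOMAIN%\%USERNAME%:(OI)(CI)M"

REM Confirm what was written.
reg query "%WER%" /s
endlocal
```

Run it once, crash the application, and the dump appears in C:\CrashDumps\crashme while every other process keeps producing mini dumps in its user's own CrashDumps folder.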

 

And this is excellent. But, sadly WER is not available within WinPE so we must look to other methods.

 

Collecting Crash Dump Manually in WinPE

The most straightforward way to collect a crash dump in WinPE is to use the Windows Task Manager. When a process crashes in WinPE and an application error dialog appears, just find the process in Task Manager, right-click it and select "Create Dump File" from the context menu.

Below is a screenshot of me creating a dump for my application, crashme.exe, which forces a memory access violation.

[Screenshot WinPE1_png.png: Task Manager in WinPE with "Create Dump File" selected for crashme.exe]

Once you select the option to create the dump file you'll just have to wait a few moments whilst it writes the file to the Windows Temp folder %WINDIR%\Temp.

This method is fine if it's a manual process you are looking for, but what about creating dumps automatically once the exception is raised? Well this turns out to be rather tricky...

 

CrashDump Creation Techniques that Don't work in WinPE

I'm just going to list these,

  1. Windows Error Reporting (WER)
    The components for this just don't exist in WinPE, and a loadable package to add this back in doesn't exist.
     
  2. DebugDiag from Microsoft
    Couldn't get this to work, and to be fair WinPE isn't a supported platform.
     
  3. ProcDump from Microsoft
    Had high hopes, but also couldn't get this to work. Executables just return nothing. Nothing. At. All.
     
  4. Mad Murmuring Whilst Holding Head in Hands
    This has in a past been a proven technique to get someone else in the office to solve the problem for me. I also tried 'Loud Sighing' and 'Frustrated Keyboard Bashing'. All to no avail.

 

A CrashDump Creation Technique that DOES work in WinPE

An email to Microsoft got a very rapid response from a helpful fellow called Doug. He said,

If I am not mistaken, Win PE 5.1 is aligned with the Windows 8.1 OS?
If so, have you tried installing the Debugging Tools for Windows from the Windows 8.1 SDK and then doing a flat file copy of the \Debuggers directory across to the WinPE image?

There are several debuggers in the debugging tools. The one with the most minimal dependencies is probably the command line shell CDB.EXE. You could either use CDB to attach to the running process before it faults or (slightly more complicated) configure it as the JIT debugger with the -iae command line switch.

And this indeed does work. I downloaded the Windows 8.1 SDK and located the cdb.exe executable within it. I then copied this to my server, which has a file share accessible from my WinPE-booted clients (mapped to the M:\ drive).

In the startup scripts for my WinPE environment all I had to do was add these few lines to get cdb.exe up and running,

REM Set the debugger to cdb.exe and get it to create dumps on the M: network drive

REM In the following reg add command we need to escape some double quotes and a percent symbol.
REM Double quotes inside /d are escaped with a preceding backslash; the percent sign is doubled
REM because this runs from a batch file (at an interactive prompt a single % would do).

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Debugger /t REG_SZ /d "\"M:\Debug\cdb.exe\" -pv -p %%ld -c \".dump /u /ma M:\Debug\mydump.dmp;.kill;qd\"" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /t REG_SZ /d "1" /f

The first reg add command tells Windows which debugger to launch when a process faults, and with which command line; the Auto value of 1 makes it launch without first showing the error dialog. With %ld replaced by the PID of the faulting process, the command that actually runs is,

M:\Debug\cdb.exe -pv -p %ld -c ".dump /u /ma M:\Debug\mydump.dmp;.kill;qd"

Which breaks down as,

  • M:\Debug\cdb.exe
    Full path to the debugger. In this case, I've placed the files on my network drive.
     
  • -pv
    Specifies that the debugger should attach to the process non-invasively.
     
  • -p %ld
    Specifies the PID to attach to (Windows substitutes the PID of the faulting process for %ld).
     
  • ".dump /u /ma M:\Debug\mydump.dmp"
    Takes a full memory dump (/ma: all memory, handles and unloaded module information) and stores it at the path given. /u appends the date, time and process ID to the file name, so successive crashes don't overwrite each other.
     
  • ".kill"
    Kills the target process (you've gotten the data you need).
     
  • "qd"
    Quits the debugger.

 

And that's it. Now whenever I get a crash, the dump is written straight to my network share (M:\) in the Debug folder. The /u switch appends the process ID and a timestamp, so the crash dump actually has a file name like this,

  mydump_1fb8_2015-09-25_11-55-44-704_0644.dmp

Two things worth keeping in mind with this setup. AeDebug runs whatever the Debugger value points at, in the security context of the faulting process (which in WinPE is SYSTEM), so anyone who can modify cdb.exe or its DLLs on the share can get code run on every client that crashes. If the clients need write access to the share to drop their dumps, keep the debugger in a separate, read-only location (or copy it to the local X:\ RAM disk at boot). And a full dump (/ma) contains everything the process had in memory, credentials included, so the folder the dumps land in deserves the same care.
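As an added example (not the article's own startup script), here is a WinPE startup-script fragment that checks the share and dump folder before touching AeDebug, stages the debugger on the local RAM disk rather than running it from the share, and records what it installed. The drive letters, folder names and the winpe.dmp base name are assumptions; the reg add lines are the same ones the article uses.

```batch
@echo off
REM Added example (not from the original article): WinPE startup-script
REM fragment that stages cdb.exe on the local RAM disk before registering
REM it as the JIT debugger, and verifies the setup first. Assumptions: the
REM share is mapped as M:, the debugger files are in M:\Debug, dumps go to
REM M:\Debug\Dumps, and X: is the WinPE RAM disk.
set "SHARE=M:\Debug"
set "LOCALDBG=X:\Debug"
set "DUMPS=M:\Debug\Dumps"
set "AEDEBUG=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"

REM 1. Preconditions: the share must be reachable and the dump folder
REM    writable, otherwise a crash would silently produce nothing.
if not exist "%SHARE%\cdb.exe" (
    echo [AeDebug] %SHARE%\cdb.exe not found, JIT debugger not installed.
    exit /b 1
)
if not exist "%DUMPS%" mkdir "%DUMPS%"
copy /Y NUL "%DUMPS%\writetest.tmp" >nul 2>&1 || (
    echo [AeDebug] cannot write to %DUMPS%, JIT debugger not installed.
    exit /b 1
)
del "%DUMPS%\writetest.tmp"

REM 2. Copy the debugger to the RAM disk. AeDebug runs whatever this value
REM    points at, as the faulting process's account (SYSTEM in WinPE), so it
REM    should not be loaded from a location other people can write to.
REM    cdb.exe needs its companion DLLs (dbgeng.dll, dbghelp.dll, ...).
if not exist "%LOCALDBG%" mkdir "%LOCALDBG%"
xcopy "%SHARE%\*.dll" "%LOCALDBG%\" /Y /Q >nul
copy /Y "%SHARE%\cdb.exe" "%LOCALDBG%\cdb.exe" >nul

REM 3. Register it. Windows replaces %%ld with the faulting PID; inside a
REM    batch file the percent sign itself has to be doubled.
reg add "%AEDEBUG%" /v Debugger /t REG_SZ /d "\"%LOCALDBG%\cdb.exe\" -pv -p %%ld -c \".dump /u /ma %DUMPS%\winpe.dmp;.kill;qd\"" /f
reg add "%AEDEBUG%" /v Auto /t REG_SZ /d "1" /f

REM 4. Show the result so the startup log records what was installed.
reg query "%AEDEBUG%" /v Debugger
```

With this in place the share only ever needs to be writable in its Dumps subfolder; the copy of cdb.exe that actually executes lives on X:, which disappears with the RAM disk at reboot.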

Job done. Hope this is of help for anyone else out there who is also attempting to get application crash dumps from their WinPE environments.

 

Kind Regards,
Ian./

 

Further Reading

Automatically Creating a Dump when a Process Crashes
http://blogs.msdn.com/b/dotnet/archive/2009/10/15/automatically-capturing-a-dump-when-a-process-crashes.aspx

CDB Command-Line Options
https://msdn.microsoft.com/en-us/library/windows/hardware/ff539058(v=vs.85).aspx

How to Use and Understand the Windows Console Debugger
http://www.codeproject.com/Articles/31997/How-to-Use-and-Understand-the-Windows-Console-Debu

Debugger Tutorial
http://www.codeproject.com/Articles/6469/Debug-Tutorial-Part-Beginning-Debugging-Using-CD

 

Attachment: crashme.zip (53 KB)