JSI Tip 0575 - DOTCRASH creates memory dump of hung or leaking process.

Jerold Schulman

June 22, 1998


"When an application runs on Windows NT you might experience problems, like a memory leak, or hanging at 0% (dead lock) or 100% (busy loop) CPU utilization.

If the computer is used in a production environment you usually do not have the time for debugging the process. In this situation, you can use DOTCRASH to create a user mode memory dump of the offending process and continue production much faster.

DOTCRASH uses Win32 API to create the memory dump. Here is how it works:

1. Get Debug privilege (if it doesn't work, we're not an Admin-like user)
2. Resolve process name to process ID, if needed
3. Open the target process with Full Access
4. Change AeDebug and Dr. Watson configuration to write .dmp
5. Create thread in target process with starting address 0xDEAD. This requires privileges acquired in 1) and 3)
6. Return Debug privilege
7. Restore original AeDebug and Dr. Watson configuration

DOTCRASH will not check if the files required to run Dr. Watson are installed in the system. You can check this if you run DRWTSN32 from the Start/Run dialog. While Dr. Watson is working on the memory dump it will put up a dialog. Do not click the Close or Cancel button. Wait until the OK button is enabled and then press OK.

There is a known problem with Dr. Watson on the Alpha platform on Windows NT 4.0:
Q170057: Dr. Watson Dialog Box Stops Responding on DEC Alpha Platform

A fix for this problem is scheduled for Service Pack 4. The fixed file for the English version of Windows NT and Q170057 are included in the SOFTLIB file.

DOTCRASH requires PSAPI.DLL. The SOFTLIB file contains versions of this file for Windows NT 3.51 and 4.0, for the Intel and Alpha platform. If you happen to have a newer version on your system, skip this step.

The memory dump created by Dr. Watson can be loaded in WinDBG.

... SNIP ...

Here's the command line help and errorlevel information for DOTCRASH:
DotCrash 1.0b by Herbert Mauerer
Contact [email protected] for suggestions and problem reports

usage:
dotcrash <pid> | <process EXE name>
pid: process ID in decimal or hex (use 0x)
process EXE name: name of EXE file
       If multiple EXE files with the same name are found,
       errorlevel will be 1 and a list of process IDs will
       be printed to STDOUT.

Errorlevel values:
0 - Success, dumped a process.
1 - Multiple processes found for %s, use process ID.
2 - Process %s not found.
3 - Invalid or out-of-range process ID.
4 - Could not open process %s, error:
5 - Could not create thread to crash the process, error:
6 - Can't get Debug Privilege. Aren't you Administrator?
7 - Could not access registry to configure Dr. Watson. Tried to fix it...
8 - This application only runs on Windows NT 3.51 or later.
9 - Ain't no killing of Process IDs 0 and 2"
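As an added example that is not part of the JSI tip or of DOTCRASH itself, a PowerShell wrapper (assuming a modern PowerShell host, dotcrash.exe on PATH, an elevated session, and the standard AeDebug key path) that snapshots the AeDebug configuration rewritten in steps 4 and 7, verifies it was restored after the run, and maps the errorlevel table above to a readable result:

```powershell
# Added wrapper (not DOTCRASH code). Assumes dotcrash.exe is on PATH, the session is
# elevated, and AeDebug lives at the standard key path below.
$AeDebugKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
$DotCrashExit = @{   # errorlevel meanings taken from the DOTCRASH usage text
    0 = 'Success, dumped a process.'
    1 = 'Multiple processes found, use process ID.'
    2 = 'Process not found.'
    3 = 'Invalid or out-of-range process ID.'
    4 = 'Could not open process.'
    5 = 'Could not create thread to crash the process.'
    6 = "Can't get Debug Privilege. Aren't you Administrator?"
    7 = 'Could not access registry to configure Dr. Watson.'
    8 = 'This application only runs on Windows NT 3.51 or later.'
    9 = 'Refuses to touch process IDs 0 and 2.'
}

function Get-AeDebugSnapshot {
    # Copy every value under AeDebug into a hashtable so it can be compared after the run.
    $snap = @{}
    foreach ($p in (Get-ItemProperty -Path $AeDebugKey).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $snap[$p.Name] = $p.Value }
    }
    return $snap
}

function Invoke-DotCrash {
    param([Parameter(Mandatory)][string]$Target)   # PID (decimal or 0x hex) or EXE name
    $before = Get-AeDebugSnapshot
    try {
        # Keep STDOUT: on errorlevel 1 it holds the list of candidate process IDs.
        $output = & dotcrash.exe $Target 2>&1
        $code = $LASTEXITCODE
    } finally {
        # Step 7 should have restored AeDebug; verify, and put back anything left changed.
        $after = Get-AeDebugSnapshot
        foreach ($name in $before.Keys) {
            if ($after[$name] -ne $before[$name]) {
                Write-Warning "AeDebug '$name' not restored; restoring '$($before[$name])'"
                Set-ItemProperty -Path $AeDebugKey -Name $name -Value $before[$name]
            }
        }
    }
    [pscustomobject]@{
        Target = $Target; ExitCode = $code
        Meaning = $DotCrashExit[$code]; Output = ($output | Out-String).Trim()
    }
}

# Dump by EXE name; on errorlevel 1 re-run with one of the PIDs listed in Output.
Invoke-DotCrash -Target 'myservice.exe' | Format-List
```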
