Windows 7 Forums



Minidump Files

 
 
Bill Bradshaw
      01-26-2012
A new version of PGOffline (www.PGOffline.com) which is an offline reader
for Yahoo Egroups is being developed. So I am trying to help them with
debugging of the program. Instead of sending in full dumps I would like to
send in mini dumps. I used Sysinternals Process Monitor program to get
the list. Since I am running their program I have no idea what will
throw a fault. It might help me if I could figure out where Werfault is
getting the information for the subdirectory it is saving the dump files
in. Unfortunately I can not figure it out. I have searched the
registry, every file on my computer, etc. to see if I could find a
string containing CrashDumps but so far no luck.

<Bill>

Paul wrote:
> Bill Bradshaw wrote:
>> The following is from Process Monitor. Anybody see anything that
>> holds a clue to my issue?
>>
>> 9610 3:12:21.5141264 PM WerFault.exe 6008 Thread Exit SUCCESS Thread
>> ID: 4036, User Time: 0.0000000, Kernel Time: 0.0000000

> <<snipped>>
>> Create, Options: Synchronous IO Non-Alert, Non-Directory File,
>> Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult:
>> Created <Bill>

>
> What would help, is knowing how you got there. What did you
> use to trigger the analysis of WerFault ?
>
> For reference, I checked my WinXP system, and it has files
> such as "Mini020609-02.dmp". Using dumpchk on them, they
> appear to be system crashes caused by my old PCI sound card.
> So they look like a kernel event, rather than a problem with
> a program exiting.
>
> On the Windows 7 machine, I tried Task Manager, right clicked
> a program in the process list, then selected the option to
> create a dump. I tried that on a copy of notepad. The
> resulting "notepad.DMP" file was 47MB (hardly "mini")
> and when fed into dumpchk.exe, didn't look the same as
> my other mini*-.dmp files.
>
> I also wrote a 32 bit program in C and compiled with mingw (as
> djgpp has 16 bit code in it), then carried the resulting program
> over to the Win7 x64 laptop to test it. When the program was run
> from a Command Prompt window, an error dialog popped up, with a
> button you could click to list the error message (basically a
> segmentation violation, as I made the program try to dereference
> a zeroed pointer). The error dialog on the screen, provided a
> short register dump, but no .dmp file was created.
>
> (0xC0000005 "access violation" caused by attempting to dereference
> location 0x0)
> http://img854.imageshack.us/img854/2782/crashzero.gif
>
> If I'd used a Sysinternals program like "notmyfault", I could
> probably crash the kernel and create a STOP error, and that should
> generate a file. But I'm not planning on doing that right yet.
> Is that what you're trying to do, catch a kernel/driver fault ?
>
> Paul
>
>>
>> Bill Bradshaw wrote:
>>> I am trying to setup Windows 7 Pro SP1 to record minidumps in the
>>> directory of my choice. All I get are kernel dumps and they are not
>>> in the directory I want them in. I have gone to Crashdumps in the
>>> registry and the directory I want the dumps placed in is listed
>>> properly. So it is giving me dumps just not minidumps. I have been
>>> searching the web and my registry settings seem to be correct. I am
>>> looking for any and all help. Thanks.



 
 
 
 
 
Paul
      01-27-2012
Bill Bradshaw wrote:
> A new version of PGOffline (www.PGOffline.com) which is an offline reader
> for Yahoo Egroups is being developed. So I am trying to help them with
> debugging of the program. Instead of sending in full dumps I would like to
> send in mini dumps. I used Sysinternals Process Monitor program to get
> the list. Since I am running their program I have no idea what will
> throw a fault. It might help me if I could figure out where Werfault is
> getting the information for the subdirectory it is saving the dump files
> in. Unfortunately I can not figure it out. I have searched the
> registry, every file on my computer, etc. to see if I could find a
> string containing CrashDumps but so far no luck.
>
> <Bill>
>


There is an application here, which can create dumps.
But it doesn't make clear what flavor it creates. Give this a try.
(I haven't tried this yet.)

(Sysinternals ProcDump)
http://technet.microsoft.com/en-us/s.../dd996900.aspx

-e Write a dump when the process encounters an unhandled
exception. Include "-e 1" to create dump on first chance exceptions.

Paul
 
 
Paul
      01-27-2012
Paul wrote:
> Bill Bradshaw wrote:
>> A new version of PGOffline (www.PGOffline.com) which is an offline
>> reader for Yahoo Egroups is being developed. So I am trying to help
>> them with debugging of the program. Instead of sending in full dumps I
>> would like to send in mini dumps. I used Sysinternals Process Monitor
>> program to get the list. Since I am running their program I have no
>> idea what will throw a fault. It might help me if I could figure out
>> where Werfault is getting the information for the subdirectory it is
>> saving the dump files in. Unfortunately I can not figure it out. I
>> have searched the registry, every file on my computer, etc. to see if
>> I could find a string containing CrashDumps but so far no luck.
>>
>> <Bill>
>>

>
> There is an application here, which can create dumps.
> But it doesn't make clear what flavor it creates. Give this a try.
> (I haven't tried this yet.)
>
> (Sysinternals ProcDump)
> http://technet.microsoft.com/en-us/s.../dd996900.aspx
>
> -e Write a dump when the process encounters an unhandled
> exception. Include "-e 1" to create dump on first chance exceptions.
>
> Paul


Latest progress.

I tried out the ProcDump program, but what I'm finding is WerFault seems
to intercept the event, and prevents ProcDump from actually dumping
the error with stack traces and so on.

If I do this with ProcDump, it triggers a dump as soon as my test program
begins to run. I actually got a small dump file (about 90KB) placed in
the current working directory. (I used two command prompt windows,
ran ProcDump in -w "Wait" mode, while I ran the crashzero.exe program
in the other command prompt window. The "Wait" option is needed because
otherwise procdump tells you there's nothing to attach to.)

procdump -accepteula -w -n 1 crashzero.exe crashzero.dmp [Useless output file]

Now, if I ask procdump to wait, and wait for the first error it
finds (-e 1), then werfault "lets the air out of its tires" and I get
nothing. The programs are very polite, but no output results.

procdump -accepteula -w -n 1 -e 1 crashzero.exe crashzero.dmp [No output file]

I checked with procmon, and got a similar log to what you were seeing.
A reference to a file that might be used for dumping, and then... nothing.

Next, I tried doing a web search, using the names of the guilty parties, and
found this article (written by the Sysinternals guy).

http://blogs.technet.com/b/markrussi...2/3065065.aspx

At the bottom of that article, it says:

"If you create a key named

HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

WerFault will always save a dump. Crashes go by default into
%LOCALAPPDATA%\Crashdumps, but you can override that with a
Registry value and also specify a limit on the number of crashes WerFault
will keep."

Found this as well.

http://msdn.microsoft.com/en-us/libr...81(VS.85).aspx

And once I set my Win7 registry to look like this, I finally
got a dump out of WerFault. I had to add a key on the left.

http://img88.imageshack.us/img88/8592/regwerfault.gif

I'm not even sure I had to add a DumpType. I think it started
working before that, but I just didn't notice it was dumping files.
I popped the resulting file into dumpchk.exe and it looked
suitably useless to me (at least I could see the 0xC0000005
access error). So it didn't strike me as being as nice looking
as some other dumps I've looked at. But at least the size
of the collected file was small (89KB).

Paul
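
The LocalDumps settings from the post above, written out as an importable .reg file. This is an added example, not part of the thread: the value names DumpFolder, DumpCount and DumpType and the per-executable subkey follow Microsoft's "Collecting User-Mode Dumps" documentation linked later in the thread, while the folder, the count and the choice of crashzero.exe as the target are sample values.

```python
BASE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
            r"\Windows Error Reporting\LocalDumps")

# DumpType values documented for LocalDumps.
DUMP_TYPES = {"custom": 0, "mini": 1, "full": 2}


def expand_sz(text):
    """Encode text as a REG_EXPAND_SZ .reg literal: hex(2): plus the
    UTF-16LE bytes and a terminating NUL, so %VARIABLES% expand at use."""
    raw = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)


def dword(value):
    """Encode an integer as a REG_DWORD .reg literal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("DWORD out of range")
    return f"dword:{value:08x}"


def render_localdumps(folder, count=10, dump_type="mini", exe=None):
    """Return .reg text for the global key, or for one executable's
    subkey when exe is given (per-application settings override global)."""
    if dump_type not in DUMP_TYPES:
        raise ValueError(f"unknown dump type: {dump_type!r}")
    if exe is not None and ("\\" in exe or "/" in exe):
        raise ValueError("exe must be a file name, not a path")
    key = BASE_KEY if exe is None else BASE_KEY + "\\" + exe
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{key}]",
        f'"DumpFolder"={expand_sz(folder)}',
        f'"DumpCount"={dword(count)}',
        f'"DumpType"={dword(DUMP_TYPES[dump_type])}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: keep five minidumps for the thread's test program.
    print(render_localdumps(r"%LOCALAPPDATA%\CrashDumps", 5, "mini",
                            exe="crashzero.exe"))
```

Writing under HKLM needs an elevated prompt when the generated file is imported.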
 
 
Bill Bradshaw
      01-28-2012
The msdn site was a great find. I now have my dump files being placed
where I wanted them. The 17 meg files I was getting are minidump files.
What was confusing me was that when opened in WinDbg there was not much
information shown. But if the file is run in Dumpchk there is all kinds
of information. I did a kernel dump and the resulting file was 273 megs
so I am definitely not going to be sending one of them in. I may spend
some more time with WinDbg to see if I am doing something wrong. Thanks
for the extraordinary amount of effort on your part.
--
<Bill>

Brought to you from Anchorage, Alaska.

Paul wrote:
> Paul wrote:
>> Bill Bradshaw wrote:
>>> A new version of PGOffline (www.PGOffline.com) which is an offline
>>> reader for Yahoo Egroups is being developed. So I am trying to help
>>> them with debugging of the program. Instead of sending in full dumps I
>>> would like to send in mini dumps. I used Sysinternals Process
>>> Monitor program to get the list. Since I am running their program
>>> I have no idea what will throw a fault. It might help me if I
>>> could figure out where Werfault is getting the information for the
>>> subdirectory it is saving the dump files in. Unfortunately I can
>>> not figure it out. I have searched the registry, every file on my
>>> computer, etc. to see if I could find a string containing
>>> CrashDumps but so far no luck. <Bill>
>>>

>>
>> There is an application here, which can create dumps.
>> But it doesn't make clear what flavor it creates. Give this a try.
>> (I haven't tried this yet.)
>>
>> (Sysinternals ProcDump)
>> http://technet.microsoft.com/en-us/s.../dd996900.aspx
>>
>> -e Write a dump when the process encounters an unhandled
>> exception. Include "-e 1" to create dump on first chance
>> exceptions. Paul

>
> Latest progress.
>
> I tried out the ProcDump program, but what I'm finding is WerFault
> seems to intercept the event, and prevents ProcDump from actually
> dumping
> the error with stack traces and so on.
>
> If I do this with ProcDump, it triggers a dump as soon as my test
> program begins to run. I actually got a small dump file (about 90KB)
> placed in
> the current working directory. (I used two command prompt windows,
> ran ProcDump in -w "Wait" mode, while I ran the crashzero.exe program
> in the other command prompt window. The "Wait" option is needed
> because otherwise procdump tells you there's nothing to attach to.)
>
> procdump -accepteula -w -n 1 crashzero.exe crashzero.dmp
> [Useless output file]
> Now, if I ask procdump to wait, and wait for the first error it
> finds (-e 1), then werfault "lets the air out of its tires" and I get
> nothing. The programs are very polite, but no output results.
>
> procdump -accepteula -w -n 1 -e 1 crashzero.exe crashzero.dmp [No
> output file]
> I checked with procmon, and got a similar log to what you were seeing.
> A reference to a file that might be used for dumping, and then...
> nothing.
> Next, I tried doing a web search, using the names of the guilty
> parties, and found this article (written by the Sysinternals guy).
>
> http://blogs.technet.com/b/markrussi...2/3065065.aspx
>
> At the bottom of that article, it says:
>
> "If you create a key named
>
> HKLM\Software\Microsoft\Windows\Windows Error
> Reporting\LocalDumps
> WerFault will always save a dump. Crashes go by default into
> %LOCALAPPDATA%\Crashdumps, but you can override that with a
> Registry value and also specify a limit on the number of crashes
> WerFault will keep."
>
> Found this as well.
>
> http://msdn.microsoft.com/en-us/libr...81(VS.85).aspx
>
> And once I set my Win7 registry to look like this, I finally
> got a dump out of WerFault. I had to add a key on the left.
>
> http://img88.imageshack.us/img88/8592/regwerfault.gif
>
> I'm not even sure I had to add a DumpType. I think it started
> working before that, but I just didn't notice it was dumping files.
> I popped the resulting file into dumpchk.exe and it looked
> suitably useless to me (at least I could see the 0xC0000005
> access error). So it didn't strike me as being as nice looking
> as some other dumps I've looked at. But at least the size
> of the collected file was small (89KB).
>
> Paul



 
 
Yousuf Khan
      01-28-2012
On 1/26/2012 3:55 PM, Bill Bradshaw wrote:
> A new version of PGOffline (www.PGOffline.com) which is an offline reader
> for Yahoo Egroups is being developed. So I am trying to help them with
> debugging of the program. Instead of sending in full dumps I would like to
> send in mini dumps. I used Sysinternals Process Monitor program to get
> the list. Since I am running their program I have no idea what will
> throw a fault. It might help me if I could figure out where Werfault is
> getting the information for the subdirectory it is saving the dump files
> in. Unfortunately I can not figure it out. I have searched the
> registry, every file on my computer, etc. to see if I could find a
> string containing CrashDumps but so far no luck.


Oh, I think we must've been under a misunderstanding all of this time,
you're looking for an application dump from Windows, not a core dump
which is when the whole operating system crashes.

According to this, WER is always involved in collecting the application
crash dumps, you can only collect the dumps from WER's repository and
send them to the developers using programs from Microsoft's Visual
Studio to send copies of the WER files.

Crash Dump Analysis
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx

But with Windows Vista & 7, you can redirect the location of the
application crash files by making the changes in the registry described
here:

Collecting User-Mode Dumps
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx

Yousuf Khan
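
The thread mixes kernel crash dumps with application (user-mode) dumps of unclear "flavor"; the two can be told apart from the first bytes of the file. The following is an added example, not code from any poster: it reads the user-mode MINIDUMP_HEADER and its MINIDUMP_TYPE flags, treats the PAGEDUMP/PAGEDU64 signatures as kernel dumps, and uses constructed header bytes as sample input. The `full_memory` field marks dumps that carry the whole process address space, the kind Bill wanted to avoid sending.

```python
import struct

# MINIDUMP_TYPE bits stored in the header's Flags field (subset).
MINIDUMP_FLAGS = {
    0x0001: "WithDataSegs",
    0x0002: "WithFullMemory",
    0x0004: "WithHandleData",
    0x0020: "WithUnloadedModules",
    0x0040: "WithIndirectlyReferencedMemory",
    0x0100: "WithProcessThreadData",
    0x0200: "WithPrivateReadWriteMemory",
    0x0800: "WithFullMemoryInfo",
    0x1000: "WithThreadInfo",
}
HEADER = "<4sIIIIIQ"  # Signature, Version, NumberOfStreams,
                      # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags


def classify_dump(data):
    """Return (kind, details) for the leading bytes of a .dmp file:
    "user-mode", "kernel", or "unknown"."""
    if data[:8] in (b"PAGEDUMP", b"PAGEDU64"):
        return "kernel", {"bits": 64 if data[:8] == b"PAGEDU64" else 32}
    if len(data) < 32 or data[:4] != b"MDMP":
        return "unknown", {}
    _, _, streams, _, _, stamp, flags = struct.unpack_from(HEADER, data)
    names = [n for bit, n in sorted(MINIDUMP_FLAGS.items()) if flags & bit]
    return "user-mode", {
        "streams": streams,
        "timestamp": stamp,          # seconds since 1970-01-01 UTC
        "flags": names or ["Normal"],
        "full_memory": bool(flags & 0x0002),
    }


def sample_header(flags):
    """Build a constructed 32-byte user-mode header for demonstration."""
    return struct.pack(HEADER, b"MDMP", 0xA793, 9, 32, 0, 1327622400, flags)


if __name__ == "__main__":
    print(classify_dump(sample_header(0x0000)))     # small minidump
    print(classify_dump(sample_header(0x0002)))     # full-memory dump
    print(classify_dump(b"PAGEDU64" + bytes(24)))   # kernel dump
```

On a real file, pass the first 32 bytes read in binary mode.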
 
W7Forums is an independent website and is not affiliated with Microsoft Corporation.
