Advanced Windows Debugging – III

Using ADPlus to force a memory dump of a Windows process

When you have to investigate a process that abruptly misbehaves for only a short time and the problem cannot be reproduced at will, you can use the adplus tool from the Microsoft Debugging Tools for Windows, which creates a complete process memory dump that you can analyze offline to understand the process's behavior.

Using AdPlus:

1. Download and install "Debugging Tools for Windows" from http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx on the repro machine.
2. Install it to c:\debuggers or another easy-to-find location.
3. Determine the ProcessID of the process you want to debug using tlist.exe (in the debuggers folder) or from Task Manager, […]


Advanced Windows Debugging – II

Using the User Dump utility to generate a user process dump

Instructions for the USERDUMP utility:

1. Download User Dump: http://support.microsoft.com/kb/241215
2. Run the Setup.exe program that comes with the Userdump tool. This installs a kernel-mode driver, Userdump.sys, and also creates a Control Panel applet called "Process Dump".
3. Open the Control Panel applet called "Process Dump".
4. Click the 'New' button and enter the name of the executable that you want to monitor (you do not need to type the full path, just the executable file name, such as spoolsv.exe).
5. Click OK.
6. Highlight the name […]


Advanced Windows Debugging – I

Setting up workstations for a complete memory dump

Manual: Right-click on My Computer -> Properties -> Advanced -> Startup and Recovery -> Settings -> under the "Write Debugging Information" drop-down box, select "Complete Memory Dump" and click OK.

Registry automation:
Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
Key type: REG_DWORD
Key name: CrashDumpEnabled
Set this value to 1 for a complete memory dump.

Enable Winlogon logging on workstations

Follow the instructions below to enable Winlogon logging on machines:
Value path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Value name: ExtensionDebugLevel
Value type: REG_DWORD
Value data: 2

After enabling logging here, you get a log file named Winlogon.log, and […]
