Dump a process

fremag edited this page Nov 5, 2016 · 11 revisions

There are many tools to dump a process' memory.

MemoScope

MemoScope has its own module to dump process memory. If you want to dump a:

  • 64 bit process, run MemoScope x64
  • 32 bit process, run MemoScope x86. No problem if you run a 64 bit OS.

In the "Main" toolbar, click on the "Process" button.

First you will have to select a "Root dir" folder where your dump files will be stored:

Select Process

Then select a process in the combobox:

Another way to select a process:

  • "drag" the "Bow" button, i.e. click on the button but don't release it yet
  • MemoScope main window is minimized
  • your mouse cursor will look like an arrow
  • move it over the process' window you want to dump
  • release the mouse button
  • MemoScope main window is back to normal state
  • Your process is selected

Monitor Process

MemoScope will display and chart information about the selected process:

  • Start, total process and user processor time
  • Handle count
  • Paged, Virtual, Working set memory

Dump Process

There are two ways to dump:

  • Once: click the "Dump Process Now" button (with the green arrow)
  • Periodically: input a timespan and click on the "Start time" button (with the clock). MemoScope will dump the process at the end of every period of time.

Once the memory is dumped, a message is displayed in the notification area.

Dump Triggers

Just drag & drop some values from the grid and write a condition in C#.

Examples:

  • WorkingSet > 200e6 : dump when working set memory is higher than 200 MB
  • Here is a more complex expression:
    PagedMemory > 200e6
    || File.Exists(@"c:\temp\toto.txt")
    || (DateTime.Now.Hour > 22
        && Environment.GetEnvironmentVariable("MyVar") == "OK")
    || (UserTime.TotalMinutes > Math.PI)

Code can use any method from these types: DateTime, TimeSpan, Regex, Math, File, Environment
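
A trigger condition can be prototyped outside MemoScope before it is entered in the tool. The following is an added example, not MemoScope's own code: it samples a process once per second and evaluates the complex expression shown above. The Counters record, the TriggerDemo class and the mapping of the trigger variables to System.Diagnostics.Process properties are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Threading;

// Added example, not MemoScope code. Field names mirror the page's trigger variables;
// reading them from System.Diagnostics.Process is an assumption about their source.
record Counters(long WorkingSet, long PagedMemory, long VirtualMemory, int HandleCount,
                TimeSpan UserTime, TimeSpan TotalTime, DateTime StartTime);

static class TriggerDemo
{
    static Counters Read(Process p)
    {
        p.Refresh(); // Process caches its counters; refresh before each sample
        return new Counters(p.WorkingSet64, p.PagedMemorySize64, p.VirtualMemorySize64,
            p.HandleCount, p.UserProcessorTime, p.TotalProcessorTime, p.StartTime);
    }

    static int Main(string[] args) // usage: TriggerDemo <pid>
    {
        if (args.Length != 1 || !int.TryParse(args[0], out int pid)) return 2;
        // The page's complex trigger expression, written as a predicate over one sample.
        Func<Counters, bool> trigger = m =>
            m.PagedMemory > 200e6
            || File.Exists(@"c:\temp\toto.txt")
            || (DateTime.Now.Hour > 22 && Environment.GetEnvironmentVariable("MyVar") == "OK")
            || m.UserTime.TotalMinutes > Math.PI;
        try
        {
            using var process = Process.GetProcessById(pid);
            while (!process.HasExited)
            {
                Counters sample = Read(process);
                if (trigger(sample))
                {
                    Console.WriteLine($"{DateTime.Now:T} trigger fired: {sample}");
                    return 0; // the point at which a dump would be requested
                }
                Thread.Sleep(1000);
            }
            Console.WriteLine("process exited before the trigger fired");
        }
        catch (Exception e) when (e is ArgumentException or InvalidOperationException or Win32Exception)
        {
            // Unknown pid, process exited mid-sample, or counters not readable with current rights.
            Console.Error.WriteLine($"cannot sample process {pid}: {e.Message}");
        }
        return 1;
    }
}
```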

Task Manager

If your OS is 64 bit but your process is 32 bit, you must run the 32 bit version of Task Manager. It's located at C:\Windows\SysWOW64\taskmgr.exe

Select your process and right click on it:

NB: MemoScope works only on .NET processes; here Edge is selected just to take a screenshot.

Click on "Create a dump file":

Then your dump file is created.

(thanks to @johnrp for the screenshots in English and Win 10)

MemoScope API

Sometimes you want your process to be dumped at a specific point of your code / runtime. A good way to obtain a dump when and where you want is to call the MemoScope API. Request a dump in your application code:

var client = new MemoScopeClient();
client.Open();
client.DumpMe();

Start MemoScope and your application will connect to it and send a dump request.

Others
