Is it possible to create a full memory dump of a Windows service when it crashes? Obviously, there are the well known postmortem debuggers, which can collect a memory dump of a failing process. But the problem with Windows services is that they are running within the system-context and not in the user-context. Can anybody help me?
Until now, I tried it with WinDbg:
- I set up WinDbg as the default postmortem Debugger by executing WinDbg -I.
- I verified that within both locations of the registry (HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebug and HKLM\SOFTWARE\Wow6432Node\Microsoft\WindowsNT\CurrentVersion\AeDebug) the two entries Auto and Debugger exist.
- I configured WinDbg to automatically write memory dumps at startup by changing the Debugger entry to "Path\WinDbg.exe" -p %ld –c ".dump /ma /u D:\CrashDump.dmp" -e %ld –g
- I verified that WinDbg has privileges to the target location of the memory dump file with and without administrative privileges.
But it does not work. :(
If I write a normal user-mode application which intentionally crashes after startup, WinDbg pops-up and automatically writes the .dmp file to the target location. But if my service crashes, it does not. Within the task manager, I can see that WinDbg gets started after the process of my service crashes, but both just remain in the list without any dump file.
Make sure that Auto for the AeDebug key is set to 1. Also change the windbg command line to:
"Path\WinDbg.exe" -p %ld –c ".dump /ma /u D:\CrashDump.dmp;qd" -e %ld –G
If you do not detach from the debuggee the debugger will wait for further commands. Also -G option will close the debugger immediately after the process ends. Simple to configure and probably more suited for such scenarios is procdump from sysinternals - it can also create full memory dumps and you install it with:
procdump -ma -i D:\crashdump
command.