Dump a process - fremag/MemoScope.Net GitHub Wiki

There are many tools to dump a process' memory.

MemoScope

MemoScope has its own module to dump process memory. If you want to dump a:

  • 64-bit process, run MemoScope x64
  • 32-bit process, run MemoScope x86. This also works on a 64-bit OS.

In the "Main" toolbar, click the "Process" button.

/img/MemoScope_MainBar_DumpProcess.png

First you will have to select a "Root dir" folder where your dump files will be stored: /img/MemoScope_Explorer_RootDir.png

Select Process

Then select a process in the combobox: /img/MemoScope_Process_Select.gif

Another way to select a process:

  • "drag" the "Bow" button, i.e. click on the button but don't release it yet
  • MemoScope main window is minimized
  • your mouse cursor will look like an arrow
  • move it over the process' window you want to dump
  • release the mouse button
  • MemoScope main window is back to normal state
  • Your process is selected

/img/MemoScope_DragOverProcess.gif

Monitor Process

MemoScope will display and chart information about the selected process:

  • Start, total process and user processor time
  • Handle count
  • Paged, Virtual, Working set memory

/img/MemoScope_Process_Monitoring.gif

Dump Process

There are two ways to dump:

  • Once: click the "Dump Process Now" button (with the green arrow)
  • Periodically: input a timespan and click on the "Start time" button (with the clock). MemoScope will dump the process at the end of every period of time.

/img/MemoScope_Process_Dump.gif

Once the memory is dumped, a message is displayed in the notification area.

img/Memocope_Process_DumpedNotification.png

Dump Triggers

Just drag & drop some values from the grid and write a condition in C#. /img/MemoScope_Process_DragDropValue.gif

Examples:

  • WorkingSet > 200e6 : dump when working set memory is higher than 200 MB
  • Here is a more complex expression:
    PagedMemory > 200e6
    || File.Exists(@"c:\temp\toto.txt")
    || (DateTime.Now.Hour > 22
        && Environment.GetEnvironmentVariable("MyVar") == "OK")
    || (UserTime.TotalMinutes > Math.PI)

Code can use any method from these types: DateTime, TimeSpan, Regex, Math, File, Environment

Task Manager

If your OS is 64-bit but your process is 32-bit, you must run the 32-bit version of Task Manager. It's located at C:\Windows\SysWOW64\taskmgr.exe

Select your process and right click on it:

/img/TaskManager.png

NB: MemoScope works only on .NET processes; Edge is selected here just to take a screenshot.

Click on "Create a dump file":

/img/TaskManager_Dumped.png

Then your dump file is created.

(thanks to @johnrp for the screenshots in English and Win 10)
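To find out which MemoScope build or Task Manager binary applies to a given process, the C# console program below reports whether a process ID belongs to a 32-bit or 64-bit process. It is an added example, not part of MemoScope or this wiki; the class name DumpToolPicker is hypothetical and the code assumes x86/x64 Windows.

```csharp
// Added example (not MemoScope code): report a process's bitness so you know
// which MemoScope build / Task Manager binary to use. Assumes x86/x64 Windows.
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class DumpToolPicker // hypothetical name
{
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool IsWow64Process(IntPtr hProcess, out bool wow64Process);

    // True when the target is a 32-bit process.
    static bool Is32Bit(Process p)
    {
        if (!Environment.Is64BitOperatingSystem) return true; // 32-bit OS: all processes are 32-bit
        if (!IsWow64Process(p.Handle, out bool wow64))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return wow64; // WOW64 means a 32-bit process on a 64-bit OS
    }

    static int Main(string[] args)
    {
        if (args.Length != 1 || !int.TryParse(args[0], out int pid))
        {
            Console.Error.WriteLine("usage: DumpToolPicker <pid>");
            return 2;
        }
        try
        {
            using (Process p = Process.GetProcessById(pid))
            {
                bool x86 = Is32Bit(p);
                Console.WriteLine($"{p.ProcessName} (pid {pid}) is {(x86 ? "32" : "64")}-bit");
                Console.WriteLine("MemoScope build: " + (x86 ? "x86" : "x64"));
                // The SysWOW64 path is the one given on this page for 32-bit processes on a 64-bit OS.
                Console.WriteLine("Task Manager:    " + (x86 && Environment.Is64BitOperatingSystem
                    ? @"C:\Windows\SysWOW64\taskmgr.exe"
                    : "default taskmgr.exe"));
            }
            return 0;
        }
        catch (ArgumentException) { Console.Error.WriteLine($"no process with pid {pid}"); return 1; }
        catch (Win32Exception e) { Console.Error.WriteLine("cannot query process: " + e.Message); return 1; }
        catch (InvalidOperationException e) { Console.Error.WriteLine("process exited: " + e.Message); return 1; }
    }
}
```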

MemoScope API

Sometimes you want your process to be dumped at a specific point in your code or runtime. A good way to obtain a dump when and where you want is to call the MemoScope API and request a dump from your application code:

var client = new MemoScopeClient();
// Open the connection to MemoScope
client.Open();
// Send the dump request for this process
client.DumpMe();

Start MemoScope and your application will connect to it and send a dump request.

Others