How can i take a user dump using powershell
12,753
Solution 1
Based on this article from Risksense. MiniDump
function from native comsvcs.dll
Windows dll could be used.
Like:
Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump {ID-of-the-process} $Env:TEMP\my_dump_file.bin full
Solution 2
The easiest way is to use Procdump from Sysinternals toolkit. Use Get-Process
to get process id, which you can pass to Procdump for actual dumping.
Edit:
I'd still rather use readily available tools instead of the hard way. Have you got a valid business reason? Since you insist, there is a Win32 API call that creates user mode memory dumps. It can be invoked from .Net code, so either use P/Invoke or embed C# into your Powershell code. This is left as an exercise to the reader.
Author by
Shree
Updated on June 04, 2022Comments
-
Shree about 2 years
I want to take user dump of a process using powershell How can i do it? The same I get on rightclicking the process in Taskmanager
-
Shree over 11 yearsIs there a way to do it using some internal commands of Powershell or cmd or using wmi:?
-
vonPryz over 11 yearsWin32_product looks like a typo to me. In addition, Win32_process does provide you a handle for process, but not a way to create a memory dump for one.
-
Shree over 11 yearsI wanted to have this because I need this script to run on a number of different Machines. and I dont want to install them on each of them .
-
zett42 almost 4 yearsNote that the dump file path cannot have spaces (quoting doesn't work). For the directory part of the path, one can work around by setting the current directory (or specify argument -WorkingDirectory for
Start-Process
) so we only have to pass the filename of the dump file to rundll32. -
user about 3 yearsHow to use
procdump
to collect a core on demand, i.e., now instead of waiting the process to crash or something else ?