Reputation: 13
Take kernel dump on-demand from user-space without kernel debugging (Windows)
What would be the simplest and most portable way (in the sense of only having to copy a few files to the target machine, like procdump is) to generate a kernel dump that has handle information?
procdump has the -mk option which generates a limited dump file pertaining to the specified process. It is reported in WinDbg as:
Mini Kernel Dump File: Only registers and stack trace are available. Most of the commands I try (!handle, !process 0 0) fail to read the data.
Seems that officially, windbg and kd would generate dumps (which would require kernel debugging).
A weird solution I found is using livekd with -ml: Generate live dump using native support (Windows 8.1 and above only).. livekd still looks for kd.exe, but does not use it :) so I can trick it with an empty file, and does not require kernel debugging. Any idea how that works?
Upvotes: 1
Views: 710
Answers (1)
Reputation: 5499
LiveKD uses the undocumented NtSystemDebugControl API to capture the memory dump. While you can easily find information about that API online the easiest thing to do is just use LiveKD.
Upvotes: 2
Related Questions
- How to create a kernel dump using WinDbg
- User Initiated Kernel dump in Windows XP
- Is it possible to create mini dump file programmatically without a crash?
- How do I create a full memory dump to a remote machine?
- Creating a windows kernel dump using C (kernel mode driver)
- How to generate kernel dump by using Windbg?
- How to get crash dump in Windows 8.1 without using WinDbg
- WinDbg to create dump file upon crash?
- Simplest method for creating dump file for troubled process
- Is it possible to debug a userland application from kernel land?