dump抓取方法

1.hang dump

（1）任务管理--选中待跟踪进程--右键--创建转储文件

（2）process-explorer抓取

下载地址： https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

使用方式：运行procexp.exe--找到待分析进程--右键--creat dump--create full dump

2.crash dump

（1）procdump抓取

工具下载地址：https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump

使用方法：

将下载的工具包解压，然后打开控制台命令行窗口，并跳转到procdump.exe所在路径下。输入procdump回车即可查看帮助，想看更详细示例可以用procdump -? -e

D:ToolsPerformanceDotNet ToolProcdump>procdump -? -e

ProcDump v8.0 - Writes process dump files
Copyright (C) 2009-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards

Monitors a process and writes a dump file when the process exceeds the
specified criteria or has an exception.

Capture Usage:
   procdump.exe [-ma | -mp | -d Callback_DLL] [-64]
                [-n Count]
                [-s Seconds]
                [-c|-cl CPU_Usage [-u]]
                [-m|-ml Commit_Usage]
                [-p|-pl Counter_Threshold]
                [-h]
                [-e [1 [-g] [-b]]]
                [-l]
                [-t]
                [-f Filter, ...]
                [-o]
                [-r [1..5] [-a]]
                {
                 {{[-w] Process_Name | Service_Name | PID} [Dump_File | Dump_Folder] }
                |
                 {-x Dump_Folder Image_File [Argument, ...]}
                }
Install Usage:
   procdump.exe -i [Dump_Folder]
                [-ma | -mp | -d Callback_DLL]
Uninstall Usage:
   procdump.exe -u

Examples:

-------------------------------------------------------------------------------
- Write a mini dump of a process named 'notepad' (only one match can exist):
    C:>procdump notepad

-------------------------------------------------------------------------------
- Write a full dump of a process with PID '4572':
    C:>procdump -ma 4572

-------------------------------------------------------------------------------
- Write 3 mini dumps 5 seconds apart of a process named 'notepad':
    C:>procdump -n 3 -s 5 notepad

-------------------------------------------------------------------------------
- Write up to 3 mini dumps of a process named 'consume' when it exceeds
         20% CPU usage for five seconds:
    C:>procdump -n 3 -s 5 -c 20 consume

-------------------------------------------------------------------------------
- Write a mini dump for a process named 'hang.exe' when one of its
         windows is unresponsive for more than 5 seconds:
    C:>procdump -h hang.exe

-------------------------------------------------------------------------------
- Write a mini dump of a process named 'outlook' when total system CPU
         usage exceeds 20% for 10 seconds:
    C:>procdump outlook -p "Processor(_Total)\% Processor Time" 20

- Write a full dump of a process named 'outlook' when Outlook's handle count
         exceeds 10,000:
    C:>procdump -ma outlook -p "Process(Outlook)Handle Count" 10000

-------------------------------------------------------------------------------
- Writes a full dump for a 2nd chance exception:
    C:>procdump -ma -e w3wp.exe

- Writes a full dump for a 1st or 2nd chance exception:
    C:>procdump -ma -e 1 w3wp.exe

- Writes a full dump for a debug string message:
    C:>procdump -ma -l w3wp.exe

- Write up to 10 full dumps of each 1st or 2nd chance exception of w3wp.exe:
    C:>procdump -ma -n 10 -e 1 w3wp.exe

- Write up to 10 full dumps if an exception's code/name/msg contains 'NotFound':
    C:>procdump -ma -n 10 -e 1 -f NotFound w3wp.exe

- Write up to 10 a full dump if a debug string message contains 'NotFound':
    C:>procdump -ma -n 10 -l -f NotFound w3wp.exe

-------------------------------------------------------------------------------
- Wait for a process called 'notepad' (and monitor it for exceptions):
    C:>procdump -e -w notepad

- Launch a process called 'notepad' (and monitor it for exceptions):
    C:>procdump -e -x c:dumps notepad

- Register for launch, and attempt to activate, a store 'application'.
         A new ProcDump instance will start when it is activated:
    C:>procdump -e -x c:dumps Microsoft.BingMaps_8wekyb3d8bbwe!AppexMaps

- Register for launch of a store 'package'.
         A new ProcDump instance will start when it is (manually) activated:
    C:>procdump -e -x c:dumps Microsoft.BingMaps_1.2.0.136_x64__8wekyb3d8bbwe

-------------------------------------------------------------------------------
- Windows 7/8.0; Use Reflection to reduce outage for 5 consecutive triggers:
    C:>procdump -r -ma -n 5 -s 15 wmplayer.exe

- Windows 8.1+; Use PSS to reduce outage for 5 concurrent triggers:
    C:>procdump -r 5 -ma -n 5 -s 15 wmplayer.exe

-------------------------------------------------------------------------------
- Install ProcDump as the (AeDebug) postmortem debugger:
    C:>procdump -ma -i c:dumps
    ..or..
    C:Dumps>procdump -ma -i

- Uninstall ProcDump as the (AeDebug) postmortem debugger:
    C:>procdump -u

-------------------------------------------------------------------------------


D:ToolsPerformanceDotNet ToolProcdump>

（2）WER抓取

WER配置方法：
• 打开注册表编辑器(use Win+R shortcut key to launch the Run window).
• 定位到注册表：“HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumps”, 如果不存在，则创建该键；
• 在该键值下使用程序名创建子健“HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumps”, 键值名为您应用程序的名称，如您的环境中为“w3wp.exe”
• 在 “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumpsw3wp.exe”, 子健下创建三个项，如下表：

Value Name	Type	value
DumpFolder	REG_EXPAND_SZ	c:dumps
DumpCount	REG_DWORD	5
DumpType	REG_DWORD	2

Note:
DumpFolder 根据实际情况，选择合适的路径即可.
配置后如下截图，注意其中的程序名称需要更改为待跟踪进程名称