Get the following tools handy:
- Procmon: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
- Process Explorer: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
- Procdump: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

Tip: You can pre-watch this video on Procmon here: https://kb.policypak.com/kb/article/507-03-process-monitor-101/

- Start Procmon and let it run. It will start to generate a file.
- Reproduce the problem / make the process hang. Make sure it really hangs, then...

Then, while it's hung:

- Run Process Explorer to find the process. You want the PID of the process with the problem. An example of a hung process can be seen here, with PID 1072. Hanging processes should be easy to spot.
  NOTE: processes shown in RED are not necessarily BAD. Red just means the process is EXITING successfully.
- Note the process name and/or PID.
- Next, get a Procdump. "procdump -ma 1072" ought to do it (recommended). Or use "procdump "PPGPCR auditor.exe"" to dump a process by name.
  WARNING: If you use the process name for the dump, first make sure in Process Explorer that there are NO OTHER tasks with the SAME NAME, because Procdump will not dump them all, and you must dump the RIGHT process. This is why you should also note the PID: the PID is a better bet.
- When the dump is done, you can stop Procmon (File | uncheck Capture Events).
- Save the Procmon file as a PML file with all details.
- ZIP the Procdump and Procmon outputs as SRX12345-DUMPS.ZIP (using your SRX number, not 12345).
- Upload via ShareFile. Do NOT attach the ZIP to your ticket. This will let us continue our analysis.
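As an added example (not PolicyPak's own script), the PowerShell below wraps the Procdump and ZIP steps above: it refuses to dump by name when several same-named processes are running, takes a full dump by PID, and packages it with the PML trace under the SRX-number file name. It assumes procdump.exe is on PATH and that the Procmon trace has already been saved to the path given by -PmlPath; the -OutDir and dump file names are made up for this example.

```powershell
# Added example, not PolicyPak's own script: wraps the Procdump and ZIP steps above.
# Assumes procdump.exe is on PATH (or pass -ProcDump with its full path) and that
# the Procmon trace was already saved as the PML file named by -PmlPath.
param(
    [int]$Id,                                   # PID from Process Explorer (preferred)
    [string]$ProcessName,                       # or a name, e.g. "PPGPCR auditor.exe"
    [Parameter(Mandatory)][string]$SrxNumber,   # your SRX ticket number, e.g. 12345
    [string]$PmlPath = "$PWD\Logfile.PML",
    [string]$ProcDump = "procdump.exe",
    [string]$OutDir = "$PWD\dumps"
)

if (-not $Id) {
    if (-not $ProcessName) { throw "Give -Id (preferred) or -ProcessName." }
    $name  = [IO.Path]::GetFileNameWithoutExtension($ProcessName)
    $found = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) { throw "No running process named '$name'." }
    if ($found.Count -gt 1) {
        # Same-named processes: dumping by name risks grabbing the wrong one,
        # so list them and make the operator choose the PID instead.
        $found | Format-Table Id, ProcessName, StartTime -AutoSize | Out-String | Write-Host
        throw "Several '$name' processes are running; re-run with -Id <PID>."
    }
    $Id = $found[0].Id
}

$target = Get-Process -Id $Id -ErrorAction Stop     # fails early if the PID is already gone
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$dumpFile = Join-Path $OutDir ("{0}_{1}.dmp" -f $target.ProcessName, $Id)

# -ma writes a full memory dump (what the article recommends); -accepteula skips the EULA prompt.
& $ProcDump -accepteula -ma $Id $dumpFile
if (-not (Test-Path $dumpFile)) { throw "Procdump did not write $dumpFile; check its output above." }

# Bundle the dump and the PML trace under the SRX-number name the article asks for.
$zip   = Join-Path $PWD ("SRX{0}-DUMPS.ZIP" -f $SrxNumber)
$items = @($dumpFile)
if (Test-Path $PmlPath) { $items += $PmlPath }
else { Write-Warning "PML not found at $PmlPath; the ZIP will contain the dump only." }
Compress-Archive -Path $items -DestinationPath $zip -Force
Write-Host "Created $zip for $($target.ProcessName) (PID $Id). Upload it via ShareFile, not the ticket."
```

Run it only after Procmon has been stopped and the PML saved, e.g. .\Get-HangDump.ps1 -Id 1072 -SrxNumber 12345 -PmlPath C:\Traces\Logfile.PML.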