{
	"id": "b3a1f2ee-80c3-4e1d-94ac-5999d42db509",
	"created_at": "2026-04-06T00:08:44.978501Z",
	"updated_at": "2026-04-10T03:22:07.582311Z",
	"deleted_at": null,
	"sha1_hash": "44b0cd5edb1fba7af4204f72ae056be91a652e9d",
	"title": "ProcDump - Sysinternals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118030,
	"plain_text": "ProcDump - Sysinternals\r\nBy markruss\r\nArchived: 2026-04-05 17:12:37 UTC\r\nBy Mark Russinovich and Andrew Richards\r\nPublished: November 13, 2025\r\n Download ProcDump (1.2 MB)\r\nIntroduction\r\nProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and\r\ngenerating crash dumps during a spike that an administrator or developer can use to determine the cause of the\r\nspike. ProcDump also includes hung window monitoring (using the same definition of a window hang that\r\nWindows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of\r\nsystem performance counters. It also can serve as a general process dump utility that you can embed in other\r\nscripts.\r\nUsing ProcDump\r\nCapture Usage:\r\nprocdump.exe [-mm] [-ma] [-mt] [-mp] [-mc \u003cMask\u003e] [-md \u003cCallback_DLL\u003e] [-mk]\r\n [-n \u003cCount\u003e]\r\n [-s \u003cSeconds\u003e]\r\n [-c|-cl \u003cCPU_Usage\u003e [-u]]\r\n [-m|-ml \u003cCommit_Usage\u003e]\r\n [-p|-pl \u003cCounter\u003e \u003cThreshold\u003e]\r\n [-h]\r\n [-e [1] [-g] [-b] [-ld] [-ud] [-ct] [-et]]\r\n [-l]\r\n [-t]\r\n [-f \u003cInclude_Filter\u003e, ...]\r\n [-fx \u003cExclude_Filter\u003e, ...]\r\n [-dc \u003cComment\u003e]\r\n [-o]\r\n [-r [1..5] [-a]]\r\n [-at \u003cTimeout\u003e]\r\n [-wer]\r\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/procdump\r\nPage 1 of 9\n\n[-64]\r\n {\r\n {{[-w] \u003cProcess_Name\u003e | \u003cService_Name\u003e | \u003cPID\u003e} [\u003cDump_File\u003e | \u003cDump_Folder\u003e]}\r\n |\r\n {-x \u003cDump_Folder\u003e \u003cImage_File\u003e [Argument, ...]}\r\n }\r\nInstall Usage:\r\nprocdump.exe -i [Dump_Folder]\r\n [-mm] [-ma] [-mt] [-mp] [-mc \u003cMask\u003e] [-md \u003cCallback_DLL\u003e] [-mk]\r\n [-r]\r\n [-at \u003cTimeout\u003e]\r\n [-k]\r\n [-wer]\r\nUninstall Usage:\r\nprocdump.exe -u\r\nDump Types:\r\nDump\r\nType\r\nDescription\r\n-mm\r\nWrite a 'Mini' dump file. (default)\r\n- Includes directly and indirectly referenced memory (stacks and what they reference).\r\n- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).\r\n-ma\r\nWrite a 'Full' dump file.\r\n- Includes all memory (Image, Mapped and Private).\r\n- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).\r\n-mt\r\nWrite a 'Triage' dump file.\r\n- Includes directly referenced memory (stacks).\r\n- Includes limited metadata (Process, Thread, Module and Handle).\r\n- Removal of sensitive information is attempted but not guaranteed.\r\n-mp\r\nWrite a 'MiniPlus' dump file.\r\n- Includes all Private memory and all Read/Write Image or Mapped memory.\r\n- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).\r\n- To minimize size, the largest Private memory area over 512MB is excluded.\r\n  A memory area is defined as the sum of same-sized memory allocations.\r\n  The dump is as detailed as a Full dump but 10%-75% the size.\r\n- Note: CLR processes are dumped as Full (-ma) due to debugging limitations.\r\n-mc\r\nWrite a 'Custom' dump file.\r\n- Includes the memory and metadata defined by the specified MINIDUMP_TYPE mask (Hex).\r\n-md\r\nWrite a 'Callback' dump file.\r\n- Includes the memory defined by the MiniDumpWriteDump callback routine named\r\nMiniDumpCallbackRoutine of the specified DLL.\r\n- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).\r\n-mk\r\nAlso write a 'Kernel' dump file.\r\n- Includes the kernel stacks of the threads in the process.\r\n- OS doesn't support a kernel dump ( -mk ) when using a clone ( -r ).\r\n- When using multiple dump sizes, a kernel dump is taken for each dump size.\r\nConditions:\r\nCondition Description\r\n-a\r\nAvoid outage. Requires -r . If the trigger will cause the target to suspend for a prolonged time\r\ndue to an exceeded concurrent dump limit, the trigger will be skipped.\r\n-at Avoid outage at Timeout. Cancel the trigger's collection at N seconds.\r\n-b Treat debug breakpoints as exceptions (otherwise ignore them).\r\n-c CPU threshold above which to create a dump of the process.\r\n-cl CPU threshold below which to create a dump of the process.\r\n-dc Add the specified string to the generated Dump Comment.\r\n-e\r\nWrite a dump when the process encounters an unhandled exception.\r\nInclude the 1 to create dump on first chance exceptions.\r\nAdd -ld to create a dump when a DLL (module) is loaded (filtering applies).\r\nAdd -ud to create a dump when a DLL (module) is unloaded (filtering applies).\r\nAdd -ct to create a dump when a thread is created.\r\nAdd -et to create a dump when a thread exits.\r\n-f\r\nFilter (include) on the content of exceptions, debug logging and filename at DLL load/unload.\r\nWildcards (*) are supported.\r\n-fx\r\nFilter (exclude) on the content of exceptions, debug logging and filename at DLL load/unload.\r\nWildcards (*) are supported.\r\n-g Run as a native debugger in a managed process (no interop).\r\n-h\r\nWrite dump if process has a hung window (does not respond to window messages for at least 5\r\nseconds).\r\n-k Kill the process after cloning ( -r ), or at end of dump collection.\r\n-l Display the debug logging of the process.\r\n-m Memory commit threshold in MB at which to create a dump.\r\n-ml Trigger when memory commit drops below specified MB value.\r\n-n Number of dumps to write before exiting.\r\n-o Overwrite an existing dump file.\r\n-p\r\nTrigger when the Performance Counter is at, or exceeds, the specified Threshold. Some\r\nCounters and/or Instance Names can be case-sensitive.\r\n-pl Trigger when the Performance Counter falls below the specified Threshold.\r\n-r\r\nDump using a clone. Concurrent limit is optional (default 1, max 5). OS doesn't support a kernel\r\ndump ( -mk ) when using a clone ( -r ). CAUTION: a high concurrency value may impact\r\nsystem performance.\r\n- Windows 7: Uses Reflection. OS doesn't support -e .\r\n- Windows 8.0: Uses Reflection. OS doesn't support -e .\r\n- Windows 8.1+: Uses PSS. All trigger types are supported.\r\n-s Consecutive seconds before dump is written (default is 10).\r\n-t Write a dump when the process terminates.\r\n-u Treat CPU usage relative to a single core (used with -c ).\r\n-v DEBUG ONLY: Verbose output.\r\n-w Wait for the specified process to launch if it's not running.\r\n-wer Queue the (largest) dump to Windows Error Reporting.\r\n-x\r\nLaunch the specified image with optional arguments. If it is a Store Application or Package,\r\nProcDump will start on the next activation (only).\r\n-y HIDDEN: Store Application activation.\r\n-64 By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit\r\nWindows. This option overrides to create a 64-bit dump. Only use for WOW64 subsystem\r\ndebugging.\r\nLicense Agreement:\r\nUse the -accepteula command line option to automatically accept the Sysinternals license agreement.\r\nAutomated Termination:\r\n-cancel \u003cTarget Process PID\u003e\r\nUsing this option or setting an event with the name ProcDump-\u003cPID\u003e is the same as typing Ctrl+C to gracefully\r\nterminate ProcDump. Graceful termination ensures the process is resumed if a capture is active. The cancellation\r\napplies to ALL ProcDump instances monitoring the process.\r\nFilename:\r\nDefault dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp\r\nThe following substitutions are supported:\r\nSubstitution Explanation\r\nPROCESSNAME Process Name\r\nPID Process ID\r\nEXCEPTIONCODE Exception Code\r\nYYMMDD Year/Month/Day\r\nHHMMSS Hour/Minute/Second\r\nExamples\r\nWrite a mini dump of a process named 'notepad' (only one match can exist):\r\nC:\\\u003eprocdump notepad\r\nWrite a Full dump of a process with PID '4572':\r\nC:\\\u003eprocdump -ma 4572\r\nWrite a Mini first, and then a Full dump of a process with PID '4572':\r\nC:\\\u003eprocdump -mm -ma 4572\r\nWrite 3 Mini dumps 5 seconds apart of a process named 'notepad':\r\nC:\\\u003eprocdump -n 3 -s 5 notepad\r\nWrite up to 3 Mini dumps of a process named 'consume' when it exceeds 20% CPU usage for five seconds:\r\nC:\\\u003eprocdump -n 3 -s 5 -c 20 consume\r\nWrite a Mini dump for a process named 'hang.exe' when one of its windows is unresponsive for more than\r\n5 seconds:\r\nC:\\\u003eprocdump -h hang.exe\r\nWrite a Full and Kernel dump for a process named 'hang.exe' when one of its windows is unresponsive for\r\nmore than 5 seconds:\r\nC:\\\u003eprocdump -ma -mk -h hang.exe\r\nWrite a Mini dump of a process named 'outlook' when total system CPU usage exceeds 20% for 10\r\nseconds:\r\nC:\\\u003eprocdump outlook -s 10 -p \"\\Processor(_Total)\\% Processor Time\" 20\r\nWrite a Full dump of a process named 'outlook' when Outlook's handle count exceeds 10,000:\r\nC:\\\u003eprocdump -ma outlook -p \"\\Process(Outlook)\\Handle Count\" 10000\r\nWrite a Full dump of 'svchost' PID 1234, Instance #87, when the handle count exceeds 10,000:\r\nC:\\\u003eprocdump -ma 1234 -p \"\\Process(svchost#87)\\Handle Count\" 10000\r\nNote: Multiple Instance Counters\r\nIf there are multiple instances of the counter, you'll need to include the Name and/or Instance number.\r\n\\Processor(NNN)\\% Processor Time\r\n\\Thermal Zone Information(\u003cname\u003e)\\Temperature\r\n\\Process(\u003cname\u003e[#NNN])\\\u003ccounter\u003e\r\nOlder OSes require you to append the PID for \\Process counters.\r\n\\Process(\u003cname\u003e[_PID])\\\u003ccounter\u003e\r\nTip: Use Performance Monitor to view the counters (esp. case sensitivity).\r\nTip: For \\Process(*) based counters, use PowerShell to map a PID to its #NNN .\r\nGet-Counter -Counter \"\\Process(*)\\ID Process\"\r\nWrite a Full dump for a 2nd chance exception:\r\nC:\\\u003eprocdump -ma -e w3wp.exe\r\nWrite a Full dump for a 1st or 2nd chance exception:\r\nC:\\\u003eprocdump -ma -e 1 w3wp.exe\r\nWrite a Full dump for a debug string message:\r\nC:\\\u003eprocdump -ma -l w3wp.exe\r\nWrite up to 10 Full dumps of each 1st or 2nd chance exception of w3wp.exe:\r\nC:\\\u003eprocdump -ma -n 10 -e 1 w3wp.exe\r\nWrite up to 10 Full dumps if an exception's code/name/msg contains ' NotFound ':\r\nC:\\\u003eprocdump -ma -n 10 -e 1 -f NotFound w3wp.exe\r\nWrite up to 10 Full dumps if a debug string message contains ' NotFound ':\r\nC:\\\u003eprocdump -ma -n 10 -l -f NotFound w3wp.exe\r\nWait for a process called 'notepad' (and monitor it for exceptions):\r\nC:\\\u003eprocdump -e -w notepad\r\nLaunch a process called 'notepad' (and monitor it for exceptions):\r\nC:\\\u003eprocdump -e -x c:\\dumps notepad\r\nRegister for launch, and attempt to activate, a store 'application'. A new ProcDump instance will start when\r\nit is activated:\r\nC:\\\u003eprocdump -e -x c:\\dumps Microsoft.BingMaps_8wekyb3d8bbwe!AppexMaps\r\nRegister for launch of a store 'package'. A new ProcDump instance will start when it is (manually)\r\nactivated:\r\nC:\\\u003eprocdump -e -x c:\\dumps Microsoft.BingMaps_1.2.0.136_x64__8wekyb3d8bbwe\r\nWrite a MiniPlus dump of the Microsoft Exchange Information Store when it has an unhandled exception:\r\nC:\\\u003eprocdump -mp -e store.exe\r\nDisplay without writing a dump, the exception codes/names of w3wp.exe:\r\nC:\\\u003eprocdump -e 1 -f \"\" w3wp.exe\r\nWindows 7/8.0; Use Reflection to reduce outage for 5 consecutive triggers:\r\nC:\\\u003eprocdump -r -ma -n 5 -s 15 wmplayer.exe\r\nWindows 8.1+; Use PSS to reduce outage for 5 concurrent triggers:\r\nC:\\\u003eprocdump -r 5 -ma -n 5 -s 15 wmplayer.exe\r\nInstall ProcDump as the (AeDebug) postmortem debugger:\r\nC:\\\u003eprocdump -ma -i c:\\dumps\r\n..or..\r\nC:\\Dumps\u003eprocdump -ma -i\r\nUninstall ProcDump as the (AeDebug) postmortem debugger:\r\nC:\\\u003eprocdump -u\r\nSee a list of example command lines (the examples are listed above):\r\nC:\\\u003eprocdump -? -e\r\nWindows Internals Book The official updates and errata page for the definitive book on Windows\r\ninternals, by Mark Russinovich and David Solomon.\r\nWindows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark\r\nRussinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for\r\ntroubleshooting, and example real-world cases of their use.\r\n Download ProcDump (1.2 MB)\r\nDownload ProcDump for Linux (GitHub)\r\nDownload ProcDump for Mac (GitHub)\r\nRuns on:\r\nClient: Windows 11 and higher.\r\nServer: Windows Server 2016 and higher.\r\nLearn More\r\nDefrag Tools: #9 - ProcDump This episode of Defrag Tools covers what the tool captures and expected\r\noutage durations\r\nDefrag Tools: #10 - ProcDump - Triggers This episode covers trigger options in particular 1st \u0026 2nd\r\nchance exceptions\r\nDefrag Tools: #11 - ProcDump - Windows 8 \u0026 Process Monitor This episode covers modern application\r\nsupport and Process Monitor logging support\r\nSource: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://docs.microsoft.com/en-us/sysinternals/downloads/procdump"
	],
	"report_names": [
		"procdump"
	],
	"threat_actors": [],
	"ts_created_at": 1775434124,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44b0cd5edb1fba7af4204f72ae056be91a652e9d.pdf",
		"text": "https://archive.orkl.eu/44b0cd5edb1fba7af4204f72ae056be91a652e9d.txt",
		"img": "https://archive.orkl.eu/44b0cd5edb1fba7af4204f72ae056be91a652e9d.jpg"
	}
}