
FS_Process_Minidump

Ulf Frisk edited this page Mar 7, 2024 · 7 revisions

The minidump per-process directory

The directory minidump exists as a sub-directory in each process directory.

The minidump directory contains a WinDbg-compatible full process minidump file, minidump.dmp, that may be used for debugging.

The minidump file contains:

  • process memory including stacks, heaps and PE images.
  • active process thread information including some CPU register information.
  • active process modules (.dll/.exe).

Minidump files are reconstructed on a best-effort basis. Process memory may be valid, missing or zero-padded depending on whether the backing memory is available or inaccessible due to paging.

Minidump files are only generated if certain prerequisites are met:

  1. The process must be an active user-mode process. Special processes such as System, Registry, LSASS and MemCompression won't have minidump files generated.
  2. If debug symbols from the Microsoft symbol server are missing, certain functionality (Threads) will be missing. The minidump will however still be generated.

The minidump.dmp file is read-only.
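Because reconstruction is best-effort, it helps to check what a given minidump.dmp actually contains before relying on it. The following is an added example, not code from MemProcFS: it parses the standard Windows minidump header and stream directory, reports thread and module counts, and counts all-zero pages in the captured memory. It assumes the memory is stored in a Memory64ListStream; an all-zero page may be zero-padding or genuinely zero memory, so the count is an upper bound on padded pages. The sample dump is constructed inline.

```python
import struct

# Stream type values from the Windows MINIDUMP_STREAM_TYPE enumeration.
THREAD_LIST, MODULE_LIST, MEMORY64_LIST = 3, 4, 9
PAGE = 0x1000

def summarize_minidump(buf):
    """Count threads, modules and all-zero pages in a full-memory minidump."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", buf, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump: bad signature")
    # MINIDUMP_DIRECTORY entries are 12 bytes: StreamType, DataSize, Rva.
    streams = {}
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        streams[stype] = rva
    out = {"threads": None, "modules": None, "ranges": 0, "pages": 0, "zero_pages": 0}
    # Both list streams start with a 32-bit entry count; None = stream absent.
    if THREAD_LIST in streams:
        out["threads"] = struct.unpack_from("<I", buf, streams[THREAD_LIST])[0]
    if MODULE_LIST in streams:
        out["modules"] = struct.unpack_from("<I", buf, streams[MODULE_LIST])[0]
    if MEMORY64_LIST in streams:
        # MINIDUMP_MEMORY64_LIST: NumberOfMemoryRanges, BaseRva, then
        # (StartOfMemoryRange, DataSize) pairs; range data is stored back to back.
        rva = streams[MEMORY64_LIST]
        out["ranges"], data = struct.unpack_from("<QQ", buf, rva)
        for i in range(out["ranges"]):
            _va, size = struct.unpack_from("<QQ", buf, rva + 16 + 16 * i)
            if data + size > len(buf):
                raise ValueError("memory range runs past end of file")
            for off in range(data, data + size, PAGE):
                page = buf[off:min(off + PAGE, data + size)]
                out["pages"] += 1
                out["zero_pages"] += page.count(0) == len(page)
            data += size
    return out

def build_sample():
    """Constructed two-page dump: one page of data, one zero page, no thread list."""
    hdr = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, 2)
    dirs = struct.pack("<III", MODULE_LIST, 4, 56) + struct.pack("<III", MEMORY64_LIST, 32, 60)
    mods = struct.pack("<I", 0)
    mem = struct.pack("<QQQQ", 1, 92, 0x10000, 2 * PAGE)
    return hdr + dirs + mods + mem + b"\xcc" * PAGE + b"\x00" * PAGE

if __name__ == "__main__":
    print(summarize_minidump(build_sample()))
```

For a real dump, pass a read-only mmap of the file instead of reading it fully into memory. A thread count of None or 0 means the dump carries no thread information.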

Example

The example below shows the files minidump.dmp and readme.txt for the explorer.exe process. The file minidump.dmp is opened directly in WinDbg for a debugging session showing some information about the call stack and CPU registers related to one of the threads.

For Developers

The minidump sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_minidump.c in the vmm project.
