A study of procdump command-line options
Microsoft Windows [版本 10.0.19042.1288]
(c) Microsoft Corporation。保留所有权利。
\Procdump>procdump.exe
ProcDump v11.0 - Sysinternals process dump utility
Copyright (C) 2009-2022 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
Monitors a process and writes a dump file when the process exceeds the
specified criteria or has an exception.
Capture Usage:
procdump.exe [-mm] [-ma] [-mt] [-mp] [-mc <Mask>] [-md <Callback_DLL>] [-mk]
[-n <Count>]
[-s <Seconds>]
[-c|-cl <CPU_Usage> [-u]]
[-m|-ml <Commit_Usage>]
[-p|-pl <Counter> <Threshold>]
[-h]
[-e [1] [-g] [-b] [-ld] [-ud] [-ct] [-et]]
[-l]
[-t]
[-f <Include_Filter>, ...]
[-fx <Exclude_Filter>, ...]
[-dc <Comment>]
[-o]
[-r [1..5] [-a]]
[-at <Timeout>]
[-wer]
[-64]
{
{{[-w] <Process_Name> | <Service_Name> | <PID>} [<Dump_File> | <Dump_Folder>]}
|
{-x <Dump_Folder> <Image_File> [Argument, ...]}
}
Install Usage:
procdump.exe -i [Dump_Folder]
[-mm] [-ma] [-mt] [-mp] [-mc <Mask>] [-md <Callback_DLL>] [-mk]
[-r]
[-at <Timeout>]
[-k]
[-wer]
Uninstall Usage:
procdump.exe -u
Dump Types:
-mm Write a 'Mini' dump file. (default)
- Includes directly and indirectly referenced memory (stacks and what they reference).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
-ma Write a 'Full' dump file.
- Includes all memory (Image, Mapped and Private).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
-mt Write a 'Triage' dump file.
- Includes directly referenced memory (stacks).
- Includes limited metadata (Process, Thread, Module and Handle).
- Removal of sensitive information is attempted but not guaranteed.
-mp Write a 'MiniPlus' dump file.
- Includes all Private memory and all Read/Write Image or Mapped memory.
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
- To minimize size, the largest Private memory area over 512MB is excluded.
A memory area is defined as the sum of same-sized memory allocations.
The dump is as detailed as a Full dump but 10%-75% the size.
- Note: CLR processes are dumped as Full (-ma) due to debugging limitations.
-mc Write a 'Custom' dump file.
- Includes the memory and metadata defined by the specified MINIDUMP_TYPE mask (Hex).
-md Write a 'Callback' dump file.
- Includes the memory defined by the MiniDumpWriteDump callback routine
named MiniDumpCallbackRoutine of the specified DLL.
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
-mk Also write a 'Kernel' dump file.
- Includes the kernel stacks of the threads in the process.
- OS doesn't support a kernel dump (-mk) when using a clone (-r).
- When using multiple dump sizes, a kernel dump is taken for each dump size.
Conditions:
-a Avoid outage. Requires -r. If the trigger will cause the target
to suspend for a prolonged time due to an exceeded concurrent
dump limit, the trigger will be skipped.
-at Avoid outage at Timeout. Cancel the trigger's collection at N seconds.
-b Treat debug breakpoints as exceptions (otherwise ignore them).
-c CPU threshold above which to create a dump of the process.
-cl CPU threshold below which to create a dump of the process.
-dc Add the specified string to the generated Dump Comment.
-e Write a dump when the process encounters an unhandled exception.
Include the 1 to create dump on first chance exceptions.
Add -ld to create a dump when a DLL (module) is loaded (filtering applies).
Add -ud to create a dump when a DLL (module) is unloaded (filtering applies).
Add -ct to create a dump when a thread is created.
Add -et to create a dump when a thread exits.
-f Filter (include) on the content of exceptions, debug logging and filename at DLL load/unload.
Wildcards (*) are supported.
-fx Filter (exclude) on the content of exceptions, debug logging and filename at DLL load/unload.
Wildcards (*) are supported.
-g Run as a native debugger in a managed process (no interop).
-h Write dump if process has a hung window (does not respond to
window messages for at least 5 seconds).
-k Kill the process after cloning (-r), or at end of dump collection.
-l Display the debug logging of the process.
-m Memory commit threshold in MB at which to create a dump.
-ml Trigger when memory commit drops below specified MB value.
-n Number of dumps to write before exiting.
-o Overwrite an existing dump file.
-p Trigger when the Performance Counter is at, or exceeds, the specified Threshold.
Some Counters and/or Instance Names can be case-sensitive.
-pl Trigger when the Performance Counter falls below the specified Threshold.
-r Dump using a clone. Concurrent limit is optional (default 1, max 5).
OS doesn't support a kernel dump (-mk) when using a clone (-r).
CAUTION: a high concurrency value may impact system performance.
- Windows 7 : Uses Reflection. OS doesn't support -e.
- Windows 8.0 : Uses Reflection. OS doesn't support -e.
- Windows 8.1+: Uses PSS. All trigger types are supported.
-s Consecutive seconds before dump is written (default is 10).
-t Write a dump when the process terminates.
-u Treat CPU usage relative to a single core (used with -c).
-w Wait for the specified process to launch if it's not running.
-wer Queue the (largest) dump to Windows Error Reporting.
-x Launch the specified image with optional arguments.
If it is a Store Application or Package, ProcDump will start
on the next activation (only).
-64 By default ProcDump will capture a 32-bit dump of a 32-bit process
when running on 64-bit Windows. This option overrides to create a
64-bit dump. Only use for WOW64 subsystem debugging.
Install/Uninstall:
-i Install ProcDump as the AeDebug postmortem debugger.
Only -mm, -ma, -mt, -mp, -mc, -md and -r are supported as additional options.
Uninstall (-u only) restores the previous configuration.
-u As the only option, Uninstalls ProcDump as the AeDebug postmortem debugger.
License Agreement:
Use the -accepteula command line option to automatically accept the
Sysinternals license agreement.
Automated Termination:
-cancel <Target Process PID>
Using this option or setting an event with the name "ProcDump-<PID>"
is the same as typing Ctrl+C to gracefully terminate ProcDump.
Graceful termination ensures the process is resumed if a capture is active.
The cancellation applies to ALL ProcDump instances monitoring the process.
Filename:
Default dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp
The following substitutions are supported:
PROCESSNAME Process Name
PID Process ID
EXCEPTIONCODE Exception Code
YYMMDD Year/Month/Day
HHMMSS Hour/Minute/Second
Examples:
Use -? -e to see example command lines.
...\Procdump>