Microsoft KB Archive/178547


The information in this article applies to:


 * Microsoft Windows NT Workstation versions 3.51, 4.0
 * Microsoft Windows NT Server versions 3.51, 4.0


SUMMARY
DOTCRASH is a utility that lets you debug computers running Windows NT by creating a user-mode memory dump of offending processes. DOTCRASH is especially useful in production environments where time limitations make it difficult for you to take a computer offline for debugging purposes. For example, DOTCRASH can help you debug the following problems:


 * Memory leaks
 * An application that stops responding at 0 percent CPU usage (deadlock)
 * An application that stops responding at 100 percent CPU usage (busy loop)

MORE INFORMATION
DOTCRASH uses a Win32 API to create the memory dump. This is how DOTCRASH works:


 * 1) Get Debug privilege.

NOTE: If this fails, the logged on user does not have administrative privileges.
 * 2) If needed, resolve process name to process ID.
 * 3) Open the target process with Full Access.
 * 4) Change AeDebug and Dr. Watson configuration to write .dmp.
 * 5) Create a thread in the target process with starting address 0xDEAD. If you use the option "-b" the Thread function will be "DebugBreak" instead. This requires privileges acquired in steps 1 and 3 above.
 * 6) Return Debug privilege.
 * 7) Restore original AeDebug and Dr. Watson configuration.

Installation
To install DOTCRASH, follow these steps:
 * 1) Download the Dotcrash.zip file from the Microsoft Software Library to an empty folder.
 * 2) Use a utility to unzip the files.
 * 3) Copy Psapi.dll to the %SystemRoot%\System32 folder. Psapi.dll is included with Dotcrash.zip in the \\ folder.

NOTE: If you have a newer version of this file on your system, do not perform this step.

The following file is available for download from the Microsoft Software Library: "Dotcrash.zip". For more information about downloading files from the Microsoft Software Library, please see the following article in the Microsoft Knowledge Base: "Q119591 How to Obtain Microsoft Support Files from Online Services".

Usage
DOTCRASH does not verify that the files required to run Dr. Watson are installed. Before you run DOTCRASH, make sure Dr. Watson is installed:

  Click the Start button, click Run, and then type the following in the Open box: "drwtsn32". Click OK.

There is a known problem with the Windows NT 4.0 version of Dr. Watson running on Alpha platforms. For more information, please see the following article in the Microsoft Knowledge Base: "Q170057 Dr. Watson Dialog Box Stops Responding".

NOTE: The English version of the hotfix referenced in this article is included with Dotcrash.zip in the \Alpha\Dr-Watson.US folder.

The following is the command-line help and error-level information for DOTCRASH:

  dotcrash [-b] <pid | process EXE name> [target file name]

  -b: Break into process without configuring Dr. Watson. This is useful to
      initiate JIT Debugging or when breaking into a NTSD -D session.

  pid: process ID in decimal or hex (use 0x)
  process EXE name: name of EXE file. If multiple EXE files with the same name
      are found, errorlevel will be 1 and a list of process IDs will be
      printed to STDOUT.

  target file name: Name of the memory dump file. Make sure the account the
      process about to be crashed runs under has sufficient privilege to
      write to this location.

  Errorlevel values:
     0 - Success, dumped a process.
     1 - Multiple processes found for %s, use process ID.
     2 - Process %s not found.
     3 - Invalid or out-of-range process ID.
     4 - Could not open process %s. Error:
     5 - Could not create thread to crash the process. Error:
     6 - Can't get Debug Privilege. Aren't you Administrator?
     7 - Could not access registry to configure Dr. Watson. Tried to fix it...
     8 - This application only runs on Windows NT 3.51 or later.
     9 - Ain't no killing of Process IDs 0 and 2
    10 - Could not load PSAPI.DLL. Error:
    11 - Target file name not allowed when using option -b.

After you run DOTCRASH, Dr. Watson displays a dialog box while it is working on the memory dump. Do not click the Close or Cancel button. After the OK button is enabled, click OK.

If you use the -b option to create a hardcoded breakpoint without a debugger attached to the process, Windows NT will break into the kernel debugger, if present. Because you cannot debug user mode applications in the kernel debugger, use the g command to resume execution. You need to launch NTSD using the -d option to debug the application through the kernel debugger.

The memory dump created by Dr. Watson can be loaded in WinDbg. In addition to the threads that were active in the process, there will be one additional thread stopped in a second-chance exception: the thread DOTCRASH created with starting address 0xDEAD. Here is an excerpt of a WinDbg session of a dump made with Spoolss.exe:

  > ~
   0    72 Stopped  4 _BaseProcessStart@4
   1    78 Stopped  4 _InitializeDll@12
   2    80 Stopped  4 _WaitForSingleObjectEx@12
   3   557 Stopped  4 _EnumPrintersW@28
   4   553 Stopped  4 _EnumPrintersW@28
   5   463 Stopped  4 ?ReceiveLotsaCalls@OSF_ADDRESS@@QAEXXZ
   6   149 Stopped  4 ?ReceiveLotsaCalls@WMSG_ADDRESS@@AAEXXZ
  *7   540 Stopped, 2nd chance  4 0x0000dead
  > ~7kb
  FramePtr RetAddr   Param1   Param2   Param3   Function Name
  1965ffb8 77f04f2c  00000000 001420d8 0012fac4 0x0000dead
  1965ffec 00000000  00000000 00000000 00000000 KERNEL32!BaseThreadStart+0x51
  > ~7r
  EAX=00000000 EBX=00000000  ECX=00000001  EDX=ffffffff  ESI=0012fac4 EDI=001420d8
  EIP=0000dead ESP=1965ffbc  EBP=1965ffec  EFL=00000246
  CS=001b DS=0023  ES=0023  SS=0023  FS=0038  GS=0000

Additional query words: debugref dotcrash.exe
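When a DOTCRASH dump is analysed, the first thing to do is to set aside the thread DOTCRASH injected (the one in a second-chance exception whose start address is 0xDEAD) so that only the application's own threads are examined for the hang or leak. The following Python script is an added example, not part of the original article or of the DOTCRASH tool: it parses a WinDbg "~" thread listing in the layout shown above and separates the injected thread from the rest. The column order it assumes (current-thread marker, index, thread id, state, priority, start address or symbol) is inferred from the excerpt and is not documented on this page; the sample listing is constructed from that excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the Spoolss.exe excerpt in the article.
SAMPLE_THREAD_LIST = """\
> ~
 0    72 Stopped  4 _BaseProcessStart@4
 1    78 Stopped  4 _InitializeDll@12
 2    80 Stopped  4 _WaitForSingleObjectEx@12
 3   557 Stopped  4 _EnumPrintersW@28
 4   553 Stopped  4 _EnumPrintersW@28
 5   463 Stopped  4 ?ReceiveLotsaCalls@OSF_ADDRESS@@QAEXXZ
 6   149 Stopped  4 ?ReceiveLotsaCalls@WMSG_ADDRESS@@AAEXXZ
*7   540 Stopped, 2nd chance  4 0x0000dead
"""

# Assumed column layout (inferred from the excerpt, not documented on the page):
# optional "*" marking the current thread, thread index, thread id, state
# ("Stopped" or "Stopped, 2nd chance"), priority, start address or symbol.
THREAD_LINE = re.compile(
    r"^(?P<current>\*?)\s*(?P<index>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<state>Stopped(?:, 2nd chance)?)\s+(?P<prio>\d+)\s+(?P<start>\S+)\s*$"
)

# Start address DOTCRASH gives the thread it creates in the target process.
DOTCRASH_START = 0xDEAD


@dataclass(frozen=True)
class ThreadEntry:
    index: int
    tid: int
    state: str
    priority: int
    start: str
    current: bool

    @property
    def start_address(self) -> Optional[int]:
        """Numeric start address, or None when the column holds a symbol name."""
        if self.start.lower().startswith("0x"):
            try:
                return int(self.start, 16)
            except ValueError:
                return None
        return None


def parse_thread_list(text: str) -> List[ThreadEntry]:
    """Parse a WinDbg '~' listing; the prompt line and anything unparsable is skipped."""
    threads = []
    for line in text.splitlines():
        m = THREAD_LINE.match(line)
        if not m:
            continue
        threads.append(ThreadEntry(
            index=int(m["index"]),
            tid=int(m["tid"]),
            state=m["state"],
            priority=int(m["prio"]),
            start=m["start"],
            current=(m["current"] == "*"),
        ))
    return threads


def find_dotcrash_thread(threads: List[ThreadEntry]) -> Optional[ThreadEntry]:
    """The injected thread: stopped in a 2nd-chance exception with start 0xDEAD."""
    for t in threads:
        if "2nd chance" in t.state and t.start_address == DOTCRASH_START:
            return t
    return None


def application_threads(threads: List[ThreadEntry]) -> List[ThreadEntry]:
    """Every thread except the one DOTCRASH injected; these are the ones to debug."""
    injected = find_dotcrash_thread(threads)
    return [t for t in threads if t is not injected]


if __name__ == "__main__":
    listing = parse_thread_list(SAMPLE_THREAD_LIST)
    injected = find_dotcrash_thread(listing)
    print("injected thread:", injected)
    for t in application_threads(listing):
        print(f"thread {t.index:2d} tid {t.tid:4d} {t.state:<20} {t.start}")
```

Run the script on a listing pasted from your own WinDbg session to get the list of threads worth examining; a listing with no 2nd-chance thread at 0xDEAD (for example a dump made with the -b option, where the injected thread runs DebugBreak instead) simply returns all threads.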

Keywords   : kbfile
Version    : winnt:3.51,4.0
Platform   : winnt
Issue type :