Setting up a postmortem debugger for Windows services

Is it possible to create a full memory dump of a Windows service when it crashes? Obviously, there are the well-known postmortem debuggers, which can collect a memory dump of a failing process. But the problem with Windows services is that they are running within the system context and not in the user context. Can anybody help me?

Until now, I tried it with WinDbg:

  • I set up WinDbg as the default postmortem Debugger by executing WinDbg -I.
  • I verified that within both locations of the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug) the two entries Auto and Debugger exist.
  • I configured WinDbg to automatically write memory dumps at startup by changing the Debugger entry to "Path\WinDbg.exe" -p %ld -c ".dump /ma /u D:\CrashDump.dmp" -e %ld -g
  • I verified that WinDbg has privileges to the target location of the memory dump file with and without administrative privileges.

But it does not work. :(

If I write a normal user-mode application which intentionally crashes after startup, WinDbg pops up and automatically writes the .dmp file to the target location. But if my service crashes, it does not. Within the task manager, I can see that WinDbg gets started after the process of my service crashes, but both just remain in the list without any dump file.

Allgaeuer asked Oct 02 '22 03:10


1 Answer

Make sure that Auto for the AeDebug key is set to 1. Also change the windbg command line to: "Path\WinDbg.exe" -p %ld -c ".dump /ma /u D:\CrashDump.dmp;qd" -e %ld -G

If you do not detach from the debuggee, the debugger will wait for further commands. Also, the -G option will close the debugger immediately after the process ends. Simpler to configure and probably more suited for such scenarios is procdump from Sysinternals - it can also create full memory dumps, and you install it with the procdump -ma -i D:\crashdump command.

Sebastian answered Oct 13 '22 00:10
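As an added example that is not part of the question or the answer above, the following PowerShell script applies the answer's configuration (Auto set to 1 and the Debugger command line with `;qd` and `-G`) to both AeDebug registry locations and then reads the values back to confirm they were written. The WinDbg install path and the dump directory are assumptions; run it from an elevated session.

```powershell
# Added example (not from the original question or answer): configure the
# AeDebug postmortem debugger in both the native and the WOW6432Node registry
# views, then read the values back to verify. Run from an elevated PowerShell.

$windbg  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe'  # assumed install path
$dumpDir = 'D:\CrashDump'                                                     # assumed dump location

if (-not (Test-Path -LiteralPath $windbg)) { throw "WinDbg not found at $windbg" }
New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null

# The command line from the answer: full dump (/ma) with a unique name (/u),
# detach from the debuggee (qd), and -G so WinDbg exits when the process ends.
# Windows substitutes the crashing PID and the event handle for the two %ld.
$debuggerCmd = "`"$windbg`" -p %ld -c `".dump /ma /u $dumpDir\CrashDump.dmp;qd`" -e %ld -G"

$aeDebugKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

foreach ($key in $aeDebugKeys) {
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # Auto = 1 starts the debugger without the interactive "Debug?" prompt,
    # which a service running in session 0 has no desktop to answer.
    Set-ItemProperty -LiteralPath $key -Name 'Auto'     -Value '1'          -Type String
    Set-ItemProperty -LiteralPath $key -Name 'Debugger' -Value $debuggerCmd -Type String
}

# Read both keys back and report any value that differs from what was written.
foreach ($key in $aeDebugKeys) {
    $p  = Get-ItemProperty -LiteralPath $key
    $ok = ($p.Auto -eq '1') -and ($p.Debugger -eq $debuggerCmd)
    Write-Output ("{0}: {1}" -f $key, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
}
```

After a test crash, confirm that a CrashDump_*.dmp file appears in the dump directory and that no windbg.exe process lingers in Task Manager.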