Channel: Sysinternals Forums

Miscellaneous Utilities : ProcDump internal clues

Author: macguyver13
Subject: ProcDump internal clues
Posted: 04 October 2016 at 3:50pm

I am interested in finding out any details on how procdump might be using PssCaptureSnapshot or a similar method.

We would love to have some of this functionality, but as procdump is not redistributable we are looking to write our own process dumps (not using Windows Error Reporting) and we'd like to use the process copy/reflection method hinted at in procdump. The PssCaptureSnapshot is not heavily documented, but we're pretty sure it must be using something we could use.

Any clues or ideas as to how to generate our own full memory dumps of a process using this reflection method so as to avoid lengthy waits for the dump to be made on the original process?

BTW, it appears as if WER is using a similar mechanism because if WER is dumping a process due to an unhandled exception, we can see 2 processes with the same name when using Process.GetProcessesByName (.NET) and 1 is suspended. We'd like to copy that behavior, but retain more control over it. 

Thanks in advance for any thoughts or suggestions.
