Windows – How to dump process in Windows Server 2008


I want to dump the memory of a Windows process using just the command line and without third-party tools. Is that possible, assuming all necessary privileges are acquired?

Maybe it is possible to do this using PowerShell? I have found it is possible using the procdump utility, but that one is from Sysinternals, imho.

Best Answer

You can use the Out-Minidump function for PowerShell:

Out-Minidump writes a process dump file with all process memory to disk. This is similar to running procdump.exe with the '-ma' switch.

Basic usage:

  • Enable PowerShell script execution via the Set-ExecutionPolicy cmdlet. It should be Bypass, Unrestricted or RemoteSigned. Details:

    If you (or a helpful admin) run Set-ExecutionPolicy as administrator, the policy will be set for all users. (I would suggest "RemoteSigned" rather than "Unrestricted" as a safety measure.)

    NB.: On a 64-bit OS you need to run Set-ExecutionPolicy for 32-bit and 64-bit PowerShell separately.

  • Download Out-Minidump.ps1

  • Unblock it using File properties in Explorer (alternate ways)


  • Launch PowerShell and dot-source the function from Out-Minidump.ps1 (note the leading dot):

        . c:\path\to\Out-Minidump.ps1

  • Now you can actually create a dump of the process using this syntax (Get-Process takes the image name without the .exe extension, and -DumpFilePath is the output directory):

        Get-Process notepad | Out-Minidump -DumpFilePath C:\temp

  • To get help, run this command:

        Get-Help Out-Minidump -Full
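The steps above collected into one script, as an added example that is not part of the original answer and not the Out-Minidump project's own code. It assumes Out-Minidump.ps1 has already been downloaded to the path in $ScriptPath, scopes the execution-policy change to the current process instead of the machine, and writes one dump per running instance of the named process:

```powershell
# Added example (not from the original answer): runs the procedure end to end.
# Assumes Out-Minidump.ps1 is already downloaded to $ScriptPath (hypothetical path).
param(
    [Parameter(Mandatory = $true)][string]$ProcessName,   # image name without .exe, e.g. notepad
    [string]$ScriptPath = 'C:\tools\Out-Minidump.ps1',    # assumed download location
    [string]$DumpDir    = 'C:\temp\dumps'                 # assumed output directory
)

# Allow scripts for this PowerShell process only; the machine-wide policy is untouched.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

if (-not (Test-Path -Path $ScriptPath)) {
    throw "Out-Minidump.ps1 not found at $ScriptPath"
}

# Remove the downloaded-file mark (Zone.Identifier stream). Unblock-File exists from
# PowerShell 3.0; on PowerShell 2.0 unblock the file via its properties in Explorer instead.
if (Get-Command -Name Unblock-File -ErrorAction SilentlyContinue) {
    Unblock-File -Path $ScriptPath
}

# Dot-source the script so the Out-Minidump function is defined in this session.
. $ScriptPath

if (-not (Test-Path -Path $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}

# Get-Process may return several instances of the same image; dump each one.
$procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    throw "No running process named '$ProcessName'"
}

foreach ($p in $procs) {
    $p | Out-Minidump -DumpFilePath $DumpDir
}

# Confirm the dump files were actually written and are not empty.
Get-ChildItem -Path $DumpDir -Filter '*.dmp' |
    Where-Object { $_.Length -gt 0 } |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First $procs.Count -Property Name, Length, LastWriteTime
```

Run it from an elevated PowerShell session, since reading another process's memory requires the same privileges the original answer assumes.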