DOTCRASH Helps Debug System Hangs and Memory Leaks in Windows NT

ID: Q178547


The information in this article applies to:


SUMMARY

DOTCRASH is a utility that lets you debug computers running Windows NT by creating a user-mode memory dump of offending processes. DOTCRASH is especially useful in production environments where time limitations make it difficult for you to take a computer offline for debugging purposes. For example, DOTCRASH can help you debug the following problems:


MORE INFORMATION

DOTCRASH uses a Win32 API to create the memory dump. This is how DOTCRASH works:

  1. Get Debug privilege.

     NOTE: If this fails, the logged-on user does not have administrative privileges.

  2. If needed, resolve the process name to a process ID.

  3. Open the target process with Full Access.

  4. Change the AeDebug and Dr. Watson configuration to write <process name>.dmp.

  5. Create a thread in the target process with starting address 0xDEAD. If you use the "-b" option, the thread's start function is DebugBreak instead. This requires the privileges acquired in steps 1 and 3 above.

  6. Return Debug privilege.

  7. Restore the original AeDebug and Dr. Watson configuration.


Installation

To install DOTCRASH, follow these steps:

  1. Download the Dotcrash.zip file from the Microsoft Software Library to an empty folder.

  2. Use a utility to unzip the files.

  3. Copy Psapi.dll to the %SystemRoot%\System32 folder. Psapi.dll is included with Dotcrash.zip in the <DirName>\<Platform>\<Version> folder.

     NOTE: If you have a newer version of this file on your system, do not perform this step.


The following file is available for download from the Microsoft Software Library:
Dotcrash.zip

For more information about downloading files from the Microsoft Software Library, please see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q119591
TITLE : How to Obtain Microsoft Support Files from Online Services

Usage

DOTCRASH does not verify that the files required to run Dr. Watson are installed. Before you run DOTCRASH, make sure Dr. Watson is installed:

  1. Click the Start button, click Run, and then type the following in the Open box:
     drwtsn32

  2. Click OK.


There is a known problem with the Windows NT 4.0 version of Dr. Watson running on Alpha platforms. For more information, please see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q170057
TITLE : Dr. Watson Dialog Box Stops Responding

NOTE: The English version of the hotfix referenced in this article is included with Dotcrash.zip in the <DirName>\Alpha\Dr-Watson.US folder.

The following is the command-line help and error-level information for DOTCRASH:


   dotcrash [-b] <pid> | <process EXE name> [target file name]

      -b: Break into process without configuring Dr. Watson
          This is useful to initiate JIT Debugging or when breaking
          into a NTSD -D session.

      pid: process ID in decimal or hex (use 0x)
         process EXE name: name of EXE file
         If multiple EXE files with the same name are found,
         errorlevel will be 1 and a list of process IDs will
         be printed to STDOUT.

      target file name: Name of the memory dump file. Make sure
         the account the process about to be crashed runs under
         has sufficient privilege to write to this location. 

Errorlevel values:

      0 - Success, dumped a process.
      1 - Multiple processes found for %s, use process ID.
      2 - Process %s not found.
      3 - Invalid or out-of-range process ID.
      4 - Could not open process %s. Error:
      5 - Could not create thread to crash the process. Error:
      6 - Can't get Debug Privilege. Aren't you Administrator?
      7 - Could not access registry to configure Dr. Watson. Tried to fix
          it...
      8 - This application only runs on Windows NT 3.51 or later.
      9 - Ain't no killing of Process IDs 0 and 2
     10 - Could not load PSAPI.DLL. Error:
     11 - Target file name not allowed when using option -b. 
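The following PowerShell wrapper is an added example, not part of Dotcrash.zip or of this article. It ties the mechanism described under MORE INFORMATION (steps 4 and 7 rewrite the AeDebug and Dr. Watson configuration and are supposed to put it back) to the errorlevel table above: it snapshots both registry keys before running DOTCRASH, decodes the exit code, prints the candidate process IDs when errorlevel 1 is returned, and then reports any value that was not restored (the case errorlevel 7 warns about). It assumes a Windows host with PowerShell, dotcrash.exe on the PATH, an administrative shell, and that the Dr. Watson settings live under HKCU\Software\Microsoft\DrWatson (the value names under that key are not assumed; the whole key is compared).

```powershell
# Added example (not part of Dotcrash.zip): run DOTCRASH, decode its errorlevel,
# and check that steps 4 and 7 left the AeDebug and Dr. Watson configuration
# exactly as they were found.
# Assumptions: dotcrash.exe is on the PATH, the shell runs as an administrator,
# and Dr. Watson settings live under HKCU\Software\Microsoft\DrWatson.
param(
    [Parameter(Mandatory = $true)] [string] $Target,  # PID (decimal or 0x hex) or EXE name
    [string] $DumpFile                                 # optional target file name
)

$AeDebugKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
$DrWatsonKey = 'HKCU:\Software\Microsoft\DrWatson'   # assumed location, see above

# Errorlevel table from the DOTCRASH command-line help.
$ErrorText = @{
    0  = 'Success, dumped a process.'
    1  = 'Multiple processes found, use process ID (list printed to STDOUT).'
    2  = 'Process not found.'
    3  = 'Invalid or out-of-range process ID.'
    4  = 'Could not open process.'
    5  = 'Could not create thread to crash the process.'
    6  = "Can't get Debug Privilege. Aren't you Administrator?"
    7  = 'Could not access registry to configure Dr. Watson. Tried to fix it...'
    8  = 'This application only runs on Windows NT 3.51 or later.'
    9  = 'Process IDs 0 and 2 cannot be crashed.'
    10 = 'Could not load PSAPI.DLL.'
    11 = 'Target file name not allowed when using option -b.'
}

function Get-KeySnapshot([string] $Path) {
    # Capture every value under a key as name -> string, so whatever DOTCRASH
    # touches (Debugger, Auto, the dump path, ...) is covered without naming it.
    $snap = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $snap[$p.Name] = [string] $p.Value }
        }
    }
    return $snap
}

function Compare-Snapshot($Before, $After, [string] $Label) {
    # Return the list of values that differ between two snapshots and warn about them.
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    $drift = @()
    foreach ($n in $names) {
        if ($Before[$n] -ne $After[$n]) {
            $drift += "{0}: '{1}' -> '{2}'" -f $n, $Before[$n], $After[$n]
        }
    }
    if ($drift.Count -gt 0) {
        Write-Warning "$Label configuration was not restored:`n  $($drift -join "`n  ")"
    }
    return $drift
}

# Steps 4 and 7 rewrite these keys; record them before DOTCRASH runs.
$aeBefore = Get-KeySnapshot $AeDebugKey
$dwBefore = Get-KeySnapshot $DrWatsonKey

$dcArgs = @($Target)
if ($DumpFile) { $dcArgs += $DumpFile }
$output = & dotcrash.exe @dcArgs 2>&1
$rc = $LASTEXITCODE

$msg = if ($ErrorText.ContainsKey($rc)) { $ErrorText[$rc] } else { 'Unknown errorlevel' }
Write-Host ("dotcrash exited with errorlevel {0}: {1}" -f $rc, $msg)

if ($rc -eq 1) {
    # Candidate PIDs are printed to STDOUT; show them so the caller can rerun by PID.
    Write-Host 'Candidate process IDs:'
    $output | ForEach-Object { Write-Host "  $_" }
}

# Whatever the outcome (errorlevel 7 in particular), confirm the configuration is back.
$drift = @()
$drift += Compare-Snapshot $aeBefore (Get-KeySnapshot $AeDebugKey) 'AeDebug'
$drift += Compare-Snapshot $dwBefore (Get-KeySnapshot $DrWatsonKey) 'Dr. Watson'
if ($drift.Count -eq 0) { Write-Host 'AeDebug and Dr. Watson configuration restored.' }

exit $rc
```

Run it as `.\dotcrash-wrap.ps1 spoolss.exe C:\dumps\spoolss.dmp` (the dump path must be writable by the account the target process runs under, as the help text notes). The whole-key comparison is deliberate: if a later DOTCRASH build changes which Dr. Watson values it rewrites, the check still catches a value left behind.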

After you run DOTCRASH, Dr. Watson displays a dialog box while it is working on the memory dump. Do not click the Close or Cancel button. After the OK button is enabled, click OK.

If you use the -b option to create a hardcoded breakpoint without a debugger attached to the process, Windows NT will break into the kernel debugger, if present. Because you cannot debug user mode applications in the kernel debugger, use the g command to resume execution. You need to launch NTSD using the -d option to debug the application through the kernel debugger.

The memory dump created by Dr. Watson can be loaded in WinDbg. In addition to the threads that were active in the process, there is one extra thread stopped on a second-chance exception: the thread DOTCRASH created at 0xDEAD. Here is an excerpt of a WinDbg session on a dump made of Spoolss.exe:


   > ~

     0     72 Stopped  4 _BaseProcessStart@4
     1     78 Stopped  4 _InitializeDll@12
     2     80 Stopped  4 _WaitForSingleObjectEx@12
     3    557 Stopped  4 _EnumPrintersW@28
     4    553 Stopped  4 _EnumPrintersW@28
     5    463 Stopped  4 ?ReceiveLotsaCalls@OSF_ADDRESS@@QAEXXZ
     6    149 Stopped  4 ?ReceiveLotsaCalls@WMSG_ADDRESS@@AAEXXZ

   * 7    540 Stopped, 2nd chance  4 0x0000dead
   > ~7kb
   FramePtr  RetAddr   Param1   Param2   Param3   Function Name
   1965ffb8  77f04f2c  00000000 001420d8 0012fac4 0x0000dead
   1965ffec  00000000  00000000 00000000 00000000 KERNEL32!BaseThreadStart+0x51
   > ~7r
   EAX=00000000  EBX=00000000  ECX=00000001  EDX=ffffffff  ESI=0012fac4
   EDI=001420d8
   EIP=0000dead  ESP=1965ffbc  EBP=1965ffec  EFL=00000246
   CS=001b  DS=0023  ES=0023  SS=0023  FS=0038  GS=0000 

Additional query words: debugref dotcrash.exe


Keywords          : kbfile 
Version           : winnt:3.51,4.0
Platform          : winnt 
Issue type        : 

Last Reviewed: August 3, 1999