Troubleshoot Process Dump Files

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, WatchGuard EDR Core

ProcDump is a Windows command-line utility that you can use to monitor a process and create a dump file. You can use ProcDump to trigger the creation of a dump file when a specific condition is met, such as a CPU spike on the computer.

When you create a process dump file from a Microsoft Windows computer, the file contains information about the available physical memory the process uses. The file also records the state of all available computer memory, and what occurred in that memory, at the time you created the dump file.

For information about how to create PSANHost dump files, go to Troubleshoot PSANHost Crash Dump Files.

Disable Anti-Tamper Protection

Anti-tamper protection makes sure that only authorized users can install, disable, or uninstall WatchGuard Endpoint Security. If you enable anti-tamper protection, the configured password is required to disable anti-tamper protection locally from the protected computer. Before you create a dump file, you must disable WatchGuard Endpoint Security anti-tamper protection for the endpoint computer. You must also restart the endpoint computer that you want to create the dump file for.

To disable anti-tamper protection:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Per-Computer Settings.
  4. Copy an existing settings profile and use it to create a new per-computer settings profile. For more information, go to Configure Per-Computer Settings.
  5. Assign the profile to the endpoint computer where you want to create a dump file.
  6. From the new per-computer settings profile, disable the Enable Anti-Tamper protection toggle.

Screenshot of Add Settings UI

  7. Click Save.
  8. To unlock any anti-tamper protection processes, restart the endpoint computer.

Collect a Process Dump File

There are multiple methods to collect a process dump file. Use the instructions that best fit your use case:

Collect a Process Dump File for Constant High CPU Usage

You can use ProcDump to monitor a process and trigger the creation of a dump file when ProcDump detects high CPU usage on the endpoint computer.

To monitor high CPU usage and create a dump file:

  1. Download ProcDump.exe from the Microsoft website:
    https://learn.microsoft.com/en-en/sysinternals/downloads/procdump (external link)
  2. From the endpoint computer that you want to create a dump file for, open a Command Prompt window with administrator privileges.

Screenshot of Run as Administrator UI

  3. Run ProcDump with these parameters:
     procdump.exe -c <CPUTHRESHOLD> -e -ma -s 30 -w <ProcessName>.exe -accepteula <YourLocation>\<ProcessName>.dmp

This example creates a dump file for the AgentSVC.exe process when CPU usage exceeds 20% for 30 consecutive seconds:

procdump.exe -c 20 -e -ma -s 30 -w AgentSVC.exe -accepteula C:\WG\AgentSVC.dmp

Make sure that the location you specify to save the dump file to exists on the computer.

  4. Keep the Command Prompt window open and run the ProcDump application until the issue reproduces.

Screenshot of command line output

You do not have to press Ctrl+C on your keyboard to stop monitoring. The process dump file saves to the computer automatically.

  5. Create a ZIP archive of the contents of the folder and send the archive to Support.

Collect a Process Dump File for a Process Crash

You can use ProcDump when you experience a process crash on an endpoint computer.

To create a dump file when you experience a process crash:

  1. From the endpoint computer that you want to create a dump file for, open a Command Prompt window with administrator privileges.

Screenshot of Run as Administrator UI

  2. Run ProcDump with these parameters:
     procdump.exe -e -ma -w <ProcessName> -accepteula <YourLocation>\<ProcessName>.dmp

This example collects a dump file for the AgentSVC.exe process when the application crashes:

procdump.exe -e -ma -w AgentSVC.exe -accepteula C:\WG\AgentSVC.dmp

Make sure that the location you specify to save the dump file to exists on the computer.

  3. Keep the Command Prompt window open and run the ProcDump application until the issue reproduces.

You do not have to press Ctrl+C on your keyboard to end monitoring. The process dump file saves to the computer automatically.

  4. Create a ZIP archive of the contents of the folder, and send the archive to Support.
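The two ProcDump procedures above (high CPU usage and process crash) differ only in the arguments passed, and both end with the same checks: the destination folder must exist, the run must not have failed with "Access is denied" because anti-tamper protection is still active, and the resulting folder is zipped for Support. The following PowerShell function is an added example that wraps those steps; it is not WatchGuard's own tooling. It assumes that procdump.exe has already been downloaded, that the function name, parameter names and the example paths (C:\Tools\procdump.exe, C:\WG) are placeholders you adjust, and that it is run from an elevated PowerShell window after anti-tamper protection has been disabled and the computer restarted.

```powershell
# Added example, not part of WatchGuard's documentation or product.
# Assumed: procdump.exe is already downloaded; paths below are placeholders.
function Invoke-ProcDumpCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProcDumpPath,   # e.g. C:\Tools\procdump.exe
        [Parameter(Mandatory)] [string] $ProcessName,    # e.g. AgentSVC.exe
        [Parameter(Mandatory)] [string] $OutputFolder,   # e.g. C:\WG
        [ValidateSet('Cpu', 'Crash')] [string] $Mode = 'Crash',
        [int] $CpuThreshold = 20,   # percent; used only in Cpu mode
        [int] $CpuSeconds = 30      # consecutive seconds above the threshold
    )

    # The page warns that the destination folder must already exist, because
    # ProcDump does not create it. Create it up front instead of failing later.
    if (-not (Test-Path -LiteralPath $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }
    $baseName = [IO.Path]::GetFileNameWithoutExtension($ProcessName)
    $dumpFile = Join-Path $OutputFolder ("{0}.dmp" -f $baseName)

    # Build the same argument list the page shows for each scenario:
    #   Cpu:   -c <threshold> -s <seconds> -e -ma -w <process> -accepteula <dump>
    #   Crash: -e -ma -w <process> -accepteula <dump>
    $procArgs = @()
    if ($Mode -eq 'Cpu') {
        $procArgs += @('-c', $CpuThreshold, '-s', $CpuSeconds)
    }
    $procArgs += @('-e', '-ma', '-w', $ProcessName, '-accepteula', $dumpFile)

    Write-Host "Running: $ProcDumpPath $($procArgs -join ' ')"
    # Run in the foreground (the page says to keep the window open until the
    # issue reproduces) and capture stdout and stderr as plain strings so the
    # "Access is denied" case described on the page can be recognised.
    $output = & $ProcDumpPath @procArgs 2>&1 | ForEach-Object { "$_" }
    $output | ForEach-Object { Write-Host $_ }

    if (($output -join ' ') -match 'Access is denied') {
        $msg = ("ProcDump could not open {0}. The process is probably still " +
                "protected by anti-tamper protection: disable it in the " +
                "per-computer settings profile and restart the computer.") -f $ProcessName
        Write-Warning $msg
        return $null
    }

    if (-not (Test-Path -LiteralPath $dumpFile)) {
        Write-Warning "No dump file was written to $dumpFile."
        return $null
    }

    # Package the dump files in the folder, as the page instructs, for Support.
    # Only *.dmp is archived so the ZIP does not try to include itself.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive = Join-Path $OutputFolder ("{0}-dumps-{1}.zip" -f $baseName, $stamp)
    Compress-Archive -Path (Join-Path $OutputFolder '*.dmp') -DestinationPath $archive -Force
    return $archive
}

# Usage (elevated PowerShell window, anti-tamper protection already disabled):
# Invoke-ProcDumpCollection -ProcDumpPath 'C:\Tools\procdump.exe' -ProcessName 'AgentSVC.exe' `
#     -OutputFolder 'C:\WG' -Mode Cpu -CpuThreshold 20 -CpuSeconds 30
```

The function returns the path of the ZIP archive on success and $null when ProcDump was blocked or produced no dump, so it can be called from a larger collection script and the "Access is denied" outcome maps directly to the anti-tamper step described in the Troubleshoot ProcDump Errors section.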

Collect a Process Dump File On-Demand

If you want to create a dump file on-demand, you can create a dump file from Microsoft Windows on the endpoint computer after an issue occurs.

To create a dump file from Microsoft Windows on the endpoint computer:

  1. Wait until the issue reproduces.
  2. Press Ctrl+Alt+Delete to open Windows Task Manager.
  3. From the Details tab, right-click the target process you want to create a dump file for.
  4. Select Create Dump File.

Screenshot of Task Manager

  5. Click Open File Location to browse to the dump file.

Screenshot of memory dump dialog box

  6. Create a ZIP archive of the contents of the folder and send the archive to Support.

Troubleshoot ProcDump Errors

If you experience an error when you use ProcDump, the process might be protected by anti-tamper protection.

This is an example of an error:

Error opening PSANHost.exe (8164):

Access is denied. (0x00000005, 5)

If you experience an error, make sure that you disable anti-tamper protection in WatchGuard Endpoint Security for the endpoint computer and then restart the computer.

Screenshot of command line window error