.HDMP and .MDMP files

Just a quickie – the rule is blog what you know, but I figure my speculation might be good enough here.

A friend gave me an HDMP file and asked what I could make of it. After the usual “I could make a hat! Or a brooch! Or a dinosaur!” type stuff, I realized it wouldn’t open anyway.

In my experience, most .HDMPs come with matching .MDMP files. I think of these as Minidumps (in the “real” mini sense – just information about threads and thread stacks), and Heap dumps (everything else the process knew or cared about in User mode).

This HDMP wasn’t openable in the debugger directly, but if its corresponding MDMP was present in the same folder at the same time, I reckon it woulda.

The feared WER-wolf produces these files in pairs (that’s Windows Error Reporting, kids, don’t be too scared, except that it invalidates everything we used to know about AEDebug registry keys and similar, but that’s another story for another time), and that’s how I’ve analyzed them in the past. I remember hearing of some sort of merge operation that needed to happen between M and H dumps, but I’m reasonably certain I haven’t bothered with that (I assume I’m lazy by default), so I think the debugger just does it for ya.

Now I’ve written that, I’m going to go look for references to support my assertions!

949180: How to create a user-mode process dump file in Windows Server 2008
https://support.microsoft.com/default.aspx?scid=kb;EN-US;949180

(At the bottom – mini and heap dumps - yay me!). Think that’s enough for today. Hugs!