N-central Troubleshooting
Agent process dump tools
Last Modified
Fri Jan 10 16:55 GMT 2020
Description
- This article describes how to get the agent process dump.
- This procedure can also be used to get dump files for any process.
Environment
- N-able N-central
Solution
(Option 1) Windows error reporting
On newer Windows versions, Windows Error Reporting (WER) can provide a minidump by default. The registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug" shows where the dumps are written. This can be a hidden folder, so if it does not appear in File Explorer, enter "C:\ProgramData" (no space) in File Explorer and press Enter. It will then be visible. The full folder name is "C:\ProgramData\Microsoft\Windows\WER\ReportQueue".
- Details at: http://msdn.microsoft.com/en-us/library/windows/desktop/bb513638%28v=vs.85%29.aspx
- Please review https://docs.microsoft.com/en-us/windows/desktop/wer/collecting-user-mode-dumps
To turn on or off Windows Error Reporting
- Locate these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\Windows Error Reporting
Set the value called 'Disabled' in the keys described below:
If the agent/probe is running on a 64 bit system then there will be 2 keys.
The Wow6432Node will be the one used by Windows Error Reporting when dumping 32bit apps in most cases.
If the Disabled value key doesn't exist, simply add it as a DWORD (32-bit) Value and set the value to 1 or 0 as described below.
Value Name: Disabled
Value Type: DWORD
Value: (1 to enable or 0 to disable)
To turn on full dumps:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps
Value Name: DumpType
Value Type: DWORD
Value: (1 for mini-dump 2 for full dump)
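The registry steps above can be scripted. The following PowerShell is an added example, not N-able's own tooling: it reports the current 'Disabled' and 'DumpType' values under both keys and then writes DumpType. It assumes an elevated 64-bit PowerShell session, and the helper name Get-RegValue is hypothetical.

```powershell
# Added example: audit and set the WER values named in this article in both
# registry views. Save as a .ps1 file and run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    # 1 = mini-dump, 2 = full dump (values as given in the article)
    [ValidateSet(1, 2)]
    [int]$DumpType = 2
)

# Native key plus the Wow6432Node key used for 32-bit apps on 64-bit systems
$werKeys = @(
    'HKLM:\Software\Microsoft\Windows\Windows Error Reporting',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\Windows Error Reporting'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

foreach ($wer in $werKeys) {
    if (-not (Test-Path $wer)) {
        Write-Output "SKIP  $wer (key not present)"
        continue
    }
    $localDumps = Join-Path $wer 'LocalDumps'

    # Record the state before any change so it can be restored later
    [pscustomobject]@{
        Key      = $wer
        Disabled = Get-RegValue $wer 'Disabled'
        DumpType = Get-RegValue $localDumps 'DumpType'
    } | Format-List

    # Create LocalDumps if it is missing, then write DumpType as a DWORD
    if ($PSCmdlet.ShouldProcess($localDumps, "Set DumpType=$DumpType")) {
        if (-not (Test-Path $localDumps)) {
            New-Item -Path $localDumps -Force | Out-Null
        }
        New-ItemProperty -Path $localDumps -Name 'DumpType' `
            -PropertyType DWord -Value $DumpType -Force | Out-Null
        Write-Output "SET   $localDumps DumpType=$DumpType"
    }
}
```

Run it with -WhatIf to report the current values without changing anything, and with -DumpType 1 to return to mini-dumps once the agent dump has been collected.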
(Option 2) Task Manager
- On 64 bit machines, the default taskMgr is 64 bit and the dumps it produces do not capture information needed to analyze agent process dumps.
- This is because the agent process is 32bit and the corresponding debugger used to read the dump file must also be 32bit.
- Therefore the dump itself must be generated from a 32bit taskMgr, which knows how to read the 32bit parts out of the process to dump.
- The 32bit TaskMgr can be found at:
C:\Windows\SysWOW64\taskmgr.exe
(Option 3) Procdump
procdump.exe is a utility available from Microsoft.
A package containing both 32bit versions is available at live.sysinternals.com/procdump.exe
procdump can be run in a DOS box with the following parameters to capture a dump whenever agent.exe crashes.
This should catch exceptions of type c0000005 (access violation):
procdump.exe -ma -e 1 -n 1 -f violation -w agent.exe
To generate a dump when the agent exceeds a CPU limit of 80% use:
procdump -c 80 -u -mp -n 1 -o -w agent.exe