Question

Here is my registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpType"=dword:00000000
"CustomDumpFlags"=dword:00000006

According to this article DumpType=0 means custom dump and then CustomDumpFlags is taken into account. According to this article CustomDumpFlags=6 means MiniDumpWithFullMemory | MiniDumpWithHandleData, where:

  • MiniDumpWithFullMemory - Include all accessible memory in the process. The raw memory data is included at the end, so that the initial structures can be mapped directly without the raw memory information. This option can result in a very large file.
  • MiniDumpWithHandleData - Include high-level information about the operating system handles that are active when the minidump is made.

Now I have a crash-me application, so I run it, it crashes, the dump is created in %userprofile%\AppData\Local\CrashDumps, I open it in windbg and see the following line there:

User Mini Dump File with Full Memory: Only application data is available

Which is equivalent to CustomDataFlags=2

So, how am I expected to create a dump with the handle data in it? If possible, I would like to use no third parties.

My OS is Windows 8 or Windows 2008R2 server or higher.


Solution

Try .dumpdebug, which is an undocumented command. At the top of the output there should be the flags:

0:006> .dumpdebug
----- User Mini Dump Analysis

MINIDUMP_HEADER: Version         A793 (62F0) NumberOfStreams 15 Flags  41826
                0002 MiniDumpWithFullMemory
                0004 MiniDumpWithHandleData
                0020 MiniDumpWithUnloadedModules
                0800 MiniDumpWithFullMemoryInfo
                1000 MiniDumpWithThreadInfo
                40000 MiniDumpWithTokenInformation

If you dislike the verbose output, you can filter it with a find command on the shell:

.shell -ci ".dumpdebug" find "MiniDumpWith"
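
The flags that .dumpdebug prints come from the Flags field of the dump's MINIDUMP_HEADER, so they can also be read straight from the file without a debugger. The Python below is an added example, not part of the original answer: it parses the 32-byte header and decodes the MINIDUMP_TYPE bits. The function names are hypothetical, and the sample header is constructed from the Version, NumberOfStreams and Flags values shown above, with placeholder values for the remaining fields.

```python
import struct
import sys

# MINIDUMP_HEADER (32 bytes, little-endian): Signature, Version, NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp (32-bit each), then 64-bit Flags.
HEADER = struct.Struct("<4sIIIIIQ")

# MINIDUMP_TYPE names in bit order: entry i corresponds to bit (1 << i).
NAMES = ["WithDataSegs", "WithFullMemory", "WithHandleData", "FilterMemory",
         "ScanMemory", "WithUnloadedModules", "WithIndirectlyReferencedMemory",
         "FilterModulePaths", "WithProcessThreadData", "WithPrivateReadWriteMemory",
         "WithoutOptionalData", "WithFullMemoryInfo", "WithThreadInfo", "WithCodeSegs",
         "WithoutAuxiliaryState", "WithFullAuxiliaryState", "WithPrivateWriteCopyMemory",
         "IgnoreInaccessibleMemory", "WithTokenInformation", "WithModuleHeaders",
         "FilterTriage"]
MINIDUMP_TYPE = {1 << i: "MiniDump" + n for i, n in enumerate(NAMES)}

def parse_header(data):
    """Return the fields of a MINIDUMP_HEADER found at the start of data."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, version, streams, _rva, _checksum, timestamp, flags = HEADER.unpack_from(data)
    if sig != b"MDMP":
        raise ValueError("bad signature, not a user-mode minidump")
    # Low word of Version is the format version; high word is implementation-specific.
    return {"version": version & 0xFFFF, "impl_version": version >> 16,
            "streams": streams, "timestamp": timestamp, "flags": flags}

def decode_flags(flags):
    """List the MINIDUMP_TYPE names set in flags, lowest bit first."""
    names = [name for bit, name in MINIDUMP_TYPE.items() if flags & bit]
    rest = flags & ~sum(MINIDUMP_TYPE)
    if rest:
        names.append("bits outside this table: 0x%X" % rest)
    return names or ["MiniDumpNormal"]

def sample_header():
    """Constructed header; Version, stream count and Flags are taken from the output above."""
    return HEADER.pack(b"MDMP", 0x62F0A793, 15, 32, 0, 0, 0x41826)

if __name__ == "__main__":
    # With a dump path as argument, read that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            raw = f.read(HEADER.size)
    else:
        raw = sample_header()
    hdr = parse_header(raw)
    print("Flags %X" % hdr["flags"])
    print("\n".join("    " + n for n in decode_flags(hdr["flags"])))
```

Since handle data, token information and full process memory can all hold sensitive material, the same check is useful for auditing what a collected crash dump actually contains before it is shared.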
License: CC-BY-SA with attribution
Not affiliated with StackOverflow