Process dumps of 32-bit processes on 64-bit operating systems

Sometimes it is necessary to snapshot the state of a process into a process dump file in order to analyze it in a debugger afterwards. Even though this is usually straightforward, creating process dumps of 32-bit processes on a 64-bit operating system has some traps. Not paying attention to the architecture of the process can lead to unusable dump files. This article tries to bring some light into this topic.

Background

As with processes, there are 32-bit and 64-bit dump files. Usually it is the architecture of the process that initiates the dump creation, not that of the process being dumped, which determines whether a 32-bit or a 64-bit dump is written. The reason is that on 64-bit operating systems 32-bit processes run inside a 32-bit Windows emulation layer called Windows-on-Windows64 (WOW64). Every 32-bit process therefore also has a small 64-bit part, which is what lets it integrate seamlessly into an otherwise fully 64-bit operating system. If a 64-bit dump of a 32-bit process is created by mistake, it contains the 64-bit view of the process, including the user-mode parts of this WOW64 emulation, rather than the 32-bit view you actually want to debug.

Rude awakening

What happens when you open a 64-bit dump of a 32-bit process in Visual Studio back at your desk depends slightly on the Visual Studio version. Visual Studio 2012 tells you immediately: “Debugging a 64-bit dump of a 32-bit process is not supported, please collect a 32-bit dump of a 32-bit process.” With earlier versions debugging starts without complaint, but the call stacks only show a few frames from “wow64cpu” and nothing of your own code. Either way, you will have to discard the dumps and visit the site a second time to collect new ones. (WinDbg is more forgiving: with the 64-bit dump loaded, the command !wow64exts.sw switches to the 32-bit context of the WOW64 process. That can rescue an otherwise wasted dump, but it is no substitute for collecting the right one in the first place.)

The simple solution

As mentioned already, the solution is rather easy. If you create your dumps with Task Manager, WinDbg or ADPlus, you only have to use the 32-bit version of these programs. You will find them in C:\Windows\SysWOW64 (taskmgr.exe) or in the 32-bit debugging tools under C:\Program Files (x86)\… respectively. Use Task Manager to check the architecture: on Windows 7 a 32-bit process is shown with a “*32” suffix after its name, on Windows 8 and later with “(32 bit)”. As long as the process that initiates the dump and the process being investigated both carry that marker, nothing should go wrong anymore. The other way around, if the investigated process is a 64-bit process (no 32-bit marker in Task Manager), use a 64-bit dumping initiator.
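The check described in the Background and The simple solution sections, as an added example that is not code from the original article: a PowerShell script that asks Windows whether the target runs under WOW64, compares that with the bitness of the PowerShell it runs in, and only then writes the dump with MiniDumpWriteDump. The function and type names (Test-Is32BitProcess, Write-ProcessDump, DumpHelper.Native) are chosen here; IsWow64Process and MiniDumpWriteDump are the documented kernel32/dbghelp APIs.

```powershell
# Added example, not code from the original article: dump a process with
# MiniDumpWriteDump, but refuse when the architecture of this PowerShell
# (the initiator) differs from that of the target process.
# Assumes: Windows, PowerShell 5.1 or later, and enough rights to open the
# target (run elevated for processes of other users).

Add-Type -Namespace DumpHelper -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);

[DllImport("dbghelp.dll", SetLastError = true)]
public static extern bool MiniDumpWriteDump(
    IntPtr hProcess, uint processId, IntPtr hFile, int dumpType,
    IntPtr exceptionParam, IntPtr userStreamParam, IntPtr callbackParam);
'@

function Test-Is32BitProcess {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # On a 64-bit OS a process is 32-bit exactly when it runs under WOW64;
    # on a 32-bit OS every process is 32-bit and IsWow64Process reports false.
    if (-not [Environment]::Is64BitOperatingSystem) { return $true }
    $wow64 = $false
    if (-not [DumpHelper.Native]::IsWow64Process($Process.Handle, [ref]$wow64)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "IsWow64Process failed for PID $($Process.Id), Win32 error $err"
    }
    return $wow64
}

function Write-ProcessDump {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$Path
    )
    $proc = Get-Process -Id $ProcessId
    $targetBits = if (Test-Is32BitProcess $proc) { 32 } else { 64 }
    $selfBits   = if ([Environment]::Is64BitProcess) { 64 } else { 32 }

    if ($targetBits -ne $selfBits) {
        # This is the trap from the article: the initiator's architecture wins,
        # so a 64-bit PowerShell would write a 64-bit dump of a 32-bit process.
        # Tell the user which PowerShell to re-run from instead.
        $dir = if ($targetBits -eq 32) { 'SysWOW64' } else { 'System32' }
        $msg = "Architecture mismatch: PID $ProcessId is $targetBits-bit but this PowerShell is $selfBits-bit. " +
               "Re-run from $env:WINDIR\$dir\WindowsPowerShell\v1.0\powershell.exe"
        throw $msg
    }

    # MiniDumpWithFullMemory (0x2): include all user-mode memory so heap and
    # data structures are available in the debugger, not only the stacks.
    $MiniDumpWithFullMemory = 0x2
    # .NET resolves relative paths against its own working directory, so
    # turn the PowerShell path into a full provider path first.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    $file = [IO.File]::Create($fullPath)
    try {
        $ok = [DumpHelper.Native]::MiniDumpWriteDump(
            $proc.Handle, [uint32]($proc.Id), $file.SafeFileHandle.DangerousGetHandle(),
            $MiniDumpWithFullMemory, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    } finally {
        $file.Dispose()
    }
    if (-not $ok) { throw "MiniDumpWriteDump failed for PID $ProcessId, Win32 error $err" }
    "Wrote $targetBits-bit dump of PID $ProcessId ($($proc.ProcessName)) to $fullPath"
}

# Usage: Write-ProcessDump -ProcessId 1234 -Path C:\dumps\proc.dmp
```

Run it from the PowerShell whose bitness matches the target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe for a 32-bit process, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe for a 64-bit one. If you start the wrong one, the script stops before touching the target and names the right executable, which is exactly the check the Task Manager “*32” / “(32 bit)” marker lets you do by eye.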

Learn about zenon on www.copadata.com
