Crash corrupts log file

  • Question

  • Hi All. 

    I'm trying to use Procmon to diagnose a problem on a machine that crashes as it returns from an extended period in sleep/hibernation mode. The Windows event viewer can see that the machine rebooted unexpectedly, but can't see a cause. The crash can happen at any point in the wake-up process up to the desktop being displayed.

    I started Procmon before I put the machine to sleep yesterday evening. Then this morning, I brought it out of sleep, and the machine crashed again, not long before the logon screen would have been displayed, so the system background was displayed, and services and apps would have been running. After the reboot (which is always successful), I checked the procmon log saved to disk, to find it corrupt.

    I guess ProcMon had the log file open when the machine crashed, but I can't believe that such an important diagnostic tool, used and loved for years, wouldn't have crash resiliency. It must be one of its main uses.

    Is there an appropriate way I should be setting the app up? I have it saving to a file rather than to the page file because I thought a log saved in the page file would be lost when the machine restarted. Am I wrong?

    Can anyone help please?

    Many thanks, Corin


    Saturday, November 7, 2020 12:22 PM

All replies

  • If the machine crashes, it is better to get a crash dump and analyze it.

    Follow the instructions here and prepare the machine to get a dump using CTRL+Scroll Lock+Scroll Lock.

    Forcing a System Crash from the Keyboard - Windows drivers | Microsoft Docs

    This is needed just to verify that you can successfully get a dump out of a system crash.

    Then configure Windows to get a full memory dump in case of a crash.

    Collect the dump and send it to Microsoft if you are not able to analyze it by yourself.

    HTH
    -mario

    Sunday, November 8, 2020 10:20 AM
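
The setup steps from the reply above, as an added example that is not part of the thread: a PowerShell script that reports (and with `-Apply` sets) the registry values Microsoft documents for a complete memory dump and the keyboard-initiated crash. It assumes an elevated prompt, and the page file check at the end is only informational.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Without -Apply the script only reports; with -Apply it writes the values.
param([switch]$Apply)

$desired = @(
    # CrashDumpEnabled = 1 selects a complete ("full") memory dump
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Name = 'CrashDumpEnabled'; Value = 1 },
    # Keyboard-initiated crash for USB keyboards
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
       Name = 'CrashOnCtrlScroll'; Value = 1 },
    # Same setting for PS/2 keyboards
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
       Name = 'CrashOnCtrlScroll'; Value = 1 }
)

$changed = $false
foreach ($s in $desired) {
    # Missing values come back as $null rather than raising an error
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                -ErrorAction SilentlyContinue).($s.Name)
    $state = if ($current -eq $s.Value) { 'OK' } else { 'MISMATCH' }
    '{0}\{1}: current={2} wanted={3} [{4}]' -f `
        $s.Path, $s.Name, $current, $s.Value, $state

    if ($state -eq 'MISMATCH' -and $Apply) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        $changed = $true
    }
}

# Where the dump will be written after the next bugcheck
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
"Dump file: $($cc.DumpFile)"

# Informational: a complete dump is staged through the page file, so compare
# its allocated size with installed RAM before relying on it.
$ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
"Installed RAM: $ramMB MB"
Get-CimInstance Win32_PageFileUsage | ForEach-Object {
    "Page file $($_.Name): $($_.AllocatedBaseSize) MB allocated"
}

if ($changed) { 'Values written. Restart before testing the keyboard crash.' }
```

After the restart, hold the right CTRL key and press Scroll Lock twice to confirm that a dump is actually produced before waiting for the real crash.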
  • ProcMon is not the right tool in this scenario as it needs to be stopped gracefully or the PML file will be of no use.

    Try collecting a crash dump or a circular XBootMgr trace.

     
    Thursday, November 26, 2020 10:14 AM