Configure Windows Event Log to Collect Memory Dump

In this article, we will look into configuring the Windows event log to collect a memory dump when an error or warning occurs.

We can use a built-in feature of the Event Log to configure a task that is fired when a specific event occurs. Let's look into it with an example. Open the Windows Event Viewer and select an error or warning event raised by your application. Click on "Attach a Task To this Event…" and follow the steps below:

Provide a name for the task and click on "Next":


Click on "Next":


Select option 1 (Start a program), which is needed to launch our tool (either ProcDump or ADPlus) to collect the dump when the event fires, and click "Next":


We will trigger the ProcDump tool to collect the full memory dump of w3wp.exe. If you use the ADPlus tool instead, point the task to adplus.vbs with the arguments "-pn w3wp.exe".


Click "Finish".


When the event above fires in the Event Viewer, ProcDump is launched and collects a full memory dump of w3wp.exe for further analysis.

We can delete the task created for an event by going to "Task Scheduler" -> "Task Scheduler Library" -> "Event Viewer Tasks" and choosing "Delete".


We can also attach a task at the log level, for example to the Application or System log, so that it is triggered whenever a new event is written to that log, by using the option "Attach a Task To this log…".

By using the above feature, we can trigger a task based on a specific event log entry and send an email or collect a dump.
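
The wizard steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it registers the same kind of event-triggered task with schtasks.exe and runs ProcDump against every w3wp.exe instance. The event source, event ID, paths and task name are placeholders or assumptions to replace with your own values.

```powershell
# Added example, not from the article: script the "Attach a Task To this Event..." wizard.
# Run from an elevated prompt. Source, event ID, paths and task name are placeholders.
$Channel  = 'Application'
$Provider = 'YourAppEventSource'     # placeholder: "Source" column in Event Viewer
$EventId  = 1000                     # placeholder: "Event ID" column in Event Viewer
$ProcDump = 'C:\Tools\procdump.exe'  # assumed install path (no spaces)
$DumpDir  = 'C:\Dumps'               # assumed dump folder (no spaces)
$TaskName = 'Dump-w3wp-on-event'     # hypothetical task name

# A full dump of w3wp.exe contains everything in the worker's memory (connection
# strings, session data, request bodies), so limit the folder to Administrators
# and SYSTEM. The same ACL keeps the wrapper script, which runs as SYSTEM, tamper-proof.
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
icacls $DumpDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# ProcDump refuses a process name that matches several processes, and a server
# with several application pools runs several w3wp.exe instances, so the wrapper
# dumps each instance by PID.
$Wrapper = Join-Path $DumpDir 'dump-w3wp.ps1'
@"
Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
    & '$ProcDump' -accepteula -ma `$_.Id '$DumpDir'
}
"@ | Set-Content -Path $Wrapper -Encoding ASCII

# Event filter for the trigger, written as an XPath query against the chosen log.
$Query = "*[System[Provider[@Name='$Provider'] and EventID=$EventId]]"

# -accepteula is needed because the task runs as SYSTEM with no desktop on which
# to answer the EULA prompt. Assumes the execution policy allows local scripts.
$Action = "powershell.exe -NoProfile -File $Wrapper"
schtasks.exe /Create /TN $TaskName /SC ONEVENT /EC $Channel /MO $Query `
    /TR $Action /RU SYSTEM /RL HIGHEST /F

# Review what was registered; delete the task once the dump has been captured.
schtasks.exe /Query /TN $TaskName /V /FO LIST
# schtasks.exe /Delete /TN $TaskName /F
```

Every matching event writes a new full dump per worker process, so remove the task once a usable dump has been collected to avoid filling the disk.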