Unable to capture a dump: error "Could not attach to process XXXX, NTSTATUS 0xC0000048"

Problem Description

=================

We tried to use ADPlus to capture a dump file, but the resulting dump files were all under 20K.

We tried it many times.

Troubleshooting

=================

I tried launching ADPlus from a command prompt started with "PsExec.exe -s -i -d cmd.exe". No luck.

I tried to attach WinDBG to the process, but it failed with the error below.

[Screenshot: WinDBG attach error dialog]

The detailed message is as follows.

---------------------------

Could not attach to process 1272, NTSTATUS 0xC0000048

已试图设置进程的 DebugPort 或 ExceptionPort,但该进程中已存在端口,或试图设置文件的 CompletionPort,但文件中已设置端口,或已试图设置 ALPC 端口的相关完成端口,但该端口已设置。

After more research, we found the root cause and the solution.

We saw DebugDiag, and we asked the customer to open it. We saw the dialog below.

[Screenshot: DebugDiag dialog]

There it is! 1272 is our SharePoint w3wp.exe process.

 

Root Cause

========================

DebugDiag was already attached to the process.

DebugDiag has rules that can attach to a target process. Even after a rule has completed, it won’t let go of the process.

In other words, the debug port is still occupied by DebugDiag, so other debuggers such as WinDBG or CDB.exe cannot attach and write a dump file.

 

Solution

========================

1. Clear the Rules in DebugDiag.

2. Kill the following processes in Task Manager.

· DbgSvc.exe

· Dbghost.exe

Problem Resolved.

Dump can now be successfully written.
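
A pre-flight check for the condition described above, as an added example that is not part of the original post: it asks Windows whether the target PID already has a debugger attached and lists the two DebugDiag processes named in the Solution. The parameter names $TargetPid and $StopDebugDiag are hypothetical, and the script assumes it is run from an elevated prompt.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [int] $TargetPid,   # PID you want to dump, e.g. the w3wp.exe PID
    [switch] $StopDebugDiag                    # hypothetical switch: perform Solution step 2
)

# P/Invoke wrapper for the documented kernel32 API CheckRemoteDebuggerPresent.
Add-Type -Namespace Win32 -Name DebugCheck -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, out bool present);
'@

$target   = Get-Process -Id $TargetPid -ErrorAction Stop
$attached = $false
if (-not [Win32.DebugCheck]::CheckRemoteDebuggerPresent($target.Handle, [ref] $attached)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CheckRemoteDebuggerPresent failed for PID $TargetPid (Win32 error $err)"
}

# The two DebugDiag processes named in the Solution section.
$debugDiag = @(Get-Process -Name DbgSvc, DbgHost -ErrorAction SilentlyContinue)

if (-not $attached) {
    Write-Output "PID $TargetPid ($($target.ProcessName)): no debugger attached."
    return
}

Write-Warning ("PID $TargetPid ($($target.ProcessName)) already has a debugger attached; " +
               "a second attach fails with NTSTATUS 0xC0000048.")
if ($debugDiag.Count -eq 0) {
    Write-Output 'No DbgSvc/DbgHost process found; another debugger holds the debug port.'
    return
}
$debugDiag | Select-Object Id, ProcessName, StartTime | Format-Table -AutoSize

if ($StopDebugDiag) {
    # Step 1 (clear the rules in the DebugDiag UI) has to be done by hand first.
    $debugDiag | Stop-Process -Force
    Write-Output 'Stopped DbgSvc/DbgHost. Re-run this script to confirm the debug port is free.'
}
```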

 

Lesson Learned

========================

Be careful with DebugDiag. When its rules are finished, it won’t let go of the process.

 

Reference

========================

How to resolve "Cannot debug pid <pid>, NTSTATUS 0xC0000048" - "An attempt to set a process's DebugPort or ExceptionPort was made ..."

http://blogs.msdn.com/b/spike/archive/2011/10/21/how-to-resolve-quot-cannot-debug-pid-lt-pid-gt-ntstatus-0xc0000048-quot-quot-an-attempt-to-set-a-process-s-debugport-or-exceptionport-was-made-quot.aspx?CommentPosted=true#commentmessage
