, , procdump , , -r reflect/clone. 90 , IIS , . Procdump " " " ReadProcessMemory WriteProcessMemory " , , , .
, Resouce, Process Explorer PsSuspend svchost.exe -k iissvcs, procdump. PowerShell script, w3wp :
#Prevent IIS from recycling the process during procdump and causing an Access Denied error message
$iispid = Get-Process svchost | ?{$_.modules.ModuleName -eq "iisw3adm.dll"} | Select -First 1 -ExpandProperty Id
$workerpid = Get-Process w3wp | Sort ws -Descending | Select -First 1 -ExpandProperty Id
cd ~\Downloads #move to location where you want to save the dump files
#Add -accepteula to the sysinternals calls if you want to bypass the initial EULA prompt on new servers
& "c:\sysinternals\pssuspend.exe" $iispid
Write-Output "Creating memory dump for w3wp PID $workerpid"
& "c:\sysinternals\procdump.exe" -ma $workerpid
& "c:\sysinternals\pssuspend.exe" $iispid -r
:
PS> & "\\dfshare\sysinternals\pssuspend.exe" $iispid
PsSuspend v1.06 - Process Suspender
Copyright โ 2001-2003 Mark Russinovich
Sysinternals
Process 49836 suspended.
PS> & "\\dfshare\sysinternals\procdump.exe" -ma 98340
ProcDump v8.2 - Sysinternals process dump utility
Copyright (C) 2009-2016 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[01:03:24] Dump 1 initiated: C:\Users\gbray\Downloads\w3wp.exe_161230_010324.dmp
[01:03:29] Dump 1 writing: Estimated dump file size is 19347 MB.
[01:05:14] Dump 1 complete: 19350 MB written in 109.8 seconds
[01:05:14] Dump count reached.
PS> & "\\dfshare\sysinternals\pssuspend.exe" $iispid -r
PsSuspend v1.06 - Process Suspender
Copyright โ 2001-2003 Mark Russinovich
Sysinternals
Process 49836 resumed.
, iissvcs, iisreset .