During the course of various investigations, the need sometimes arises to collect process dumps for analysis. There are various ways of doing this, using tools such as ProcDump, but I still like using ADPlus.
Unfortunately, to obtain ADPlus you need to download and install the Debugging Tools for Windows, which are now part and parcel of the WDK or SDK, or you can use the Visual Studio debugger. Getting the average customer/end user to install that is difficult; it can involve things like change control. Because of this, I decided to try and find out the bare minimum needed to generate ADPlus process dumps without installing the full Debugging Tools for Windows on an end system.
You never know when it might come in handy, and I have actually used this a couple of times since I figured it out.
The files can be downloaded here and are from the Windows 8.1 debugger rather than the newer Windows 10 version. Below are the details on what to do:
- Add the user to the Debug Programs group:
  - Start > Run > SecPol
  - Expand Local Policies > User Rights Assignment
  - Locate Debug Programs, right-click and select Properties.
  - Add the logged-in user's account to the list if it is not already present.
- Extract the files from the zip folder to a directory, e.g. c:\temp
  - The password for the zip file is techwitch.
  - There should be 4 files extracted: adplus.exe, adplus_old.vbs, adplusext.dll and cdb.exe.
- Add the location you extracted the ADPlus files to the system/user path:
  - Start > Run > CMD
  - Type setx path "%path%;c:\temp"
- Run ADPlus:
  - At a command prompt, browse to the directory where you extracted the files.
  - Type adplus_old.vbs
  - At the prompts click Yes / OK
  - Type the following, replacing nameofprocess and c:\directoryfordumpfiles with the correct process name and dump-file directory:
  - adplus -pn nameofprocess -crash -o c:\directoryfordumpfiles
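The steps above, wrapped into one PowerShell script as an added example (this is not code from the original post). It assumes the four files were extracted to the directory given in $ToolDir, checks for the Debug Programs right via whoami /priv before launching, and uses the same adplus -crash switches as the post; the parameter names and the C:\dumps default are my own.

```powershell
# Added example: run ADPlus in crash mode from the minimal file set described above.
param(
    [Parameter(Mandatory)] [string]$ProcessName,   # e.g. notepad.exe
    [string]$ToolDir = 'C:\temp',                   # where the four files were extracted
    [string]$DumpDir = 'C:\dumps'                   # where dump files should be written (assumed default)
)

# 1. Verify the minimal file set is present before doing anything else.
$required = 'adplus.exe', 'adplus_old.vbs', 'adplusext.dll', 'cdb.exe'
$missing  = $required | Where-Object { -not (Test-Path (Join-Path $ToolDir $_)) }
if ($missing) {
    throw "Missing ADPlus files in ${ToolDir}: $($missing -join ', ')"
}

# 2. The Debug Programs user right shows up as SeDebugPrivilege in the token.
#    It is only picked up at logon, so a freshly assigned right needs a log off/on.
if (-not (whoami /priv | Select-String -SimpleMatch 'SeDebugPrivilege')) {
    Write-Warning 'SeDebugPrivilege not in current token; assign Debug Programs in secpol and log off/on.'
}

# 3. Make sure the target process is actually running (Get-Process wants the name without .exe).
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ProcessName)
if (-not (Get-Process -Name $baseName -ErrorAction SilentlyContinue)) {
    throw "No running process named $ProcessName"
}

# 4. Create the dump directory and put the tools on the path for this session only
#    (setx, as in the steps above, makes the change persistent instead).
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
$env:Path = "$env:Path;$ToolDir"

# 5. Attach in crash mode: ADPlus writes a dump when the process raises an unhandled exception.
& (Join-Path $ToolDir 'adplus.exe') -pn $ProcessName -crash -o $DumpDir
```

Run it as `.\Start-AdplusCrash.ps1 -ProcessName notepad.exe` (script name assumed); ADPlus stays attached until the process exits or faults, so leave the window open.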