Summary
Just a quick blog post that details why you may receive an “Access Denied” when running PROCDUMP and a quick fix for this scenario.
Problem Description
Unable to dump a process with PROCDUMP due to an “Access Denied” error.
Example:
ProcDump v9.0 – Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals – www.sysinternals.com
Error opening OWSTIMER.EXE (10008): Access is denied. (0x00000005, 5)
Cause
As you can see from my command window, I'm running the command prompt as "Administrator" and still seeing "access denied". In this case the issue is that the account running PROCDUMP does not hold the "Debug programs" user right (SeDebugPrivilege) from Local Security Policy. Elevation on its own is not enough: to dump a process that runs under a different account, such as the SharePoint timer service here, procdump must open a handle to that process with read and query access, and that process's own security descriptor need not grant your account anything. SeDebugPrivilege lets a debugger bypass that DACL check; without it the OpenProcess call fails with Win32 error 5, which is exactly what procdump reports. The right is granted to the local Administrators group by default, so an elevated administrator only sees this error when the policy has been changed, typically by a domain Group Policy that overrides the local setting. A quick check from the same console is `whoami /priv`: if SeDebugPrivilege is not listed at all, your logon token was built without it (a "Disabled" state is fine, procdump enables it itself).
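Added here as an example, not code from the original post: the same checks procdump makes, reproduced in PowerShell so you can see which step fails before changing any policy. It assumes an elevated PowerShell prompt on the machine where procdump reports error 5; the Win32 access-mask values and the OWSTIMER process name are the only inputs.

```powershell
# Added example, not code from the original post: reproduce procdump's
# access check from PowerShell so you can see which step fails. Assumes an
# elevated PowerShell prompt on the machine where procdump reports error 5.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Test-DebugPrivilege {
    # Do what procdump does before touching the target: enable SeDebugPrivilege
    # on this process's token. This can only succeed if the privilege is in the
    # token at all, and that is what the "Debug programs" policy controls. An
    # elevated prompt by itself does not add it; "whoami /priv" simply does not
    # list SeDebugPrivilege when the logon token was built without it.
    try {
        [System.Diagnostics.Process]::EnterDebugMode()
        return 'SeDebugPrivilege is present in the token and is now enabled'
    } catch {
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        # Win32 error 1300 (ERROR_NOT_ALL_ASSIGNED) is the "policy not set" case.
        return "Cannot enable SeDebugPrivilege: $($inner.Message)"
    }
}

function Get-DebugProgramsAssignment {
    # Read the effective local assignment of "Debug programs" by exporting the
    # user-rights area of the local security database to a template file.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return 'SeDebugPrivilege is assigned to no one' }
    # Holders are listed as "*SID" (e.g. *S-1-5-32-544 = BUILTIN\Administrators)
    # or as account names; resolve the SIDs so the output is readable.
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
            "$entry -> $name"
        } else {
            $entry
        }
    }
}

function Test-ProcessOpen {
    param([Parameter(Mandatory)][int]$ProcessId)
    # MiniDumpWriteDump, which procdump uses to write the dump, needs at least
    # PROCESS_QUERY_INFORMATION (0x0400) and PROCESS_VM_READ (0x0010) on the
    # handle. Without an enabled SeDebugPrivilege this request is checked
    # against the target process's own DACL, which for a service running as
    # another account need not grant anything to your account.
    $access = [uint32](0x0400 -bor 0x0010)
    $handle = [Win32.Native]::OpenProcess($access, $false, [uint32]$ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        $err  = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $hint = if ($err -eq 5) { ' (Access is denied, the same error procdump shows)' } else { '' }
        return "OpenProcess($ProcessId) failed with Win32 error $err$hint"
    }
    [void][Win32.Native]::CloseHandle($handle)
    return "OpenProcess($ProcessId) succeeded; procdump should be able to dump it"
}

# Usage: run the three checks against the timer service process from the post.
# Test-DebugPrivilege runs first on purpose so that the OpenProcess test reflects
# the state procdump would be in (privilege enabled if the token has it).
Test-DebugPrivilege
Get-DebugProgramsAssignment
$target = Get-Process -Name OWSTIMER -ErrorAction SilentlyContinue | Select-Object -First 1
if ($target) { Test-ProcessOpen -ProcessId $target.Id } else { 'OWSTIMER.EXE is not running on this machine' }
```

If the first check reports that SeDebugPrivilege cannot be enabled while the second still lists BUILTIN\Administrators as a holder, you are looking at a stale logon token: sign out and back in, as the resolution below describes, and run the checks again.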
Debug programs
Resolution
To resolve this issue, open Local Security Policy (secpol.msc), go to Local Policies > User Rights Assignment > Debug programs, and add the account or group that will be running PROCDUMP. If the machine receives this setting from a domain Group Policy, the local change will be overwritten at the next policy refresh, so the policy has to be changed there instead.
Example:
Conclusion
When you are involved in resolving a difficult issue, the last thing you need is to troubleshoot the tools that are used to help you identify the issue. I hope this provided a quick fix and you can move on to creating and analyzing the process memory dump for the issue at hand.
Important Notes:
- After making this change you will need to sign out of the PC and sign back in. User rights are placed in the logon token when it is created, so existing sessions (and existing command prompts) do not pick up the new right.
- In this example, I’m adding the local Administrators group which is the default setting.
Now you should be able to attach to the target process and create a memory dump without error. In the example below, -e dumps when the process throws an unhandled exception, -t dumps when it terminates, and -ma writes a full memory dump.
Example:
c:\tools\procdump> procdump -e -t -ma owstimer.exe

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Process:               OWSTIMER.EXE (10008)
Process image:         C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\OWSTIMER.EXE
CPU threshold:         n/a
Performance counter:   n/a
Commit threshold:      n/a
Threshold seconds:     n/a
Hung window check:     Disabled
Log debug strings:     Disabled
Exception monitor:     Unhandled
Exception filter:      [Includes]
                       [Excludes]
Terminate monitor:     Enabled
Cloning type:          Disabled
Concurrent limit:      n/a
Avoid outage:          n/a
Number of dumps:       1
Dump folder:           C:\tools\procdump\
Dump filename/mask:    PROCESSNAME_YYMMDD_HHMMSS
Queue to WER:          Disabled
Kill after dump:       Disabled

Press Ctrl-C to end monitoring without terminating the process.
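The same policy change made from the command line, added here as an example and not part of the original post. It uses secedit, which is what the Local Security Policy console drives underneath, and it keeps the post's choice of granting the right to the local Administrators group (SID S-1-5-32-544). It assumes an elevated PowerShell prompt; the account name CONTOSO\svc-sharepoint in the usage line is a placeholder.

```powershell
# Added example, not code from the original post: grant "Debug programs"
# (SeDebugPrivilege) with secedit instead of the Local Security Policy MMC.
# Assumes an elevated PowerShell prompt. Account names below are placeholders.

function Grant-DebugPrograms {
    param(
        # Accounts that should hold SeDebugPrivilege. The default is the post's
        # choice and the OS default: BUILTIN\Administrators (*S-1-5-32-544).
        # Entries are either "*SID" or an account name such as DOMAIN\user.
        [string[]]$Account = @('*S-1-5-32-544')
    )
    $work   = Join-Path $env:TEMP 'sedebug'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $export = Join-Path $work 'current.inf'
    $apply  = Join-Path $work 'apply.inf'
    $db     = Join-Path $work 'apply.sdb'

    # secedit /configure REPLACES the holder list for every right named in the
    # template, so read the current holders first and merge, rather than
    # silently removing whoever already had the right.
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $current = @()
    $line = Get-Content $export | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    if ($line) { $current = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } }
    $merged = @($current + $Account | Where-Object { $_ } | Select-Object -Unique)

    # Minimal security template. The [Unicode] and [Version] headers are
    # required, and the file itself must be UTF-16 because Unicode=yes.
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = $($merged -join ',')
"@
    Set-Content -Path $apply -Value $template -Encoding Unicode

    secedit /configure /db $db /cfg $apply /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

    # Re-export and return the effective line so the change can be verified.
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    Get-Content $export | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
}

# Usage: keep Administrators (the default) and add the placeholder account that
# runs procdump. This applies the change immediately; sign out and back in
# afterwards, because the right only lands in logon tokens created after it.
Grant-DebugPrograms -Account '*S-1-5-32-544', 'CONTOSO\svc-sharepoint'
```

If the returned line does not contain the account you added, or reverts after a while, check with `gpresult /r` whether a domain Group Policy assigns "Debug programs"; a GPO setting wins over this local change at the next refresh.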
Awesome post! Keep up the great work!
Great content! Super high-quality! Keep it up!
Greetings! I know this is somewhat off topic but I was wondering which blog platform are you using for this site? I'm getting tired of WordPress because I've had problems with hackers and I'm looking at options for another platform. It would be fantastic if you could point me in the direction of a good platform.
I actually use WordPress, and with some popular add-ons you can prevent people from trying to hack and make self-promoting comments /wink.