Just a quick blog post that details why you may receive an “Access Denied” when running PROCDUMP and a quick fix for this scenario.
Unable to dump a process with PROCDUMP due to an “Access Denied” error.
```
ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Error opening OWSTIMER.EXE (10008): Access is denied. (0x00000005, 5)
```
As you can see from my command window, I’m running the command prompt as “Administrator” and still seeing “access denied”. In this case the cause is that the user does not hold the “Debug Programs” user right in the local security policy. Without that right, the account running PROCDUMP cannot open a system process with the access a debugger (procdump in this example) needs in order to attach, even from an elevated prompt.
To resolve this issue, change the local security policy and add the user running PROCDUMP inside the “Debug Programs” policy.
When you are involved in resolving a difficult issue, the last thing you need is to troubleshoot the tools that are supposed to help you identify the issue. I hope this provided a quick fix so you can move on to creating and analyzing the process memory dump for the issue at hand.
- After making this change you will need to sign out of the PC and sign back in.
- In this example, I’m adding the local Administrators group, which is the default setting.
Now you should be able to attach to the target process and create a memory dump without error.
```
c:\tools\procdump> procdump -e -t -ma owstimer.exe

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Process:               OWSTIMER.EXE (10008)
Process image:         C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\OWSTIMER.EXE
CPU threshold:         n/a
Performance counter:   n/a
Commit threshold:      n/a
Threshold seconds:     n/a
Hung window check:     Disabled
Log debug strings:     Disabled
Exception monitor:     Unhandled
Exception filter:      [Includes]
                       *
                       [Excludes]
Terminate monitor:     Enabled
Cloning type:          Disabled
Concurrent limit:      n/a
Avoid outage:          n/a
Number of dumps:       1
Dump folder:           C:\tools\procdump\
Dump filename/mask:    PROCESSNAME_YYMMDD_HHMMSS
Queue to WER:          Disabled
Kill after dump:       Disabled

Press Ctrl-C to end monitoring without terminating the process.
```
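A quick pre-flight check that saves the round trip above: before running PROCDUMP, confirm that the current logon token actually carries the “Debug Programs” right (its internal name is SeDebugPrivilege) and see which accounts the local policy grants it to. This is an added example written for this post, not part of the original or of the Sysinternals tooling; it assumes a local (non-domain-managed) policy and uses only the built-in `whoami` and `secedit` commands. The function names are my own.

```powershell
# Added example: verify the "Debug Programs" user right before running ProcDump.
# Assumes local security policy (not overridden by a domain GPO) and an elevated prompt.

function Test-DebugPrivilegeInToken {
    # whoami /priv lists every privilege present in the current token.
    # A right that shows as "Disabled" still counts as held: ProcDump enables it
    # itself before opening the target process. What matters is whether the line exists.
    $line = whoami /priv | Where-Object { $_ -match '^SeDebugPrivilege\s' }
    return [bool]$line
}

function Test-IsElevated {
    # Running "as Administrator" is necessary but, as the post shows, not sufficient.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DebugPrivilegeAssignment {
    # secedit exports the effective local policy as an INI file; the
    # [Privilege Rights] section maps each user right to the SIDs that hold it.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $entry = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $entry) { return @() }

    # Values look like "*S-1-5-32-544,*S-1-5-21-..."; resolve each SID to a name.
    ($entry -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object Security.Principal.SecurityIdentifier($sid)).Translate(
                [Security.Principal.NTAccount]).Value
        } catch { $sid }   # leave unresolvable SIDs as-is
    }
}

# Usage: run this from the same prompt you intend to launch procdump from.
if (-not (Test-IsElevated)) {
    Write-Warning 'Prompt is not elevated; open it with "Run as administrator".'
}
if (Test-DebugPrivilegeInToken) {
    Write-Host 'SeDebugPrivilege is present in this token; ProcDump can attach.'
} else {
    Write-Warning 'SeDebugPrivilege is missing from this token.'
    Write-Host 'Accounts currently granted "Debug programs" by local policy:'
    Get-DebugPrivilegeAssignment | ForEach-Object { "  $_" }
    Write-Host 'Add your account (or make sure you are in a listed group), then sign out and back in.'
}
```

The policy itself lives under Local Security Policy (secpol.msc) > Local Policies > User Rights Assignment > Debug programs, and its default assignment is the local Administrators group (S-1-5-32-544), which is what the export shows on an unmodified machine. Because the token is built at logon, the first function keeps reporting the right as missing until you sign out and back in, which matches the note above. If the user is already a local administrator, leaving the assignment at its Administrators default and simply re-logging is the smaller change than adding individual accounts to the right.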