Access Denied when running PROCDUMP

Summary

Just a quick blog post that details why you may receive an “Access Denied” when running PROCDUMP and a quick fix for this scenario.

Problem Description

Unable to dump a process with PROCDUMP due to an “Access Denied” error.

Example:

ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Error opening OWSTIMER.EXE (10008):
Access is denied. (0x00000005, 5)

Cause

As the output above shows, the command prompt was running elevated as “Administrator” and ProcDump still reported “access denied”. Running elevated is not enough on its own: the error occurs because the account running PROCDUMP has not been granted the “Debug Programs” user right (SeDebugPrivilege). Without that right, a debugger (procdump in this example) cannot open a handle with the access it needs to a process running under another account, such as the OWSTIMER.EXE service process here. By default the local Administrators group holds this right, so seeing the error from an elevated prompt usually means a hardening baseline or Group Policy has removed it.

Debug programs

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/debug-programs

Resolution

To resolve this issue, change the local security policy (Local Security Policy > Local Policies > User Rights Assignment > Debug programs) and add the user running PROCDUMP to the “Debug Programs” policy. On a domain-joined machine, note that a Group Policy setting for the same user right will overwrite the local change at the next policy refresh, so the right may need to be granted in the GPO instead.

Example:
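The following is an added PowerShell example, not a screenshot or script from the original post. It reproduces the resolution step from an elevated prompt: it first checks whether the current token holds SeDebugPrivilege (the “Debug programs” right) at all, then exports the effective local policy with secedit, adds the chosen account’s SID to the existing assignment, and applies only the USER_RIGHTS area. The file names under $env:TEMP and the $Account value are assumptions for this example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: $Account is the principal to grant the right to; the .inf/.sdb paths
# under $env:TEMP are arbitrary scratch files.
$Account = 'BUILTIN\Administrators'   # the default holder of the right; narrow to a specific account if possible

# 1. Check: does the current process token carry SeDebugPrivilege at all?
#    "Disabled" is fine (ProcDump enables it itself); a missing entry is the "Access is denied" case.
$priv = whoami /priv | Select-String 'SeDebugPrivilege'
if ($priv) { "Token holds SeDebugPrivilege: $($priv.Line.Trim())" }
else       { "Token does NOT hold SeDebugPrivilege - this is the 'Access is denied' case" }

# 2. Export the effective local security policy and read the current assignment.
#    secedit writes the export as UTF-16 with a BOM, which Get-Content detects automatically.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Select-String '^SeDebugPrivilege' | Select-Object -First 1
"Current assignment: " + $(if ($line) { $line.Line } else { 'SeDebugPrivilege = (nobody)' })

# 3. Resolve the account name to its SID; secedit expects the *S-1-... form.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

# 4. Keep every existing holder of the right and append the new SID (deduplicated),
#    so the change is additive rather than replacing the assignment.
$existing = if ($line) { ($line.Line -split '=')[1].Trim() } else { '' }
$members  = @($existing -split ',' | Where-Object { $_ }) + "*$sid" | Select-Object -Unique

# 5. Write a minimal template containing only the Privilege Rights section and apply
#    only the USER_RIGHTS area, so nothing else in the local policy is touched.
$inf = Join-Path $env:TEMP 'secpol-debug.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = $($members -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode

secedit /configure /db (Join-Path $env:TEMP 'secpol-debug.sdb') /cfg $inf /areas USER_RIGHTS /quiet

# 6. Re-export to confirm the assignment now contains the SID. The right only appears in a
#    token created after this point, so sign out and back in before re-running procdump.
secedit /export /cfg $cfg /quiet | Out-Null
Get-Content $cfg | Select-String '^SeDebugPrivilege'
"Sign out and back in so the new logon token includes the right."
```

Because SeDebugPrivilege lets its holder read and modify the memory of any process on the machine, grant it to the specific account that runs ProcDump rather than broadening the group, and remove it again once the dumps have been collected. The step 1 check is also the quickest way to tell this failure apart from an ordinary non-elevated prompt: an elevated Administrators token normally lists SeDebugPrivilege as Disabled, and its complete absence points at the policy rather than at UAC.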

Conclusion

When you are involved in resolving a difficult issue, the last thing you need is to troubleshoot the tools that are meant to help you identify the issue. I hope this provided a quick fix so you can move on to creating and analyzing the process memory dump for the issue at hand.

Important Notes:

  • After making this change you will need to sign out of the PC and sign back in, because user rights are only added to a token at logon.
  • In this example, I’m adding the local Administrators group, which is the default setting.

Now you should be able to attach to the target process and create a memory dump without error.

Example:

c:\tools\procdump> procdump -e -t -ma owstimer.exe
ProcDump v9.0 - Sysinternals process dump utility
Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com


Process: OWSTIMER.EXE (10008)
Process image: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\OWSTIMER.EXE

CPU threshold: n/a
Performance counter: n/a
Commit threshold: n/a
Threshold seconds: n/a
Hung window check: Disabled
Log debug strings: Disabled
Exception monitor: Unhandled


Exception filter: 
[Includes]
 * 
[Excludes]

Terminate monitor: Enabled
Cloning type: Disabled
Concurrent limit: n/a
Avoid outage: n/a
Number of dumps: 1
Dump folder: C:\tools\procdump\
Dump filename/mask: PROCESSNAME_YYMMDD_HHMMSS
Queue to WER: Disabled
Kill after dump: Disabled

Press Ctrl-C to end monitoring without terminating the process.
