We can create a dump file from a running application or active driver crash using WinDbg. After the dump file is collected, it can be copied to another machine to analyze and debug the problem (with symbols ofcourse). Here is a quick trick to get both, the dump and symbols.
First, to get a dump file with all information we using dump command. The .dump command creates a user-mode or kernel-mode crash dump file.
Syntax (please refer to msdn for more details on the options)
.dump Options FileName
0:000> .dump /mfht c:\Dumpfile.dmp
Creating c:\Dumpfile.dmp – mini user dump
Dump successfully written
.dump command has several options, but if we want a minidump with all information we just need to use /mfht where it saves full memory (accessible committed pages), data about handles and additional thread times for !runaway and .ttime commands.
After collecting the dump file we open it on the debugging machine using WinDbg and reload the symbols again. Then we use the .dumpcab command. The .dumpcab command creates a CAB file containing the current dump file. This is supported in both user mode and kernel mode across all platforms.
.dumpcab [-a] CabName
Causes all currently loaded symbols to be included in the CAB file. For minidumps, all loaded images will be included as well. Use lml to determine which symbols and images are loaded.
The CAB file name, including extension. CabName can include an absolute or relative path; relative paths are relative to the directory in which the debugger was started. It is recommended that you choose the extension .cab.
0:001> .dumpcab -a c:\fulldump
Creating a cab file can take a VERY VERY long time. Ctrl-C can only interrupt the command after a file has been added to the cab. Adding C:\Dumpfile.dmp – added Adding c:\publicsymbols\wntdll.pdb\E06BEA155E9748BEA818E2D0DD2FED952\wntdll.pdb – added Wrote c:\downloads\fulldump
The file fulldump.cab now has the dump file and all related symbols so we can copy it to another machine, unpack, load the dumps/symbols and start a debugging session.