Collect Process Crashdumps on Windows for Sfc Process

Available Languages

Download Options

  • PDF     (489.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (623.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (403.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 24, 2025
Document ID:222893

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to collect Process crashdumps on Windows for sfc process.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Endpoint connector
    • Command Prompt Windows

    Componenets Used

    This document is not restricted to software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Problem

    • Cisco Secure endpoint application can go to a disabled or disconnected state due to process crash of sfc.exe, which could be related to unexpected windows shutdown or any other activity on windows.
    • Windows activates a debugging tool configured in the AeDebug registry values. Any program can be selected in advance as the tool to use in this situation. The chosen program is referred to as the postmortem debugger.

    Solution

    Download Procdump as the (AeDebug) postmortem debugger from sysinternals suite.

    Extract Procdump in c drive and create Dumps folder for crashdump collection as shown:

    Create Dumps Folder

    Set Procdump as AeDebugger:

    Procdump as aedebugger

    How to Use:

    • Launch CMD as Administrator.
    • Change to the directory where you unpacked procdump tool.
    • Command example: procdump64.exe -ma <PID | Process Name> or procdump64.exe -ma -i C:\Dumps

    Example for sfc.exe:

    procdump64.exe -accepteula -ma -e -x  c:\install %ProgramFiles%\Cisco\AMP\8.2.3.30119\sfc.exe

    It saves the crashdumps in the Dumps folder as shown. Collect and share it for analysis:

    Dumps

    To uninstall procdump use: procdump64.exe -u

    Uninstall procdump

    note-icon

    Note: Crash Dumps can consume large space on the disk and procdump can be stopped once collection is done.

    Although, you can also use the workaround to compress the size of the folder:

    1- Navigate to properties of the Dumps folder and check original size of the folder on the disk as shown :

    Dumps Folder Compression

    Size on Disk Before

    2- Navigate to Advanced option and enable compression and apply which takes several minutes:

    Advanced Compression

    3- In the end, you can see the folder size reduces to nearly half the orginal size as shown:

    Size on Disk After

    4- You can also use this command on Command prompt to achieve the same:

    compact /c /s:c:\install

    Revision History

    Revision Publish Date Comments
    1.0
    24-Mar-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Naveen Ojha
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products