Keywords: system exception, memory dump, the WinDbg tool.

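1. Why dump memory

Systems run into all kinds of problems. Some come from program design that did not consider every case, which leads to program exceptions; others come from the system itself. So when the system crashes or an exception occurs, how do we obtain the system's context, give an accurate diagnosis, and then propose a resolution?

The crashes and exceptions we mean here cover many situations: a process consuming large amounts of resources, a process with low performance, a program crashing, and so on. To work on any of them we need the context of the process at the moment the exception occurred, so we capture a snapshot of that process. The way to capture a snapshot at the moment of the exception is to dump the memory of the process at that time.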

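2. How to dump memory

This section introduces one way to dump memory: the .dump command in WinDbg. When a program raises an exception, this command lets us snapshot the context of the process at the moment of the exception.

The procedure is:

When the program raises an exception, or before it does, attach WinDbg to the specific process in which the exception will occur. Then, in the WinDbg command window, type g or press F5 to let the program execute. If all goes as expected, the exception occurs, and we can then use the .dump command to capture the snapshot. The following section describes the usage of the .dump command.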

.dump (Create Dump File)

The .dump command creates a user-mode or kernel-mode crash dump file.

Syntax

.dump Options FileName 
.dump /?

Parameters

Options
Represents one or more of the following options:

/o
Overwrites an existing dump file with the same name. If this option is not used and there is a file with the same file name, the dump file is not written.
/f
(Kernel mode:) Creates a complete memory dump.

(User mode:) Creates a full user-mode dump. Despite their names, the largest minidump file actually contains more information than a full user-mode dump. For example, .dump /mf or .dump /ma creates a larger and more complete file than .dump /f. In user mode, .dump /m[MiniOptions] is always preferable to .dump /f.

/m[MiniOptions]
Creates a small memory dump (in kernel mode) or a minidump (in user mode). If neither /f nor /m is specified, /m is the default.

In user mode, /m can be followed with additional MiniOptions specifying extra data to be included in the dump. If no MiniOptions are included, the dump will include module, thread, and stack information, but no additional data. You can add any of the following MiniOptions to change the contents of the dump file; they are case-sensitive.

MiniOption Effect
a Creates a minidump with all optional additions. The /ma option is equivalent to /mfFhut — it adds full memory data, handle data, unloaded module information, basic memory information, and thread time information to the minidump.
f Adds full memory data to the minidump. All accessible committed pages owned by the target application will be included.
F Adds all basic memory information to the minidump. This adds a stream to the minidump that contains all basic memory information, not just information about valid memory. This allows the debugger to reconstruct the complete virtual memory layout of the process when the minidump is being debugged.
h Adds data about the handles associated with the target application to the minidump.
u Adds unloaded module information to the minidump. This is available only in Windows Server 2003 and later versions of Windows.
t Adds additional thread information to the minidump. This includes thread times, which can be displayed by using the !runaway extension or the .ttime (Display Thread Times) command when debugging the minidump.
i Adds secondary memory to the minidump. Secondary memory is any memory referenced by a pointer on the stack or backing store, plus a small region surrounding this address.
p Adds process environment block (PEB) and thread environment block (TEB) data to the minidump. This can be useful if you need access to Windows system information regarding the application's processes and threads.
w Adds all committed read-write private pages to the minidump.
d Adds all read-write data segments within the executable image to the minidump.
c Adds code sections within images.
r Deletes from the minidump those portions of the stack and store memory that are not useful for recreating the stack trace. Local variables and other data type values are deleted as well. This option does not make the minidump smaller (because these memory sections are simply zeroed), but it is useful if you want to protect the privacy of other applications.
R Deletes the full module paths from the minidump. Only the module names will be included. This is a useful option if you want to protect the privacy of the user's directory structure.

These MiniOptions can only be used when creating a user-mode minidump. They should follow the /m specifier.

/u
Appends the date, time, and PID to the dump file names. This ensures that dump file names are unique.
/a
Generates dumps for all currently-debugged processes. If /a is used, the /u option should also be used to ensure that each file has a unique name.
/b[a]
Creates a .cab file. If this option is included, FileName is interpreted as the CAB file name, not the dump file name. A temporary dump file will be created, this file will be packaged into a CAB, and then the dump file will be deleted. If the b option is followed by a, all symbol and image files also will be packaged into the CAB.
/c "Comment"
Specifies a comment string that will be written to the dump file. If Comment contains spaces, it must be enclosed in double quotes. When the dump file is loaded, the Comment string will be displayed.
/xc Address
(User mode minidumps only) Adds a context record to the dump file. Address must specify the address of the context record.
/xr Address
(User mode minidumps only) Adds an exception record to the dump file. Address must specify the address of the exception record.
/xp Address
(User mode minidumps only) Adds a context record and an exception record to the dump file. Address must specify the address of an EXCEPTION_POINTERS structure which contains pointers to the context record and the exception record.
/xt ThreadID
(User mode minidumps only) Specifies the thread ID of the system thread that will be used as the exception thread for this dump file.
/kpmf File
(Only when creating a kernel-mode Complete Memory Dump) Specifies a file that contains physical memory page data.

FileName
Specifies the name of the dump file. You can specify a full path and file name or just the file name. If the file name contains spaces, FileName should be enclosed in quotation marks. If no path is specified, the current directory is used.

-?
Displays help for this command. This text is different in kernel mode and in user mode.

Environment

Modes: user mode, kernel mode
Targets: live, crash dump
Platforms: all

Comments

This command can be used in a variety of situations:

  • During live user-mode debugging, this command directs the target application to generate a dump file, but the target application does not terminate.
  • During live kernel-mode debugging, this command directs the target computer to generate a dump file, but the target computer does not crash.
  • During crash dump debugging, this command creates a new crash dump file from the old one. This is useful if you have a large crash dump file and want to create a smaller one.

You can control what type of dump file will be produced:

  • In kernel mode, to produce a complete memory dump, use the /f option. To produce a small memory dump, use the /m option (or no options). The .dump command cannot produce a kernel memory dump.
  • In user mode, .dump /m[MiniOptions] is the best choice. Although "m" stands for "minidump", the dump files created by using this MiniOption can vary in size from very small to very large. By specifying the proper MiniOptions you can control exactly what information is included. For example, .dump /ma produces a dump with a great deal of information. The older command, .dump /f, produces a moderately large "standard dump" file and cannot be customized.

You cannot specify which process is dumped. All running processes will be dumped.

The /xc, /xr, /xp, and /xt options are used to store exception and context information in the dump file. This allows .ecxr (Display Exception Context Record) to be run on this dump file.

The following example will create a user-mode minidump, containing full memory and handle information:

0:000> .dump /mfh myfile.dmp

Handle information can be read by using the !handle extension command.
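
The MiniOptions decide how much of the process ends up in the file, and r and R exist specifically for privacy, so it is worth checking a dump before it leaves the machine. The following is an added example, not part of the original post or of WinDbg: it reads the MINIDUMP_HEADER flags and the stream directory of a user-mode minidump. The pairing of MINIDUMP_TYPE bits with MiniOption letters, the function names, and the sample bytes are assumptions constructed for illustration.

```python
import struct

HEADER = struct.Struct("<4sIIIIIQ")  # MINIDUMP_HEADER: 32 bytes, Flags is last
DIRENT = struct.Struct("<III")       # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva

# MINIDUMP_TYPE bit -> .dump MiniOption letter. Bit values are dbghelp's;
# the letter pairing is an assumption read off the option descriptions.
FLAGS = {0x0001: "d", 0x0002: "f", 0x0004: "h", 0x0008: "r", 0x0020: "u",
         0x0040: "i", 0x0080: "R", 0x0100: "p", 0x0200: "w", 0x0800: "F",
         0x1000: "t", 0x2000: "c"}
STREAMS = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList", 6: "Exception",
           7: "SystemInfo", 9: "Memory64List", 12: "HandleData",
           14: "UnloadedModuleList", 16: "MemoryInfoList", 17: "ThreadInfoList"}
BULK = set("fwdi")  # options that add memory beyond thread stacks


def triage_minidump(data: bytes) -> dict:
    """Report what a user-mode minidump carries, from header and directory."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, _ver, count, dir_rva, _sum, _ts, flags = HEADER.unpack_from(data, 0)
    if sig != b"MDMP":
        raise ValueError("no MDMP signature: not a user-mode minidump")
    if dir_rva + count * DIRENT.size > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(count):
        stype, _size, _rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        streams.append(STREAMS.get(stype, f"type {stype}"))
    letters = "".join(opt for bit, opt in sorted(FLAGS.items()) if flags & bit)
    return {
        "options": letters,
        "streams": streams,
        "bulk_memory": bool(BULK & set(letters)),
        "privacy_filtered": "r" in letters and "R" in letters,
    }


def build_sample(flags: int, stream_types: list) -> bytes:
    """Constructed header and directory only (no stream bodies), for the demo."""
    head = HEADER.pack(b"MDMP", 0xA793, len(stream_types), HEADER.size, 0, 0, flags)
    return head + b"".join(DIRENT.pack(t, 0, 0) for t in stream_types)


if __name__ == "__main__":
    # Constructed stand-in for the header of `.dump /mfh myfile.dmp`
    print(triage_minidump(build_sample(0x0002 | 0x0004, [3, 4, 9, 12])))
```

Flag bits outside the table are ignored, so a header written with additional MINIDUMP_TYPE flags still parses.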

Reposted from: https://www.cnblogs.com/Winston/archive/2008/06/06/1215286.html
