How to collect KSWS dumps [Kaspersky Security for Windows Server]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Some issues with KSWS/KESS/KICS4Nodes may require a process dump to analyze. It is fairly easy to collect. 

Crash dumps

KSWS/KESS/KICS4Nodes does not create crash dumps by default. It should be enabled before reproducing the issue.

Using KSC console

1. Open KSC console and navigate to the affected server.
2. Open its properties.
3. Switch to the Applications tab.
4. Open KSWS properties.
5. In the new window navigate to the Malfunction diagnosis tab.
6. Mark Create dump file checkbox.
7. Specify Dump file folder.

Using KSWS command line

1. Start elevated command prompt.

2. Execute KAVSHELL DUMP command. More info about the syntax is here https://support.kaspersky.com/KSWS/11/en-US/146721.htm.

   Example where automatic dumps will be saved to C:\Dumps

   KAVSHELL DUMP /ON /F:"C:\Dumps"

Manual dumps

Manual dump files are usually required when the process does not crash, just hangs or consumes a large amount of CPU time. There are two ways to collect manual dumps. Keep in mind that there are multiple executables, and we need all dumps from all of them. There are always one kavfs.exe and at least one kavfswp.exe (number depends on load and settings).

Using Windows Task Manager

1. Start Task Manager
2. Switch to the Details tab
3. Right-click on the image name
4. Select Create dump file
5. Repeat for every running KSWS/KESS/KICS4Nodes process

Using KSWS command line

1. Start an elevated command prompt.

2. Execute KAVSHELL DUMP command. More info about the syntax is here https://support.kaspersky.com/KSWS/11/en-US/146721.htm.

   Example where process with ID 1234 is dumped to C:\Dumps

   KAVSHELL DUMP /SNAPSHOT /F:C:\Dumps /P:1234