Dump With FREB

Adrian Jenkins
3 min read · Jun 2, 2022

In this article we will learn how to capture FREB trace files and a process dump at the same time.

Prerequisites

  • Install Failed Request Tracing Module

Install-WindowsFeature -name Web-Http-Tracing

After downloading ProcDump, do the following:

  1. Unzip it and copy the “procdump.exe”
  2. Create a folder called “procdump” at C drive level => “C:\procdump”
  3. Paste the “procdump.exe” in that folder

This is the path where FREB will find the procdump executable.

  • Create a folder called “generated_dumps” at C drive level => “C:\generated_dumps”

This is where the generated dumps will be written.

In this example I will create a FREB rule that generates a trace file if a request takes at least 8 seconds. In addition, FREB will be configured to run a custom action when the time-taken trigger is met: it will generate a dump.

Go to your site/application where you want to set the FREB rule and create your rule normally.

Now we need to allow the Failed Request Tracing Module to accept custom actions.

Go to the server level:

  • Configuration Editor > system.applicationHost/sites > Collection > … > Select Your Site > traceFailedRequestsLogging > customActionsEnabled : True

Close window and in the Actions pane click “apply”.

We have just allowed the Failed Request Tracing Module to run custom actions.

Now, go to your site where you created the rule:

  • Configuration Editor > system.webServer/tracing/traceFailedRequests > Collection > … > Select the rule that you have created

Here, fill in the following attributes: the path of the executable, its command-line parameters including the path where the dumps should be stored, and the limit for this custom action:

  • customActionExe : C:\procdump\procdump.exe
  • customActionParams : -accepteula -ma %1% C:\generated_dumps
  • customActionTriggerLimit : 3 (it will generate a maximum of three dumps)

The “%1%” is vital: FREB replaces it with the PID of the w3wp.exe worker process that hit the trigger, which is how procdump knows which process to dump.

Close window and in the Actions pane click “apply”.
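The steps above as one script, added here as an example and not taken from the article: it applies the same settings with the IIS WebAdministration cmdlets instead of Configuration Editor. The site name “Default Web Site”, the rule path “*” and the trace areas are assumptions; adjust them to your site.

```powershell
# Added example (not from the article): FREB rule + ProcDump custom action via WebAdministration.
# Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$siteName = 'Default Web Site'        # assumption: replace with your site
$rulePath = '*'                       # assumption: the rule's request path (e.g. '*.aspx')
$procdump = 'C:\procdump\procdump.exe'
$dumpDir  = 'C:\generated_dumps'
$appHost  = 'MACHINE/WEBROOT/APPHOST'

# Folders from the prerequisites; procdump.exe itself is copied in by hand.
# A full dump (-ma) contains all w3wp.exe memory (session data, connection strings),
# so keep the ACL on the dump folder restricted to the people who need it.
New-Item -ItemType Directory -Path (Split-Path $procdump), $dumpDir -Force | Out-Null

# Server level: enable FREB for the site and allow custom actions
# (Configuration Editor: system.applicationHost/sites > site > traceFailedRequestsLogging).
$logging = "system.applicationHost/sites/site[@name='$siteName']/traceFailedRequestsLogging"
Set-WebConfigurationProperty -PSPath $appHost -Filter $logging -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter $logging -Name 'customActionsEnabled' -Value $true

# Site level: the rule, removed first so the script can be run again
# (Configuration Editor: system.webServer/tracing/traceFailedRequests).
$rules = 'system.webServer/tracing/traceFailedRequests'
Remove-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $rules -Name '.' `
    -AtElement @{ path = $rulePath } -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $rules -Name '.' -Value @{
    path                     = $rulePath
    customActionExe          = $procdump
    customActionParams       = "-accepteula -ma %1% $dumpDir"   # %1% = PID of the w3wp.exe that hit the trigger
    customActionTriggerLimit = 3                                # at most three dumps; change it to reset the count
}

$rule = "$rules/add[@path='$rulePath']"
# Trace provider and areas to record (assumed choice: WWW Server, verbose).
Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/traceAreas" -Name '.' `
    -Value @{ provider = 'WWW Server'; areas = 'Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module'; verbosity = 'Verbose' }
# Trigger: any request that takes 8 seconds or longer.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter "$rule/failureDefinitions" -Name 'timeTaken' -Value '00:00:08'

# Show the resulting rule so the custom action settings can be checked.
Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter $rule |
    Select-Object path, customActionExe, customActionParams, customActionTriggerLimit
```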

Reproduce the issue and voilà, the dumps appear in C:\generated_dumps.

Because we set the custom action limit to three, at most three dumps will be written.

That is it.

If you want to reset the count, you have to edit “customActionTriggerLimit”, set another number and save it. Deleting the dumps alone is not enough.
