Crash Dump Analysis Part 2: Memory Dump Files
In this series, you’ll be introduced to crash dump analysis: the examination of a Windows crash dump, the byproduct of a Blue Screen of Death (BSOD). In Part 1, we showed you the Windows Debugger found in the Windows SDK and how to install it. In this post, we discuss the memory dump files themselves in greater depth.
How To Find Memory Dumps On Windows 7 and Windows Server 2008 R2
By default, Windows 7 is configured to automatically restart after a system crash. Instead of the Blue Screen of Death (BSOD) you may have become accustomed to in older versions of Windows, the system simply reboots, unannounced, in the middle of your work.
The screenshot shows the Startup and Recovery options on a default installation of Windows Server 2008 R2. Notice that the system is configured to automatically restart. The same dialog sets the location of the dump file and which type of memory dump is written: Complete, Kernel, or Small.
What is the Difference Between a Complete, Kernel, and Small Memory Dump?
A complete memory dump contains all of the physical memory in use at the time of the crash, kernel-mode and user-mode alike, so it carries the most information. A kernel memory dump is smaller: it keeps only kernel-mode memory (the kernel, the HAL, and loaded drivers) and discards the memory of user-mode processes. The small memory dump (also known as a minidump) is very limited in size: no more than 64 KB on a 32-bit OS or 128 KB on a 64-bit OS. It contains the stop code and its parameters, the list of loaded drivers, the processor context, and information about the process and thread that were running when the system crashed, including the kernel-mode call stack. For the most basic troubleshooting, the minidump is enough.
Which Memory Dump Should You Use?
The size of the memory dump you’ll want to create depends on how much disk space you have and how much RAM you have. Understand that a complete memory dump really is all the memory in use at the time of the system crash. So if you’re configuring a complete memory dump on a server with 32 GB of RAM, you will need a paging file on the boot volume at least 1 MB larger than the amount of RAM (the extra megabyte holds the dump header), plus enough free disk space for a 32 GB MEMORY.DMP.
Considering the potential size of a complete memory dump, it is prudent to configure the system for kernel or small memory dumps, unless you need to troubleshoot a recurring problem that the smaller dumps do not give you enough information to solve.
Another consideration is the speed at which the dump is written. The system cannot reboot until the dump has been written completely, so if you’ve got a system that needs to be back up as quickly as possible, smaller dump files are the better choice.
But what is the easiest, smallest memory dump that still lets you do BSOD troubleshooting? If what you’re looking for most is a record of the blue screens, and a way to look at each one to get an idea of the cause, small memory dumps are enough.
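As an added example (not from the original post), the PowerShell below does what the Startup and Recovery dialog does, by writing the same registry values under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl that the dialog manages, and reports the minimum paging file the chosen type needs on the boot volume. The function names are my own; the value names and the CrashDumpEnabled codes (0 None, 1 Complete, 2 Kernel, 3 Small) are the ones Windows 7 and Server 2008 R2 use. Run it from an elevated PowerShell and reboot for the change to take effect.

```powershell
# Added example, not part of the original post. Writes the same CrashControl
# registry values that the Startup and Recovery dialog writes. Requires an
# elevated prompt; the new dump type takes effect after a reboot.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled codes on Windows 7 / Server 2008 R2.
$DumpTypeCode = @{ None = 0; Complete = 1; Kernel = 2; Small = 3 }

function Get-DumpTypeName([int]$Code) {
    foreach ($entry in $DumpTypeCode.GetEnumerator()) {
        if ($entry.Value -eq $Code) { return $entry.Key }
    }
    return "Unknown ($Code)"
}

# Minimum paging file, in MB, that the boot volume must hold for each type:
# Complete needs RAM + 1 MB (dump header); Small needs 2 MB; Kernel depends on
# how much kernel-mode memory is in use, so a third of RAM is only a rule of thumb.
function Get-MinimumPagingFileMB([string]$Type) {
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    switch ($Type) {
        'Complete' { $ramMB + 1 }
        'Kernel'   { [math]::Ceiling($ramMB / 3) }   # rule of thumb, not exact
        'Small'    { 2 }
        default    { 0 }
    }
}

function Get-CrashDumpConfig {
    $cc = Get-ItemProperty -Path $CrashControl
    $typeName = Get-DumpTypeName $cc.CrashDumpEnabled
    New-Object PSObject -Property @{
        DumpType        = $typeName
        AutoReboot      = [bool]$cc.AutoReboot        # 'Automatically restart'
        Overwrite       = [bool]$cc.Overwrite         # 'Overwrite any existing file'
        DumpFile        = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
        MinidumpDir     = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
        MinPagingFileMB = Get-MinimumPagingFileMB $typeName
    }
}

function Set-CrashDumpConfig {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('None', 'Complete', 'Kernel', 'Small')]
        [string]$Type,
        [bool]$AutoReboot = $true,   # the default the dialog ships with
        [bool]$Overwrite  = $true
    )
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value $DumpTypeCode[$Type] -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value ([int]$AutoReboot) -Type DWord
    Set-ItemProperty -Path $CrashControl -Name Overwrite  -Value ([int]$Overwrite)  -Type DWord
    Get-CrashDumpConfig
}

# Usage: a kernel dump is the usual compromise on a production server.
# Set-CrashDumpConfig -Type Kernel | Format-List
# Get-CrashDumpConfig | Format-List
```

Get-WmiObject is used rather than Get-CimInstance so the script also works on the PowerShell 2.0 that Windows 7 and Server 2008 R2 ship with.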
How To Create A Memory Dump For Testing
If you would like to try a little testing but don’t have a memory dump file, you can create one without much effort. There are a couple of ways to do it. First, you can use a keyboard shortcut to force a blue screen. You can also force a system crash from the Windows Debugger.
To Force a System Crash with the Keyboard:
- Use a PS/2 keyboard if you’re using Windows XP. Use a PS/2 or USB keyboard for later operating systems.
- Enable crash dumps through “advanced system properties”, then “startup and recovery options”.
- If you’re using Vista, Server 2003, or Server 2008, you can do this if you’ve got SP2 installed. If you don’t have SP2 installed, you can install a hotfix to enable this feature for Vista, Server 2003, or Server 2008.
- Create a new DWORD value called CrashOnCtrlScroll, set to 1, in the following location:
USB keyboard: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters
PS/2 keyboard: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters
After your next reboot, you can create a system crash dump by pressing and holding the right CTRL key, then pressing SCROLL LOCK twice. The resulting bugcheck is 0xE2 (MANUALLY_INITIATED_CRASH), which makes these test dumps easy to tell apart from real crashes.
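The registry steps above, scripted, as an added example that is not part of the original post. It creates the CrashOnCtrlScroll value for both keyboard drivers so the hotkey works whichever kind of keyboard is attached, warns if crash dumps are still set to “None” (the first step above), and includes the matching disable function. The function names are my own; the driver service names and the value name are Windows’. Run it elevated and reboot. Keep this to test machines: once enabled, anyone at the keyboard can bugcheck the system.

```powershell
# Added example, not part of the original post. Enables, checks or removes the
# CrashOnCtrlScroll hotkey for both keyboard drivers. Elevated prompt; reboot to
# apply. Test machines only: afterwards anyone at the keyboard can crash the box.
$KeyboardDrivers = @(
    'i8042prt',  # PS/2 keyboards
    'kbdhid'     # USB (HID) keyboards
)

function Get-CrashOnCtrlScroll {
    foreach ($driver in $KeyboardDrivers) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver\Parameters"
        $value = (Get-ItemProperty -Path $params -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
        New-Object PSObject -Property @{
            Driver  = $driver
            Enabled = ($value -eq 1)
        }
    }
}

function Enable-CrashOnCtrlScroll {
    # The hotkey only produces a dump if dumps are enabled in Startup and Recovery.
    $dumpType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl').CrashDumpEnabled
    if (-not $dumpType) {
        Write-Warning 'CrashDumpEnabled is 0: the system will crash, but no dump will be written.'
    }
    foreach ($driver in $KeyboardDrivers) {
        $service = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver"
        if (-not (Test-Path $service)) {
            Write-Warning "$driver is not installed on this system; skipping."
            continue
        }
        # The Parameters subkey is not always present; create it if needed.
        $params = Join-Path $service 'Parameters'
        if (-not (Test-Path $params)) { New-Item -Path $params -Force | Out-Null }
        Set-ItemProperty -Path $params -Name CrashOnCtrlScroll -Value 1 -Type DWord
    }
    Get-CrashOnCtrlScroll
}

function Disable-CrashOnCtrlScroll {
    foreach ($driver in $KeyboardDrivers) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver\Parameters"
        Remove-ItemProperty -Path $params -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
    }
    Get-CrashOnCtrlScroll
}

# Usage:
# Enable-CrashOnCtrlScroll     # then reboot, then Right CTRL + SCROLL LOCK twice
# Disable-CrashOnCtrlScroll    # when testing is finished
```

Disabling it again when you are done matters on anything that is not a lab box: the value is a standing denial-of-service trigger for anyone with physical keyboard access.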
To Force a System Crash with WinDbg:
- Start WinDbg.
- Begin Kernel Debugging by pressing CTRL+K, or select it from the File menu.
- Select the “Local” tab, and then connect
- Enter the command “.crash”
- If needed, enter the command “g” (for GO)
Note: There are some limitations to connecting
Where to Find a Memory Dump File
The typical place to find a memory dump file is the system root directory, such as “C:\Windows”. It is named “MEMORY.DMP”, and by default (“Overwrite any existing file”) each new complete or kernel dump replaces the previous one. Small memory dumps are stored in the Minidump directory under the system root, such as “C:\Windows\Minidump”. If that folder doesn’t exist, no minidump has been created there yet. Minidumps carry the date of the crash in the file name, so one file is kept for each crash.
If you cannot find a memory dump there, check the configured location in the advanced system properties. The executable that displays that dialog is “SystemPropertiesAdvanced.exe”; type that into PowerShell, Cmd, or the Start Menu search and you will get the configuration dialog. Click the “Startup and Recovery” button to see where memory dumps are written.
Why Is There No Memory Dump File?
If you can’t find a memory dump file, and the system is blue screening, here are some reasons that it may not be creating one:
- Creating a crash dump file is not enabled (“None” is selected in the System Failure section of the Startup and Recovery properties)
- The paging file is on a different partition from the boot volume where the OS is installed
- The paging file is too small for the configured dump type
- There is no paging file at all
- The system crash is happening too early in the boot process
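A read-only check for the reasons in the list above, as an added example that is not part of the original post. It reads the CrashControl configuration, looks at the paging files actually in use (Win32_PageFileUsage reports them even when they are system-managed), compares the one on the boot volume against the minimum the configured dump type needs, and lists whatever dumps already exist. The function name and the “about a third of RAM” estimate for kernel dumps are my own assumptions; the registry and WMI names are Windows’. The last reason, a crash too early in boot, cannot be detected from a running system and is left out.

```powershell
# Added example, not part of the original post. Read-only diagnosis of why a
# crashing Windows 7 / Server 2008 R2 system leaves no dump behind. Run elevated.
function Test-CrashDumpReadiness {
    $cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $os    = Get-WmiObject Win32_OperatingSystem
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $systemDrive = $os.SystemDrive   # e.g. "C:", the boot volume
    $problems = @()

    # Reason 1: "None" selected in the Startup and Recovery dialog.
    if (-not $cc.CrashDumpEnabled) {
        $problems += 'Crash dumps are disabled (CrashDumpEnabled = 0).'
    }

    # Reasons 2-4: paging file missing, on another partition, or too small.
    $pageFiles    = @(Get-WmiObject Win32_PageFileUsage)   # Name, AllocatedBaseSize (MB)
    $bootPageFile = $pageFiles | Where-Object { $_.Name -like "$systemDrive\*" } | Select-Object -First 1
    if ($pageFiles.Count -eq 0) {
        $problems += 'No paging file at all.'
    } elseif (-not $bootPageFile) {
        $names = ($pageFiles | ForEach-Object { $_.Name }) -join ', '
        $problems += "No paging file on the boot volume $systemDrive (found: $names)."
    } else {
        # Minimum on the boot volume: Complete = RAM + 1 MB, Small = 2 MB,
        # Kernel varies with kernel-mode memory (a third of RAM as a rule of thumb).
        $needMB = switch ([int]$cc.CrashDumpEnabled) {
            1       { $ramMB + 1 }
            2       { [math]::Ceiling($ramMB / 3) }
            3       { 2 }
            default { 0 }
        }
        if ($bootPageFile.AllocatedBaseSize -lt $needMB) {
            $problems += "Paging file $($bootPageFile.Name) is $($bootPageFile.AllocatedBaseSize) MB; the configured dump type needs about $needMB MB."
        }
    }

    # Where the dumps should be, and what is already there.
    $dumpFile    = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
    $minidumpDir = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
    $minidumps   = @()
    if ($minidumpDir -and (Test-Path $minidumpDir)) {
        $minidumps = @(Get-ChildItem -Path $minidumpDir -Filter *.dmp |
                       Sort-Object LastWriteTime -Descending |
                       ForEach-Object { $_.Name })
    }

    New-Object PSObject -Property @{
        DumpTypeCode   = $cc.CrashDumpEnabled
        DumpFile       = $dumpFile
        DumpFileExists = [bool]($dumpFile -and (Test-Path $dumpFile))
        MinidumpDir    = $minidumpDir
        Minidumps      = $minidumps
        PagingFilesMB  = @($pageFiles | ForEach-Object { "$($_.Name)=$($_.AllocatedBaseSize)" })
        Problems       = $problems
    }
}

# Usage: Test-CrashDumpReadiness | Format-List
```

An empty Problems list with no files present points at the remaining cause, a crash before the crash-dump path is initialized, which is covered next.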
When your system is rebooting on its own, or a user you’re supporting reports system crashes, you need to get your hands on the memory dump file. Check the Startup and Recovery section of the Advanced System Properties window to make sure the system is configured to save memory dumps. Make sure there is a large enough paging file on the same partition the system is installed on. Then you should be able to find the memory dump files in either the Windows directory or the Windows\Minidump directory.
Finally, understand that the system can only save a crash dump if it gets far enough along in the boot process. In cases where the system will not boot at all, and no dump file is created even though dumps are configured, you’ll need to enable boot logging and/or troubleshoot the system from Safe Mode or an ERD Commander boot image.