Last Update: Sep 04, 2024 | Published: Jan 09, 2012
In this series, you’ll be introduced to crash dump analysis. Crash dump analysis is the examination of a Windows Crash Dump, the byproduct of Blue Screen of Death (BSOD). In Part 1, we showed you the Windows Debugger found in the Windows SDK and how to install it. In this post, we will discuss the memory dump files in a greater depth.
By default, Windows 7 is configured to automatically reboot on a system crash. Instead of the typical Blue Screen of Death (BSOD) you may have become accustomed to in older versions of Windows, the system just performs an unannounced reboot in the middle of your work.
This picture shows the Startup and Recovery options on a default installation of Windows Server 2008 R2. Notice that the system is configured to automatically restart. Also, there are options for the location of the dump file and for which type of memory dump file is written: Complete, Kernel, or Small.
A complete memory dump is all of the memory in use by all processes at the time of the crash. It has the most available information within it. The kernel dump is smaller, keeping only the memory in use by code running in kernel mode. The small dump (also known as a Mini-dump) is very limited in size. It will be no more than 64 KB (for a 32-bit OS) or 128 KB (64-bit OS). The small dump contains a list of processes running, drivers loaded, and the stop code. The Mini-dump is enough for the most basic troubleshooting.
The size of the memory dump you’ll want to create is dependent on how much hard drive space you have, and how much RAM you have. Understand that a complete memory dump is really all the memory in use at the time of the system crash. So if you’re configuring a complete memory dump on a server with 32 GB of RAM, you will need a paging file at least a little larger than the amount of RAM, and available hard drive space to accommodate a 32 GB memory dump.
Considering the potential size of a complete memory dump, it seems prudent to configure the system for kernel mode dumps or small memory dumps, unless you need to troubleshoot a recurring problem that the smaller memory dumps are not allowing you to troubleshoot.
Another consideration about the size of the memory dump is the speed in which it is written. Since the system cannot reboot until the memory dump is completely written, if you’ve got a system that needs to be back as quickly as possible, it may benefit you to use smaller dump files.
But what is the easiest, and smallest memory dump file that will let you do BSOD troubleshooting? If what you’re looking for most is a record of the blue screens, and looking at them to get an idea of the cause, that can be accomplished with the small memory dumps.
If you would like to try doing a little testing, but you don’t have a memory dump file, you can create one without much effort. There are a couple of ways to create one. First, you can use a keyboard shortcut to force a blue screen. You can also force a system crash by using the Windows Debugger.
To Force a System Crash with the Keyboard:
After your next reboot, you can create a system crash dump by pressing and holding the right CTRL key, then pressing Scroll Lock twice.
To Force a System Crash with WinDbg:
Note: There are some limitations to connecting
The typical place to find a memory dump file is in the system root directory, such as “C:\Windows”. It has the name “Memory.dmp”. Small memory dumps are usually stored in the Minidump directory of the system root, like “C:\Windows\Minidump”. If that folder doesn’t exist, then no mini-dumps have been created there yet. Mini-dumps have the date they happened in the file name, so there will be one for each crash saved in the mini-dump location.
If you cannot find a memory dump there, you will need to check the location by getting back into the advanced system properties. The actual name of the executable that displays that information is called “SystemPropertiesAdvanced.exe”, and if you type that into PowerShell, Cmd, or search for it from the Start Menu you will get to the configuration dialog. After clicking the “Startup and Recovery” button you can see the location of the memory dumps.
If you can’t find a memory dump file, and the system is blue screening, here are some reasons that it may not be creating one:
When your system is rebooting on its own, or a user you’re supporting is reporting system crashes, you need to get your hands on the memory dump file. Check the Startup and Recovery section of the Advanced System Properties window to make sure your system is configured to save memory dumps. Add enough paging file on the same partition the system is installed on. Then you should be able to easily find the memory dump files in either the Windows directory or the Windows\Minidump directory.
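As an added example (not from the original article), this PowerShell script reads the same Startup and Recovery settings from the CrashControl registry key, lists any minidumps already written, and checks the page file on the system partition against installed RAM; it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not from the original article: audit the Startup and Recovery
# settings described above and check the page file against installed RAM.
# Assumes PowerShell 3.0 or later (Get-CimInstance) and an elevated session.

$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump),
# 7 = automatic (Windows 8 / Server 2012 and later)
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$dumpType  = $dumpTypes[[int]$cc.CrashDumpEnabled]
if (-not $dumpType) { $dumpType = "Unknown ($($cc.CrashDumpEnabled))" }

# DumpFile and MinidumpDir are REG_EXPAND_SZ (e.g. %SystemRoot%\MEMORY.DMP);
# expanding again is harmless if Get-ItemProperty already did it.
$dumpFile    = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)
$minidumpDir = [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir)

"Dump type      : $dumpType"
"Auto reboot    : $(if ($cc.AutoReboot -eq 1) { 'Yes' } else { 'No' })"
"Dump file      : $dumpFile (exists: $(Test-Path $dumpFile))"
"Minidump dir   : $minidumpDir"

# One minidump per crash, stamped with the crash date in the file name
if (Test-Path $minidumpDir) {
    Get-ChildItem -Path $minidumpDir -Filter '*.dmp' |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, @{ n = 'SizeKB'; e = { [math]::Round($_.Length / 1KB) } } |
        Format-Table -AutoSize
} else {
    "No minidump folder yet, so no small dumps have been written."
}

# A complete dump needs a page file on the system partition a little larger than
# RAM, plus free disk space for the dump file itself.
$sysDrive = $env:SystemDrive
$ramMB    = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageMB   = (Get-CimInstance Win32_PageFileUsage |
             Where-Object { $_.Name -like "$sysDrive*" } |
             Measure-Object AllocatedBaseSize -Sum).Sum
$freeMB   = [math]::Round((Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$sysDrive'").FreeSpace / 1MB)

"RAM            : $ramMB MB"
"Page file ($sysDrive) : $pageMB MB"
"Free on $sysDrive     : $freeMB MB"
if ($dumpType -eq 'Complete' -and (-not $pageMB -or $pageMB -le $ramMB)) {
    "WARNING: complete dump configured but the $sysDrive page file is not larger than RAM; the dump may not be written."
}
```

If the dump type, paths and page file all check out but no file ever appears, the remaining causes are the ones the post lists next: the system is not getting far enough into boot to write one.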
Finally, understand that the system can only save the crash dump if it’s far enough along in the boot process. In cases where the system will not boot at all, and no log file is created even though it’s configured, you’ll need to enable boot logging and/or troubleshoot the system from safe mode or an ERD Commander boot image.