Memory dumps

A memory dump records the contents of system memory, or a smaller set of debugging information, at the moment your computer stops unexpectedly (known as a "blue screen," system crash, or bug check).

Windows can generate three kinds of dump:

Kernel memory dump (between 150 MB and 2 GB)
Small memory dump (64 KB)
Complete memory dump (physical RAM + 1 MB)

Kernel memory dump
A kernel memory dump records only the kernel memory. For 32-bit systems, kernel memory is usually between 150 MB and 2 GB. Additionally, on Windows 2003 and Windows XP, the page file must be on the boot volume; otherwise, a memory dump cannot be created.

Small memory dump
A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly.

This dump file type includes the following information:
• The Stop message, its parameters, and other data
• A list of loaded drivers
• The processor context (PRCB) for the processor that stopped
• The process information and kernel context (EPROCESS) for the process that stopped
• The process information and kernel context (ETHREAD) for the thread that stopped
• The kernel-mode call stack for the thread that stopped

Complete memory dump
A complete memory dump may contain data from processes that were running when the memory dump was collected.

If you select the Complete memory dump option, you must have a paging file on the boot volume that is sufficient to hold all the physical RAM plus 1 megabyte (MB).

Configure the dump type
1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, and then click System.
3. On the Advanced tab, click Settings under Startup and Recovery.
NOTE: You must restart Windows for your changes to take effect.

Registry location

The default path is C:\Windows\MEMORY.DMP or %SystemRoot%\MEMORY.DMP.

Change the dump file location in Startup and Recovery
1. Right-click Computer, click Properties, and then click Advanced system settings.
2. Under the Advanced tab, click the Settings button under Startup and Recovery.
3. In the Write debugging information list, select the dump type, and then enter the new location in the Dump file box.

Note: The default path for small memory dumps is C:\Windows\Minidump or %SystemRoot%\Minidump.

Using the command line
Open an elevated command prompt, then run:
wmic RECOVEROS get DebugFilePath              (shows the current default dump file location)
wmic RECOVEROS set DebugFilePath="file path"  (changes the default dump file location)
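The settings touched by the Startup and Recovery dialog and by the wmic commands above can also be audited in one pass. The following PowerShell script is an added example and is not part of the original post: it reads the Win32_OSRecoveryConfiguration class (the WMI class behind the wmic RECOVEROS alias), maps the numeric dump type back to the names listed at the top of the post, expands the stored paths, and checks whether the paging file on the boot volume meets the "physical RAM + 1 MB" requirement that a complete memory dump needs. The class and property names are standard Windows WMI names assumed here; the post itself only shows the wmic alias.

```powershell
# Added example, not from the original post. Reads the crash-dump configuration through
# Win32_OSRecoveryConfiguration (the WMI class behind "wmic RECOVEROS") and checks the
# paging-file requirement for a complete memory dump. Property names are assumed from the
# standard WMI class definition; the post only shows the wmic alias.
function Get-CrashDumpConfiguration {
    # DebugInfoType codes: 0 none, 1 complete, 2 kernel, 3 small (7 = automatic on newer Windows)
    $dumpTypeNames = @{
        0 = 'None'
        1 = 'Complete memory dump'
        2 = 'Kernel memory dump'
        3 = 'Small memory dump'
        7 = 'Automatic memory dump'
    }

    $recovery = Get-CimInstance -ClassName Win32_OSRecoveryConfiguration
    $typeCode = [int]$recovery.DebugInfoType
    $typeName = $dumpTypeNames[$typeCode]
    if (-not $typeName) { $typeName = "Unknown ($typeCode)" }

    # Stored paths normally contain %SystemRoot%; expand them to compare with the defaults.
    $dumpFile    = [Environment]::ExpandEnvironmentVariables($recovery.DebugFilePath)
    $minidumpDir = [Environment]::ExpandEnvironmentVariables($recovery.MiniDumpDirectory)

    # Physical RAM in MB (rounded up) and the paging file(s) that live on the boot volume.
    $ramMB = [math]::Ceiling((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $bootPageFiles = Get-CimInstance -ClassName Win32_PageFileUsage |
        Where-Object { $_.Name -like "$($env:SystemDrive)*" }
    $bootPageFileMB = 0
    foreach ($pf in $bootPageFiles) { $bootPageFileMB += [int]$pf.AllocatedBaseSize }

    # A complete dump needs a paging file on the boot volume of at least RAM + 1 MB.
    $completeDumpPossible = $bootPageFileMB -ge ($ramMB + 1)
    if ($typeCode -eq 1 -and -not $completeDumpPossible) {
        Write-Warning "Complete memory dump selected, but the boot-volume paging file is $bootPageFileMB MB; at least $($ramMB + 1) MB is required."
    }

    [pscustomobject]@{
        DumpType             = $typeName
        DumpFile             = $dumpFile
        MinidumpDirectory    = $minidumpDir
        OverwriteExisting    = [bool]$recovery.OverwriteExistingDebugFile
        AutoReboot           = [bool]$recovery.AutoReboot
        PhysicalRamMB        = [int]$ramMB
        BootPageFileMB       = $bootPageFileMB
        CompleteDumpPossible = $completeDumpPossible
    }
}

# Run from an elevated PowerShell prompt:
Get-CrashDumpConfiguration | Format-List
```

The warning only fires for the Complete setting because that is the one the post ties to the paging-file size; the kernel and small dump types are reported but not checked against a size rule.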

Tools to read the small memory dump file
Dumpchk is a command-line utility you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols.

You can download the Debugging Tools for Windows from the Microsoft website.

Dumpchk has the following command-line switches:

   DUMPCHK [options] <CrashDumpFile>

     -?         Display the command syntax.
     -p         Prints the header only (with no validation).
     -v         Specifies verbose mode.
     -q         Performs a quick test. Not available in Windows 2000.

   Additional switches that are only available in the Windows 2000 version of Dumpchk.exe:

     -c         Do dump validation.
     -x         Extra file validation. Takes several minutes.
     -e         Do dump exam.
     -y <Path>  Set the symbol search path for dump exam. If the symbol search path is empty, the CD-ROM is used for symbols.
     -b <Path>  Set the image search path for dump exam. If the symbol search path is empty, <SystemRoot>\system32 is used for symbols.
     -k <File>  Set the name of the kernel to File.
     -h <File>  Set the name of the hal to File.
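To show what a header-only check such as "dumpchk -p" looks at, here is an added PowerShell function that is not part of the original post and does not use Dumpchk. It reads the first 0x60 bytes of a kernel crash dump (MEMORY.DMP or a file from the Minidump folder), verifies the "PAGE" signature and the "DUMP"/"DU64" marker, and extracts the bug check code and its four parameters without loading any symbols. The field offsets are assumptions taken from the DUMP_HEADER / DUMP_HEADER64 layout known from public symbols; the post does not describe the file format.

```powershell
# Added example, not from the original post and not part of Dumpchk. Header-only check of a
# Windows kernel crash dump. Assumed layout (DUMP_HEADER / DUMP_HEADER64, from public symbols):
#   0x00  Signature     "PAGE"
#   0x04  ValidDump     "DUMP" (32-bit header) or "DU64" (64-bit header)
#   0x08  MajorVersion, 0x0C MinorVersion
#   32-bit: 0x20 MachineImageType, 0x24 NumberProcessors, 0x28 BugCheckCode, 0x2C.. four ULONG params
#   64-bit: 0x30 MachineImageType, 0x34 NumberProcessors, 0x38 BugCheckCode, 0x40.. four ULONG64 params
function Get-CrashDumpHeader {
    param([Parameter(Mandatory = $true)][string]$Path)

    $buf = New-Object byte[] 0x60
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try     { $read = $stream.Read($buf, 0, $buf.Length) }
    finally { $stream.Dispose() }
    if ($read -lt $buf.Length) { throw "File is too short to hold a crash dump header: $Path" }

    $ascii     = [System.Text.Encoding]::ASCII
    $signature = $ascii.GetString($buf, 0, 4)
    $validDump = $ascii.GetString($buf, 4, 4)
    if ($signature -ne 'PAGE') {
        throw "Not a kernel crash dump (signature '$signature', expected 'PAGE'): $Path"
    }

    switch ($validDump) {
        'DUMP' {
            $architecture = '32-bit'
            $machineType  = [BitConverter]::ToUInt32($buf, 0x20)
            $processors   = [BitConverter]::ToUInt32($buf, 0x24)
            $bugCheckCode = [BitConverter]::ToUInt32($buf, 0x28)
            $parameters   = @(0..3 | ForEach-Object { [uint64][BitConverter]::ToUInt32($buf, 0x2C + 4 * $_) })
        }
        'DU64' {
            $architecture = '64-bit'
            $machineType  = [BitConverter]::ToUInt32($buf, 0x30)
            $processors   = [BitConverter]::ToUInt32($buf, 0x34)
            $bugCheckCode = [BitConverter]::ToUInt32($buf, 0x38)
            $parameters   = @(0..3 | ForEach-Object { [BitConverter]::ToUInt64($buf, 0x40 + 8 * $_) })
        }
        default { throw "Unrecognised ValidDump marker '$validDump' in $Path" }
    }

    [pscustomobject]@{
        Path               = $Path
        Architecture       = $architecture
        HeaderVersion      = ('{0}.{1}' -f [BitConverter]::ToUInt32($buf, 0x08), [BitConverter]::ToUInt32($buf, 0x0C))
        MachineImageType   = ('0x{0:X4}' -f $machineType)   # 0x014C = x86, 0x8664 = x64
        Processors         = $processors
        BugCheckCode       = ('0x{0:X8}' -f $bugCheckCode)
        BugCheckParameters = @($parameters | ForEach-Object { '0x{0:X}' -f $_ })
    }
}

# Example: inspect the default kernel dump location named in the post.
Get-CrashDumpHeader -Path "$env:SystemRoot\MEMORY.DMP"
```

Because it reads only the header, the function is useful as a quick triage step (is this really a dump, which stop code, which architecture) before spending time loading the file with symbols in windbg or kd; it does not validate the rest of the file the way Dumpchk's -c or -x switches do.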

Open the dump file
1. Click Start, click Run, type cmd, and then click OK.
2. Change to the Debugging Tools for Windows folder. To do this, type the following at the command prompt, and then press ENTER:
   cd c:\program files\debugging tools for windows
3. To load the dump file into a debugger, type one of the following commands, and then press ENTER:
   windbg -y SymbolPath -i ImagePath -z DumpFilePath
   kd -y SymbolPath -i ImagePath -z DumpFilePath

The following table explains the placeholders used in these commands.
Placeholder   Explanation
SymbolPath    Either the local path where the symbol files have been downloaded or the symbol server path, including a cache folder. Because a small memory dump file contains limited information, the actual binary files must be loaded together with the symbols for the dump file to be read correctly.

ImagePath     The path of the binary files. The files are contained in the I386 folder on the Windows XP CD-ROM. For example, the path may be C:\Windows\I386.

DumpFilePath  The path and file name of the dump file that you are examining.



Posted on August 27, 2013, in Uncategorized, Windows.