
How to get a Windows memory dump

This document (7004093) is provided subject to the disclaimer at the end of this document.

Environment

Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 2003
Microsoft Windows Vista
Microsoft Windows 7 

Situation

How to get a Windows memory dump


Resolution

The following steps are similar for all versions of Windows NT-based operating systems.


From the Start Menu, select System Settings

Select Control Panel
Select System
Select the Advanced Tab
Select Startup and Recovery
In the System Failure section, deselect the automatic restart option
In the System Failure, write debugging information section, select the desired type of memory dump from the pick list  - complete, kernel, small, etc.  If in doubt select "complete." 

Upload the zipped memory dump to ftp.novell.com/incoming and send the Novell support engineer an email that you have uploaded the file.

How to force a memory dump from a hung workstation:

In certain situations, it is possible to force a memory dump of a workstation: for example, when the workstation is non-responsive (hung), when the workstation itself does not crash or hang but an application crashes, or when an unexpected delay is encountered.  In the case where the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump, just to be sure there isn't forward motion still coming to a stop.
 
Method 1:
 
Use Microsoft's LiveKD utility.
 
1. Download Microsoft's LiveKD (http://technet.microsoft.com/en-us/sysinternals/bb897415) and extract to a temporary directory.
2. Spawn an elevated Command Prompt ("Run as Administrator") and change to the LiveKD directory.
3. Prepare, but do not execute, the command line "LiveKD.exe -o c:\MyDumpName.dmp". 
Substitute your preferred dump path and file name as needed.
4. Perform the operation which will encounter the problem.
5. Wait long enough to ensure that the machine is in the midst of the problem, then quickly execute the pending LiveKD command line.
For example, if the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump. Or, if you're experiencing an unexpected 15 second delay, perhaps wait until you're at least 5 seconds into the delay before executing LiveKD.
6. LiveKD will always write a "Complete" memory dump, and so may take some time.
7. Once complete, ZIP THE DUMP FILE before moving it off the machine, to ensure that the dump file is ultimately transferred intact.
 
Method 2:
 
Use Microsoft's "CrashOnCtrlScroll" configuration and method, as described in the Microsoft article "Forcing a System Crash from the Keyboard" (http://msdn.microsoft.com/en-us/library/ff545499.aspx).
 
1. Enable a crash dump file:
    a. Navigate to the Control Panel.
    b. Double click on the System icon.
    c. Click on the Advanced tab. 
    d. Click the Settings button in the "Startup and Recovery" section.
    e. In the "Write Debugging Information" section, select Complete Memory Dump.
    f. Deselect the "Automatically Reboot" option.
2. Create the "CrashOnCtrlScroll" DWORD value of 0x00000001 under either
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters] or
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
depending on whether the machine uses a PS/2 or USB keyboard, respectively.
3. Perform the operation which will encounter the problem.
4. Wait long enough to ensure that the machine is in the midst of the problem, then force Windows to crash and write a kernel-mode memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key two times.
For example, if the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump. Or, if you're experiencing an unexpected 15 second delay, perhaps wait until you're at least 5 seconds into the delay before forcing the dump.
5. Once complete, ZIP THE DUMP FILE before moving it off the machine, to ensure that the dump file is transferred intact.
 
See also Microsoft KB Article 244139: http://support.microsoft.com/default.aspx?scid=kb;en-us;244139

Additional Information

If the "Complete memory dump" option is not available:

If the "Complete memory dump" option is removed from the choice list in the later Windows versions, it is because Windows knows that a Complete memory dump isn't possible: for example, the amount of physical RAM is more than 2GB, or the page file size isn't set to the size of physical memory or greater.
 
The "How to generate a kernel or a complete memory dump file in Windows Server 2008" KB article (http://support.microsoft.com/kb/969028) presents a good deal of information on what's new and different regarding obtaining a crash dump on Vista/2008, and also covers the "how to manually force a dump" topic.  The article describes the possibility of enabling the "Complete" memory dump option even though the machine has over 4GB of memory. However, because of the issue it describes of dumps over 4GB potentially being corrupt, and because making and uploading a dump of that size is generally not necessary, Novell recommends using the "truncatememory or removememory switches in the BCDEdit.exe" approach described in the article.
 
That is, from an elevated command prompt ("Run as administrator"), execute this command:

BCDEDIT.EXE /set {current} truncatememory 0x80000000

to have Windows ignore all the memory above 2GB after the next reboot.  Now (after reboot) the "Complete" memory dump option should become available, and the Complete dump generated won't be larger than 2GB.

To return the machine to its original memory configuration, execute this command:

BCDEDIT.EXE /deletevalue {current} truncatememory

Windows 7 Specific

When attempting to collect a memory dump in connection with a Windows 7 kernel-mode crash, the MEMORY.DMP file may be unexpectedly missing. This may be due to the following Windows 7-specific default behavior:

If there are less than 25GB of disk space free and the machine is not joined to a domain, by default Windows will delete a generated MEMORY.DMP file rather than keeping it.  (The deletion happens after Windows reboots and reports the crash to Microsoft via the online crash analysis / Windows Error Reporting.)
 
If there are more than 25GB, or the machine is joined to a domain (read "corporate environment"), or you're actually on a Windows Server 2008 R2 (not Windows 7 Ultimate / Professional / Home), the MEMORY.DMP will be retained by default, as it always has been in previous versions of Windows.
 
The Windows 7 default policy can be explicitly overridden by setting the following registry value:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:00000001

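The settings covered in Method 2 and in the Windows 7 section above can be checked before reproducing the problem with a read-only audit such as the following. This is an added example, not Novell's or Microsoft's code. It assumes Windows PowerShell (for Get-WmiObject), the standard CrashControl value names CrashDumpEnabled, AutoReboot and DumpFile (not named in this document), and that the 25GB threshold is measured on the system drive; Get-RegValue is a hypothetical helper.

```powershell
# Added example: read-only audit; run from an elevated Windows PowerShell prompt.
$cc  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$kbd = @{
    'PS/2 keyboard (i8042prt)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'
    'USB keyboard (kbdhid)'    = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
}
# CrashDumpEnabled values (not listed in this document)
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name }
}

$type = Get-RegValue $cc 'CrashDumpEnabled'
if ($null -ne $type -and $dumpTypes.ContainsKey([int]$type)) {
    $typeName = $dumpTypes[[int]$type]
} else {
    $typeName = "not set or unrecognized ($type)"
}

$cs     = Get-WmiObject Win32_ComputerSystem
$os     = Get-WmiObject Win32_OperatingSystem
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$ramMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$pageMB = (Get-WmiObject Win32_PageFileUsage | Measure-Object AllocatedBaseSize -Sum).Sum
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$keep   = (Get-RegValue $cc 'AlwaysKeepMemoryDump') -eq 1

"Dump type            : $typeName"
"AutoReboot           : $(Get-RegValue $cc 'AutoReboot')  (0 = automatic restart deselected)"
"DumpFile             : $(Get-RegValue $cc 'DumpFile')"
"AlwaysKeepMemoryDump : $keep"
foreach ($name in $kbd.Keys) {
    $value = Get-RegValue $kbd[$name] 'CrashOnCtrlScroll'
    "CrashOnCtrlScroll    : $value  [$name]"
}
"RAM / page file      : $ramMB MB / $pageMB MB"
"Free on $($env:SystemDrive)           : $freeGB GB, domain joined: $($cs.PartOfDomain)"

# A Complete dump needs a page file at least as large as physical memory.
if ($type -eq 1 -and $pageMB -lt $ramMB) {
    "WARNING: Complete dump selected, but the page file is smaller than RAM."
}
# Windows 7 client default: MEMORY.DMP is deleted after the crash is reported.
if ($os.ProductType -eq 1 -and -not $cs.PartOfDomain -and $freeGB -lt 25 -and -not $keep) {
    "WARNING: MEMORY.DMP will not be retained; set AlwaysKeepMemoryDump=1 first."
}
```

An empty CrashOnCtrlScroll line means the value has not been created under that keyboard driver's key.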

Formerly known as TID# 10084257

Change Log

EWELLS updated TID 4Aug2009, adding information on Windows 7-specific behavior.
EWELLS updated TID 19Oct2009, adding information on If the "Complete memory dump" option is not available.
EWELLS updated TID 22Jan2010, fixing a minor typo.
EWELLS updated TID 28Jan2011, adding information about LiveKD Utility

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7004093
  • Creation Date:04-AUG-09
  • Modified Date:11-DEC-12
    • NovellClient
