How to get a Windows memory dump

  • 7004093
  • 04-Aug-2009
  • 31-May-2018

Environment

Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 2003
Microsoft Windows Vista
Microsoft Windows 7 
Microsoft Windows 10

Situation

How to get a Windows memory dump


Resolution

The following steps are similar for all versions of Windows NT-based operating systems.

1. Launch the Control Panel.
2. Select System.
3. Select Advanced system settings.
4. Select the Advanced tab.
5. Click the Settings button under Startup and Recovery.
6. In the System Failure section, deselect the automatic restart option.
7. Under the Write debugging information section, select the desired type of memory dump from the pick list (Small, Kernel, Complete, etc.). If in doubt, select "Complete memory dump."

Note: If the "Complete" option does not appear in the drop-down list:

  1. Open the registry editor (regedit.exe).
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  3. Double-click the value "CrashDumpEnabled" and set/change the data to "1".

Upload the zipped memory dump to ftp.novell.com/incoming and send the Novell support engineer an email that you have uploaded the file.

How to force a memory dump from a hung workstation:

It is possible to force a memory dump of a workstation in certain situations: when the workstation is non-responsive (hung), when the workstation itself does not crash or hang but an application crashes, or when an unexpected delay is encountered. If the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump, to be sure that any remaining activity has come to a stop.
 
Method 1:
 
Use Microsoft's LiveKD utility.
 
1. Open https://msdn.microsoft.com/en-US/windows/desktop/bg162891 and click the "Install SDK" link for "Windows 10 1803 SDK".
2. Save winsdksetup.exe to a local directory.
3. Run winsdksetup.exe. Accept the default installation path of "C:\Program Files (x86)\Windows Kits\10\".
4. At the "Select the features you want to install" page, choose at least "Debugging Tools for Windows". De-select all other features to minimize download time and installation footprint, unless you want to install any of the other components.
5. Open https://technet.microsoft.com/en-us/sysinternals/bb897415.aspx and click on the "Download LiveKd" link.
6. Save the LiveKD.zip file to a local directory.
7. Extract the LiveKD.zip file to the "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64" subdirectory.
8. Open a "Run as Administrator" command prompt, and cd to the "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64" subdirectory.
9. Run "livekd.exe -o memory.dmp". When asked about setting the _NT_SYMBOL_PATH directory to the Microsoft symbol server, choose the "y" option. Accept the default location for the symbols. The memory dump will be written to the current directory.
10. Repeat step 9, only this time use the command line "livekd.exe -m -o kernel.dmp". This writes an alternative dump which might be more successful if the complete dump runs into any consistency issues.
11. Zip the two dump files together and upload to ftp://ftp.novell.com/incoming/ for further analysis. 

Note: If the version of Windows is old enough that the Windows 10 SDK cannot be installed on it, the same steps can be used with the "Windows 8.1 SDK", available for download in the "Earlier Releases" section of the Microsoft Windows SDK download page. Expect and adjust for the SDK installation path containing "8.1" rather than "10".

 
Method 2:
 
Use Microsoft's "CrashOnCtrlScroll" configuration and method, as described in the Microsoft article "Forcing a System Crash from the Keyboard": http://msdn.microsoft.com/en-us/library/ff545499.aspx
 
1. Enable a crash dump file:
    a. Open the Windows Control Panel.
    b. Click on the System icon.
    c. Click on the Advanced System Settings link.
    d. In the "System Properties" pane, click the "Settings..." button in the "Startup and Recovery" section.
    e. In the "Write Debugging Information" section, select "Complete memory dump".
    f. Deselect the "Automatically Restart" option.
2. Create the "CrashOnCtrlScroll" DWORD value of 0x00000001 under either
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters] or
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
depending on whether the machine uses a PS/2 or USB keyboard, respectively.
3. Perform the operation which will encounter the problem.
4. Wait long enough to ensure that the machine is in the midst of the problem, then force Windows to crash and write a kernel-mode memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key two times. For example, if the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump. Or, if you're experiencing an unexpected 15 second delay, perhaps wait until you're at least 5 seconds into the delay before forcing the dump.
5. Once complete, ZIP THE DUMP FILE before moving it off the machine, to ensure that the dump file is transferred intact.
 
See also Microsoft KB Article 244139: http://support.microsoft.com/default.aspx?scid=kb;en-us;244139

Additional Information

If the "Complete memory dump" option is not available:

If the "Complete memory dump" option is missing from the choice list in later Windows versions, it is because Windows has determined that a Complete memory dump isn't possible, e.g. the amount of physical RAM is more than 2GB, or the page file size isn't set to the size of physical memory or greater.
 
The KB article "How to generate a kernel or a complete memory dump file in Windows Server 2008" (http://support.microsoft.com/kb/969028) presents a good deal of information on what's new and different about obtaining a crash dump on Vista/2008, and also covers how to manually force a dump. The document describes the possibility of enabling the "Complete" memory dump option even when the machine has over 4GB of memory. However, because of the issue it describes of dumps over 4GB potentially being corrupt, and because making and uploading a dump of that size is generally unnecessary, Novell recommends the "truncatememory or removememory switches in BCDEdit.exe" approach described in the document.
 
That is, from an elevated command prompt ("Run as administrator"), execute this command:

BCDEDIT.EXE /set {current} truncatememory 0x80000000

to have Windows ignore all the memory above 2GB after the next reboot.  Now (after reboot) the "Complete" memory dump option should become available, and the Complete dump generated won't be larger than 2GB.

To return the machine to its original memory configuration, execute this command:

BCDEDIT.EXE /deletevalue {current} truncatememory

Windows 7 Specific

When attempting to collect a memory dump in connection with a Windows 7 kernel-mode crash, the MEMORY.DMP file may be unexpectedly missing. This may be due to the following Windows 7-specific default behavior:

If there are less than 25GB of disk space free and the machine is not joined to a domain, by default Windows will delete a generated MEMORY.DMP file rather than keeping it. (This happens after Windows reboots and reports the crash to Microsoft via the online crash analysis / Windows Error Reporting.)

If there are more than 25GB, or the machine is joined to a domain (read "corporate environment"), or you're actually on Windows Server 2008 R2 (not Windows 7 Ultimate / Professional / Home), the MEMORY.DMP will be retained by default, as it always has been in previous versions of Windows.
 
The Windows 7 default policy can be explicitly overridden by setting the following registry value:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:00000001

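The prerequisites covered above (dump type, automatic restart, page file versus RAM, the Windows 7 retention rule, and the CrashOnCtrlScroll value) can be checked in one pass before reproducing a problem. The following PowerShell script is an added example, not part of the original TID or of any Novell or Microsoft tooling; it only reads state. The AutoReboot value name, the dump-type names other than Complete, and the WMI classes are not from this article; they are standard Windows names.

```powershell
# Added example: read-only audit of the crash-dump prerequisites described in this article.
# Assumes Windows PowerShell 3.0 or later (Get-CimInstance); nothing is modified.
$cc  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$kbd = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',
       'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'

function Get-RegValue($Path, $Name) {
    # Return $null instead of an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}
function New-Finding($Check, $Value, $Note) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Note = $Note }
}

# The article gives 1 = Complete; the other names are the standard Windows values.
$names = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
$type  = Get-RegValue $cc 'CrashDumpEnabled'
$label = if ($null -eq $type) { 'not set' } else { "$type ($($names[[int]$type]))" }
$auto  = Get-RegValue $cc 'AutoReboot'   # value behind the "automatic restart" checkbox
$keep  = Get-RegValue $cc 'AlwaysKeepMemoryDump'
$armed = @($kbd | Where-Object { (Get-RegValue $_ 'CrashOnCtrlScroll') -eq 1 })

$cs     = Get-CimInstance Win32_ComputerSystem
$ramMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$pageMB = [int64](Get-CimInstance Win32_PageFileUsage |
          Measure-Object -Property AllocatedBaseSize -Sum).Sum   # reported in MB
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

# Windows 7 client rule from the article: under 25GB free, not domain-joined, no override.
$mayDelete = ($freeGB -lt 25) -and (-not $cs.PartOfDomain) -and ($keep -ne 1)

@(
    New-Finding 'Dump type' $label $(if ($type -ne 1) { 'article suggests Complete when in doubt' })
    New-Finding 'Automatic restart' $auto $(if ($auto -eq 1) { 'article says to deselect it' })
    New-Finding 'RAM (MB)' $ramMB $(if ($ramMB -gt 2048) { 'over 2GB: Complete may be unavailable' })
    New-Finding 'Page file (MB)' $pageMB $(if ($pageMB -lt $ramMB) { 'smaller than RAM' })
    New-Finding 'Free space (GB)' $freeGB $(if ($mayDelete) { 'MEMORY.DMP may be deleted after reboot' })
    New-Finding 'AlwaysKeepMemoryDump' $keep $null
    New-Finding 'CrashOnCtrlScroll' ($armed.Count) $(if (-not $armed) { 'Method 2 hotkey not enabled' })
) | Format-Table -AutoSize -Wrap
```

An empty Note column means the setting already matches what the article asks for; the free-space note applies only to Windows 7 client editions.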

Formerly known as TID# 10084257

Change Log

EWELLS updated TID 4Aug2009, adding information on Windows 7-specific behavior.
EWELLS updated TID 19Oct2009, adding information on If the "Complete memory dump" option is not available.
EWELLS updated TID 22Jan2010, fixing a minor typo.
EWELLS updated TID 28Jan2011, adding information about LiveKD Utility
EWELLS updated TID 16Apr2018, updated and cleaned up content, no substantive changes.
EWELLS updated TID 31May2018, updated steps for LiveKD per https://bugzilla.novell.com/show_bug.cgi?id=1078315#c63