How to get a complete memory dump of a process. Why do you need a blue screen of death or “instructions for interpreting a small memory dump file”

Crash dump behaviour is defined by the following values of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl:

REG_DWORD value AutoReboot = 0x1 (the Perform automatic reboot option in the System Properties window);

REG_DWORD value CrashDumpEnabled: 0x0 = no memory dump is created; 0x1 = full memory dump; 0x2 = kernel memory dump; 0x3 = small memory dump (64 KB);

REG_EXPAND_SZ value DumpFile = %SystemRoot%\MEMORY.DMP (where the dump file is stored);

REG_DWORD value LogEvent = 0x1 (the Log event option);

REG_EXPAND_SZ value MinidumpDir = %SystemRoot%\Minidump (optional);

REG_DWORD value Overwrite = 0x1 (the Replace existing file option);

REG_DWORD value SendAlert = 0x1 (the Send an administrative alert option).

How the system creates a crash dump file

During boot, the operating system checks the crash dump settings in the CrashControl registry key. If at least one value is set, the system builds a map of the disk blocks occupied by the paging file on the boot volume and keeps it in memory. The system also determines which disk device controls the boot volume and calculates checksums for that driver's in-memory image and for the data structures that must remain intact to perform I/O.

After a crash, the kernel checks the integrity of the paging-file map, the disk driver image and the disk control structures. If these structures are intact, the kernel calls special disk I/O routines designed to save a memory image after a crash. These routines are self-contained and do not rely on kernel services, because the code that writes the crash dump cannot assume which parts of the kernel or which devices were damaged when the crash occurred. The kernel writes memory directly to the sectors in the paging-file map (it does not need to use the file system).

First, the kernel checks the state of each component involved in writing the dump, so that writing directly to disk sectors does not damage data outside the paging file. The paging file must be 1 MB larger than physical memory, because when the dump is written a header is created that contains the crash dump signature and the values of several important kernel variables. The header occupies less than 1 MB, but the operating system resizes the paging file in steps of at least 1 MB.

After the system boots, Session Manager (Windows NT Session Manager; disk location \WINDOWS\system32\smss.exe) initializes the paging files, calling its own function NtCreatePagingFile for each file. NtCreatePagingFile checks whether the file being initialized exists and, if so, whether it contains a crash dump header. If a header is present, NtCreatePagingFile returns a special code to Session Manager. Session Manager then starts the Winlogon process (Windows NT Login Program; disk location \WINDOWS\system32\winlogon.exe) and notifies it that a crash dump exists. Winlogon starts the SaveDump program (Windows NT Memory Copy Program; disk location \WINDOWS\system32\savedump.exe), which parses the header and decides what to do with the crash dump.

If the header indicates that a crash dump exists, SaveDump copies the data from the paging file to the crash dump file whose name is given by the REG_EXPAND_SZ value DumpFile in the CrashControl key. While SaveDump is copying, the operating system does not use the part of the paging file that holds the crash dump, so during this time the virtual memory available to the system and applications is reduced by that amount (messages about a shortage of virtual memory may appear on screen). SaveDump then informs the memory manager that the save is complete, and the memory manager releases that part of the paging file for general use.

After saving the file, SaveDump records the creation of the crash dump in the event log, for example: “The computer was rebooted after a critical error: 0x100000d1 (0xc84d90a6, 0x00000010, 0x00000000, 0xc84d90a6). A memory dump was saved to: C:\WINDOWS\Minidump\Mini060309-01.dmp”.

A full memory dump writes the entire contents of memory when a fatal error occurs. This option requires a paging file on the boot volume whose size equals all physical RAM plus 1 MB. By default the full memory dump is written to %SystemRoot%\Memory.dmp. If a new error occurs and a new full (or kernel) memory dump file is created, the previous file is replaced (overwritten). The Full memory dump option is not available on systems running a 32-bit operating system with 2 GB or more of RAM.

A kernel memory dump writes only kernel memory, so writing the dump when the system stops unexpectedly is faster. Depending on the amount of physical memory, this option requires a paging file on the boot volume of 50 to 800 MB, or one third of physical memory. The kernel memory dump is written to %SystemRoot%\Memory.dmp.

It does not include unallocated memory or memory allocated to user-mode programs. It includes only memory allocated to the kernel and the hardware abstraction layer (HAL) in Windows 2000 and later, and memory allocated to kernel-mode drivers and other kernel-mode programs. In most cases this is the preferred option: it takes much less space than a full memory dump while leaving out only those memory regions that are least likely to be related to the error.

When a new error occurs and a new kernel memory dump file is created, the previous file is replaced.

A small memory dump records the smallest amount of useful information needed to determine the cause of the problem. Creating a small memory dump requires a paging file of at least 2 MB on the boot volume.

A small memory dump file contains the following information:

– the stop message, its parameters and other data;

– the list of loaded drivers;

– the processor context (PRCB) of the processor on which the failure occurred;

– the process information and kernel context (EPROCESS) for the process that caused the error;

– the process information and kernel context (ETHREAD) for the thread that caused the error;

– the kernel-mode call stack for the thread that caused the error.

A small memory dump file is used when hard disk space is limited. However, because of the limited information it contains, analysing this file may not always reveal errors that were not directly caused by the thread that was running at the time the error occurred.

If another error occurs and a second small memory dump file is created, the previous file is kept. Each additional file is given a unique name with the date encoded in it. For example, Mini051509-01.dmp is the first small memory dump file created on May 15, 2009. All small memory dump files are stored in the %SystemRoot%\Minidump folder.

The operating system is undoubtedly much more reliable than previous versions, thanks to the efforts of Microsoft's developers, hardware developers and application developers alike. However, failures and system crashes of all kinds are inevitable, and whether an administrator spends a few minutes troubleshooting (for example updating, debugging or reinstalling the application that causes the failure) or several hours reinstalling and configuring the operating system and applications (which does not guarantee the absence of failures and crashes in the future!) depends on his knowledge and skill in dealing with them.

Many administrators neglect analysing Windows crash dumps, believing that working with them is too difficult. It is difficult, but possible: even if, say, only one analysis in ten succeeds, the effort spent mastering the simplest techniques for analysing crashes will not be wasted!

Instructions for interpreting a small memory dump file.

Questions about the blue screen of death (Blue Screen Of Death = BSOD) come up very often. However, almost anyone can determine on their own the cause of the error that led to the BSOD. When a blue screen appears, a special file called a Small Memory Dump is written to the hard drive (provided, of course, that writing it is enabled in the settings).

You can enable writing of a small dump as follows:

1. Click Start and choose Control Panel from the Settings menu.

2. Double-click the System icon.

3. Open the Advanced tab and, under Startup and Recovery, click the Settings button.

4. In the Write debugging information list, select Small memory dump (64 KB).

A small memory dump file records the minimum set of useful information that allows the cause of an unexpected computer crash to be determined. This option requires a paging file of at least 2 MB on the boot volume. On computers running Microsoft Windows 2000 or a later version of Windows, a new file is created each time the computer crashes unexpectedly.

When the next error occurs and a second small memory dump file is created, Windows keeps the previous file. Windows gives each file a distinct name that contains the date. For example, Mini022900-01.dmp is the first memory dump file created on February 29, 2000. All small memory dump files are stored in the %SystemRoot%\Minidump folder.

Tools for interpreting a small memory dump file

You can use the Dump Check utility (Dumpchk.exe) to load small memory dump files. Dumpchk.exe is also used to verify that a memory dump file was created correctly. Dump Check does not require access to debug symbols. Dump Check is included in the Microsoft Windows 2000 Support Tools and Microsoft Windows XP Support Tools packages, which can be downloaded from http://www.microsoft.com/whdc/devtools/debugging/default.mspx

To interpret small memory dump files you can also use WinDbg or KD.exe. WinDbg and KD.exe are included in the latest version of the Debugging Tools for Windows package.
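The header check that Dump Check performs and the Mini<MMDDYY>-NN.dmp naming described above, as an added example that is not part of the original article. The dump bytes are constructed here; the field offsets follow the public 32-bit DUMP_HEADER layout, and the DumpType mapping and the 20YY year assumption are this example's own.

```python
"""Crash dump header check and minidump file-name decoding (added example).

The dump bytes are constructed; offsets follow the public 32-bit DUMP_HEADER
(the article's event-log example comes from a 32-bit system).
"""
import re
import struct

HEADER_SIZE = 0x1000                     # 32-bit DUMP_HEADER fills one 4 KB page
DUMP_TYPES = {1: "full", 2: "kernel", 4: "small"}   # DumpType field (assumed mapping)
OFF_VERSION, OFF_MACHINE, OFF_BUGCHECK, OFF_DUMPTYPE = 0x08, 0x20, 0x28, 0xF88
IMAGE_FILE_MACHINE_I386 = 0x14C


def build_sample_dump(bugcheck, params, dump_type=4):
    """Construct a 32-bit crash dump header for the example.

    The unused part of the header page is filled with the repeated marker
    'PAGE'; the first two dwords read 'PAGE' 'DUMP' once the dump is complete.
    """
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))
    hdr[4:8] = b"DUMP"
    struct.pack_into("<II", hdr, OFF_VERSION, 0xF, 2600)   # constructed version fields
    struct.pack_into("<II", hdr, OFF_MACHINE, IMAGE_FILE_MACHINE_I386, 1)
    struct.pack_into("<IIIII", hdr, OFF_BUGCHECK, bugcheck, *params)
    struct.pack_into("<I", hdr, OFF_DUMPTYPE, dump_type)
    return bytes(hdr)


def format_bugcheck(code, params):
    """Format the stop code like the event log entry quoted in the article."""
    return "0x%08x (%s)" % (code, ", ".join("0x%08x" % p for p in params))


def parse_dump_header(data):
    """Validate the header (as Dumpchk does) and return the first facts an
    analyst wants: bug check code, its parameters and the dump type.
    Raises ValueError for a file that is not a dump or was not completed."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file is shorter than a dump header")
    if data[0:4] != b"PAGE":
        raise ValueError("no PAGE signature: not a crash dump")
    if data[4:8] != b"DUMP":
        raise ValueError("ValidDump marker missing: dump was not written completely")
    major, minor = struct.unpack_from("<II", data, OFF_VERSION)
    machine, cpus = struct.unpack_from("<II", data, OFF_MACHINE)
    code, *params = struct.unpack_from("<IIIII", data, OFF_BUGCHECK)
    dump_type = struct.unpack_from("<I", data, OFF_DUMPTYPE)[0]
    return {
        "version": f"{major}.{minor}",
        "machine": "x86" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "processors": cpus,
        "bugcheck": format_bugcheck(code, params),
        "dump_type": DUMP_TYPES.get(dump_type, f"unknown ({dump_type})"),
    }


MINIDUMP_NAME = re.compile(r"^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$", re.IGNORECASE)


def decode_minidump_name(name):
    """Mini<MMDDYY>-<NN>.dmp -> {'date': 'YYYY-MM-DD', 'sequence': NN}, else None.
    The two-digit year is assumed to mean 20YY (assumption of this example)."""
    m = MINIDUMP_NAME.match(name)
    if not m:
        return None
    mm, dd, yy, nn = (int(x) for x in m.groups())
    return {"date": f"{2000 + yy:04d}-{mm:02d}-{dd:02d}", "sequence": nn}


if __name__ == "__main__":
    # The bug check from the article's event-log example, fed in as constructed input.
    sample = build_sample_dump(0x100000D1, (0xC84D90A6, 0x10, 0x0, 0xC84D90A6))
    print(parse_dump_header(sample))
    print(decode_minidump_name("Mini060309-01.dmp"))
```

A real MEMORY.DMP or minidump can be passed to parse_dump_header after reading its first 4 KB in binary mode; a header whose second dword is still 'PAGE' is the incomplete-dump case the article's integrity checks guard against.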

How to open a memory dump file

To open a memory dump file, follow these steps:

  1. Click Start, select Run, type cmd and click OK.
  2. Change to the Debugging Tools for Windows folder. To do this, type at the command prompt

cd c:\program files\debugging tools for windows

and press ENTER.

  3. To load the memory dump file into the debugger, type one of the following commands and press ENTER:

windbg -y path_to_symbol -i path_to_image -z path_to_dump_file

kd -y path_to_symbol -i path_to_image -z path_to_dump_file

The placeholders have the following meaning:

path_to_symbol – The local path to the folder into which the symbol files were downloaded, or the path to the symbol server including the cache folder. Because a small memory dump file contains limited information, the actual binary files must be loaded along with the symbols to interpret the dump correctly.

path_to_image – The path to those binary files. On Windows XP they are in the I386 folder on the Windows XP CD. Example path: C:\Windows\I386.

path_to_dump_file – The path to the memory dump file being analysed, including the file name.

Memory dump file analysis

There are several commands for collecting data from a dump file, including the following:

  • The !analyze -show command displays the stop error code and its parameters. The stop error code is also known as the bug check code.
  • The !analyze -v command displays detailed analysis results.
  • The lm N T command displays a list of the loaded modules. The output includes each module's status and path.

Note. The !drivers extension command lists all drivers loaded on the target computer, along with information about the memory they use. The !drivers extension is not available in Windows XP and later. To display information about loaded drivers and other modules, use the lm command. lm N T displays information in the same format as the old !drivers extension.

For information about other commands and the complete command syntax, see the debugging tools reference documentation. The help file for the debugging tools is located at C:\Program Files\Debugging Tools for Windows\Debugger.chm

Note. If you have problems using symbols, use the Symchk utility to verify that the required symbols are loaded correctly. For more information about Symchk, see the following Microsoft Knowledge Base article:

311503 (http://support.microsoft.com/kb/311503/) Retrieving debug symbol files from the Microsoft symbol server

Hello friends, today we will discuss an interesting topic that will help you in the future when a blue screen of death (BSoD) appears.

Like me, many other users have seen a screen with a blue background and white text on it. It indicates a critical problem, either in software (for example a driver conflict) or a physical fault in some computer component.

I recently got a blue screen issue in Windows 10 again, but I quickly got rid of it and will tell you about it soon.

Most users are not aware that a BSoD can be analysed to understand the critical error afterwards. For such cases Windows creates special files on disk, and those are what we will analyse.

There are three types of memory dump:

Full memory dump – saves the entire contents of RAM. It is rarely used: imagine you have 32 GB of RAM; with a full dump all of that volume is written to disk.

Kernel memory dump – saves kernel-mode information.

Small memory dump – saves a small amount of information about the error and the loaded components that were present at the moment the system failed. We will use this type of dump, because it gives us enough information about the BSoD.

The small and full dumps are stored in different places: the small dump is located at %systemroot%\minidump.

The full dump is located at %systemroot%.

There are various programs for analysing memory dumps, but we will use two. The first is Microsoft Kernel Debugger, which, as the name suggests, is a utility from Microsoft; you can download it from the official website. The second is BlueScreenView, a free program.

Analyzing a Memory Dump Using Microsoft Kernel Debuggers

Different versions of the system need different builds of the utility: a 64-bit operating system needs the 64-bit program, a 32-bit operating system the 32-bit version.

That is not all: you also need to download and install the debugging symbols package the program needs, called Debugging Symbols. Each version of this package is also built for a specific OS, so first find out which system you have, then download. So that you don't have to search for these symbols, here is the download link. Preferably install them to %systemroot%\symbols.

Now launch the debugger; its window looks like this:

Before analysing dumps we will configure a few things in the utility. First, we need to tell the program where the debugging symbols were installed. Click “File”, select “Symbol File Path” and specify the path to the symbols.


The program can fetch symbols directly from the web, so you don't even have to download them (apologies to those who already did). They are taken from a Microsoft server, so this is safe. Open “File” again, then “Symbol File Path”, and enter the following string:

SRV*%systemroot%\symbols*http://msdl.microsoft.com/download/symbols


This tells the program to take the symbols from the network. Once that is done, click “File”, select “Save Workspace” and click OK.

That's all: the program is configured and we can start analysing memory dumps. In the program click “File”, then “Open Crash Dump”, and select the desired file.

Kernel Debugger will analyse the file and then output its conclusion about the cause of the error.


In the window that appears you can enter commands. Entering !analyze -v gives more detailed information.

That's all for this program. To stop the debugger, select “Debug” and then “Stop Debugging”.

Analyzing a memory dump using BlueScreenView

The BlueScreenView program is also suitable for analysing various errors and BSoDs; it has a simple interface, so there should be no trouble mastering it.

Download the program from the link above and install it. After launching the utility you need to configure it. Go to “Options” – “Advanced Options”. A small window with a few items opens. In the first item, specify the location of the memory dumps; they are usually at C:\WINDOWS\Minidump. Or just click the “Default” button.


What do you see in the program? There are the menu items, a part of the window with the names of the dump files, and a second part of the window with the contents of the memory dumps.


As I said at the beginning of the article, dumps can store drivers, a screenshot of the “screen of death” itself and other information that may be useful to us.

So, in the first part of the window, where the dump files are, select the memory dump we need. In the next part of the window we look at its contents. Drivers found in the crash stack are highlighted in red. They are the ones responsible for the blue screen of death.

On the Internet you can find everything about the error code and the driver that may be to blame for the BSoD. To do this, click “File”, then “Find error code + Driver in Google”.


You can display only the drivers that were present at the time of the error. To do this, click “Options” – “Lower Pane Mode” – “Only Drivers Found In Stack”, or press F7.

To show the BSoD screenshot, press F8.

To show all drivers and files, press F6.

Well, that's all. Now you know how to find out what is behind a Blue Screen of Death problem and, if something happens, find a solution on the Internet or on this site. You can post your error codes, and I will try to write an article on solving each of them.

Also, don't forget to ask questions in the comments.

By and large, you as a user need not be interested in a memory dump. It is just information about a system failure, which ideally should be sent to Microsoft's developers so they can find and fix critical errors. If you do not plan to engage in such charity, you can disable the dump.

Disabling the memory dump does not affect system performance in any way. While you use the computer the system does not touch the dump, whether it is enabled or not. Writing happens only when Windows is “brought” to a BSOD (blue screen), and it lasts a couple of seconds at most.

Types of dump

For general knowledge, let's look at the types of dump. There are three: small, kernel and full. A small dump stores the most important information about the problem; developers literally have to piece it together bit by bit. A small dump needs 2 MB of virtual memory (paging file).

Kernel dump – the most common type of dump, and usually the default. It records all memory allocated to the kernel: the state of the running drivers and data from the hardware-dependent layer. It needs about 30% of the total amount of RAM. For example, if you have 2 GB of DDR, allocate about 700 MB to the paging file.

A full dump records the entire contents of RAM. Accordingly, for it to work you have to allocate as much space to the paging file as you have RAM. A full dump is needed for hibernation mode, when all the data from RAM is written to the hard drive.

In Windows 7 the dump settings are hidden quite deep. In the Start menu search box, type the word “system”, for example.

Select the “System” result. A window opens; in the list of options at the top right, select the last one, “Advanced system settings”.


Errors occur very often in Windows, even on a “clean” system. Ordinary program errors can be solved (a message about a missing component appears), but critical errors are much harder to fix.

What is a memory dump in Windows

To solve system problems a crash memory dump is usually used: a snapshot of part or all of RAM, placed on non-volatile storage (the hard drive). In other words, the contents of RAM are fully or partially copied to storage, and the user can then analyse the memory dump.

There are several types of memory dump:

Small dump (Small Memory Dump) – saves a minimal amount of RAM containing information about the critical error (BSoD) and the components loaded while the system was running, for example drivers and programs. The minidump is stored at C:\Windows\Minidump.

Full dump (Complete Memory Dump) – the entire contents of RAM are saved, so the file size equals the amount of RAM. With little disk space it is problematic to save, for example, 32 GB. There are also problems creating a memory dump file larger than 4 GB. This type is used very rarely. Stored at C:\Windows\MEMORY.DMP.

Kernel memory dump – only information related to the system kernel is saved.

When the user gets to analysing the error, only the minidump (small dump) is needed. But it must be enabled beforehand, otherwise the problem will not be recorded. Also, for more effective identification of a crash, a full memory snapshot is preferable.

Information in the registry

If you look in the Windows registry you can find some useful snapshot settings. Press Win+R, enter the command regedit, and open the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

In this key the user will find the following values:

  • AutoReboot – enable or disable the reboot after a Blue Screen of Death (BSoD).
  • DumpFile – the name and location of the dump file.
  • CrashDumpEnabled – the type of file created: 0 – no dump is created; 1 – a full dump; 2 – a kernel dump; 3 – a small dump.
  • DumpFilters – lets you add extra processing before the snapshot is created, for example file encryption.
  • MinidumpDir – the name and location of the small dump folder.
  • LogEvent – enables recording information in the system log.
  • MinidumpsCount – the number of small dumps to keep (exceeding this number destroys the old files and replaces them).
  • Overwrite – applies to full and kernel dumps: when a new snapshot is created, the previous one is always replaced.
  • DedicatedDumpFile – creates an alternative dump file and specifies its path.
  • IgnorePagefileSize – used for temporary snapshot storage without using the paging file.
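How these CrashControl values can be read back from a regedit export and checked against the paging-file requirements the articles state, as an added example that is not part of the original articles. The .reg text is constructed; the value names are the ones listed above, and the size rules (full: RAM + 1 MB; kernel: one third of RAM within 50 to 800 MB; small: 2 MB) are taken from the text.

```python
"""Summarise a regedit export of the CrashControl key (added example).

The .reg text is constructed for this example.  regedit writes REG_EXPAND_SZ
values as hex(2): UTF-16LE bytes, wrapped with a trailing backslash.
"""
import re

CRASH_DUMP_TYPES = {0: "none", 1: "full", 2: "kernel", 3: "small"}

# Constructed export of HKLM\SYSTEM\CurrentControlSet\Control\CrashControl.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000001
"CrashDumpEnabled"=dword:00000002
"DumpFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,4d,00,45,00,4d,00,4f,00,52,00,59,00,2e,00,44,00,4d,\
  00,50,00,00,00
"LogEvent"=dword:00000001
"Overwrite"=dword:00000001
"MinidumpDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
  6f,00,74,00,25,00,5c,00,4d,00,69,00,6e,00,69,00,64,00,75,00,6d,00,70,00,\
  00,00
"""

VALUE_LINE = re.compile(r'^"([^"]+)"=(dword:|hex\(2\):)(.*)$')


def parse_reg_export(text):
    """Return {value_name: value} for the dword and REG_EXPAND_SZ entries."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)      # undo regedit's line wrapping
    values = {}
    for line in joined.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue
        name, kind, data = m.groups()
        if kind == "dword:":
            values[name] = int(data, 16)
        else:
            raw = bytes(int(b, 16) for b in data.split(",") if b)
            values[name] = raw.decode("utf-16-le").rstrip("\x00")
    return values


def min_pagefile_mb(dump_type, ram_mb):
    """Minimum paging-file size on the boot volume, per the article's rules."""
    if dump_type == "full":
        return ram_mb + 1
    if dump_type == "kernel":
        return min(max(ram_mb // 3, 50), 800)
    if dump_type == "small":
        return 2
    return 0


def summarize(values, ram_mb):
    """Human-readable view of the crash dump configuration."""
    dump_type = CRASH_DUMP_TYPES.get(values.get("CrashDumpEnabled", 0), "unknown")
    target = values.get("MinidumpDir") if dump_type == "small" else values.get("DumpFile")
    return {
        "dump_type": dump_type,
        "written_to": target,
        "min_pagefile_mb": min_pagefile_mb(dump_type, ram_mb),
        "auto_reboot": bool(values.get("AutoReboot", 0)),
        "overwrite": bool(values.get("Overwrite", 0)),
        "log_event": bool(values.get("LogEvent", 0)),
    }


if __name__ == "__main__":
    print(summarize(parse_reg_export(SAMPLE_REG), ram_mb=2048))
```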

How it works

If a failure occurs, the system stops completely and, if dumping is enabled, information about the problem is written to a file on disk. If something has happened to the physical components, an emergency code is triggered and the failed hardware makes changes that are certainly reflected in the snapshot.

Usually the file is saved in the hard disk block allocated to the paging file; after a BSoD appears, the file is rewritten as the type the user configured (small, full or kernel dump). In modern operating systems, however, the paging file does not have to take part.

How to enable dumps

In Windows 7:

In Windows 8 and 10:

Here the process is similar; you can get to the system information the same way as in Windows 7. In Windows 10, open “This PC”, right-click on an empty area and select “Properties”. Another way to get there is through the Control Panel.

Second option for Windows 10:


Note that new versions of Windows 10 have items that were not in the “seven”:

  • Small memory dump 256 KB – minimal failure data.
  • Active memory dump – appeared in Windows 10 and saves only the active memory of the computer, the kernel and the user. Recommended for servers.

How to delete a dump

Just go to the directory where the memory snapshots are stored and delete them. There is another way to remove them, the Disk Cleanup utility:

If no items were found, the dumps may not have been enabled.

Even if you once enabled them, some system optimization utilities you use can easily disable some functionality. Many things are often disabled when using SSD drives, since repeated read and write operations greatly harm the health of the drive.

Memory dump analysis using WinDbg

Download this program from the official Microsoft website, in step 2 where “Install WDK” is described: https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk.

To work with the program you will also need a special package of debugging symbols, called Debugging Symbols. Previously it could be downloaded from the Microsoft website, but that has been dropped, so you have to use the program's File – “Symbol File Path” function, where you enter the following line and click OK:

set _NT_SYMBOL_PATH=srv*DownstreamStore*https://msdl.microsoft.com/download/symbols

If that doesn't work, try this string:

SRV*%systemroot%\symbols*http://msdl.microsoft.com/download/symbols

Click “File” again and select “Save Workspace”.

The utility is configured. All that remains is to specify the path to the memory dump files. To do this, click File and choose “Open Crash Dump”. The location of all dumps is given at the beginning of the article.

After the file is selected, the analysis finishes and the problematic component is highlighted automatically. To get more information, enter the following command in the same window: !analyze -v

Analysis with BlueScreenView

You can download the tool for free from this site: http://www.nirsoft.net/utils/blue_screen_view.html. Installation requires no skills. It is only used on Windows 7 and higher.

Launch and configure it. Click “Options” – “Advanced Options”. Select the first item, “Load MiniDumps from this folder”, and specify the directory C:\WINDOWS\Minidump, or simply click the “Default” button. Click OK.

The dump files should appear in the main window; there may be one or several. To open one, just click on it.

The bottom of the window shows the components that were running at the time of the failure. The one responsible for the crash is highlighted in red.

Now click “File” and select, for example, “Find error code + driver in Google”. If you find the driver you need, install it and restart the computer. The error may well disappear.