memory dump

The debugging information can be written to different file formats (also known as memory dump files) when your computer stops unexpectedly because of a Stop error (also known as a "blue screen," system crash, or bug check). You can also configure Windows not to write debugging information to a memory dump file.

Windows can generate any one of the following memory dump file types:
  • Complete memory dump
  • Kernel memory dump
  • Small memory dump (64 KB)

Complete memory dump

A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may contain data from processes that were running when the memory dump was collected.

If you select the Complete memory dump option, you must have a paging file on the boot volume that is sufficient to hold all the physical RAM plus 1 megabyte (MB).

If a second problem occurs and another complete memory dump (or kernel memory dump) file is created, the previous file is overwritten.

Notes
  • In Windows Vista, Windows 7, Windows Server 2008 and in Windows Server 2008 R2, the paging file can be on a partition that differs from the partition on which the operating system is installed. 
  • In Windows Vista and Windows Server 2008, to put a paging file on another partition, you must create a new registry entry that is named DedicatedDumpFile. You can define the size of the paging file by using a new registry entry that is named DumpFileSize.
    • For more information about how to do this, visit the following Microsoft Web site:
      969028 How to generate a kernel or a complete memory dump file in Windows Server 2008

  • In Windows 7 and Windows Server 2008 R2, to put a paging file on another partition, it is not mandatory to use the DedicatedDumpFile registry entry.
  • The Complete memory dump option is not available on computers that are running a 32-bit operating system and that have 2 gigabytes (GB) or more of RAM. For more information, see the Specify what
 

Kernel memory dump

A kernel memory dump records only the kernel memory. This speeds up the process of recording information in a log when your computer stops unexpectedly. You must have a paging file large enough to accommodate your kernel memory. For 32-bit systems, kernel memory is usually between 150 MB and 2 GB. Additionally, on Windows 2003 and Windows XP, the paging file must be on the boot volume. Otherwise, a memory dump cannot be created.

This dump file does not include unallocated memory or any memory that is allocated to User-mode programs. It includes only memory that is allocated to the kernel and hardware abstraction layer (HAL) in Windows 2000 and later, and memory allocated to Kernel-mode drivers and other Kernel-mode programs. For most purposes, this dump file is the most useful. It is significantly smaller than the complete memory dump file, but it omits only those parts of memory that are unlikely to have been involved in the problem.

If a second problem occurs and another kernel memory dump file (or a complete memory dump file) is created, the previous file is overwritten when the 'Overwrite any existing file' setting is checked.


Small memory dump

A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly. This option requires a paging file of at least 2 MB on the boot volume and specifies that Windows 2000 and later create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder.

This dump file type includes the following information:
  • The Stop message and its parameters and other data
  • A list of loaded drivers
  • The processor context (PRCB) for the processor that stopped
  • The process information and kernel context (EPROCESS) for the process that stopped
  • The process information and kernel context (ETHREAD) for the thread that stopped
  • The Kernel-mode call stack for the thread that stopped

This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.

If a second problem occurs and a second small memory dump file is created, the previous file is preserved. Each additional file is given a distinct name. The date is encoded in the file name. For example, Mini022900-01.dmp is the first memory dump generated on February 29, 2000. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder.
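The naming scheme above makes the Minidump folder a crash history that can be read from a directory listing alone. The following is an added example, not part of the original article: it parses names of the form Mini022900-01.dmp into a sorted timeline and reports days with repeated crashes. The function names, the sample listing, and the two-digit-year pivot (80 and above is read as 19xx) are assumptions.

```python
import re
from datetime import date

# Small memory dump names as described above:
# "Mini" + MMDDYY + "-" + two-digit sequence number + ".dmp"
_NAME = re.compile(r"^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$", re.IGNORECASE)

def parse_minidump_name(name, pivot=80):
    """Return (date, sequence) for a MiniMMDDYY-NN.dmp name, else None.

    Assumption: two-digit years >= pivot are 19xx, all others 20xx.
    """
    m = _NAME.match(name)
    if not m:
        return None
    month, day, yy, seq = (int(g) for g in m.groups())
    year = (1900 if yy >= pivot else 2000) + yy
    try:
        return date(year, month, day), seq
    except ValueError:  # impossible calendar date, e.g. month 13
        return None

def crash_timeline(names):
    """Split a listing into (chronological timeline, rejected names)."""
    timeline, rejected = [], []
    for n in names:
        parsed = parse_minidump_name(n)
        if parsed is None:
            rejected.append(n)
        else:
            timeline.append((parsed[0], parsed[1], n))
    timeline.sort()
    return timeline, rejected

def repeat_crash_days(timeline, threshold=2):
    """Days on which at least `threshold` small dumps were written."""
    counts = {}
    for day, _seq, _name in timeline:
        counts[day] = counts.get(day, 0) + 1
    return sorted(d for d, c in counts.items() if c >= threshold)

# Constructed directory listing (not taken from a real system).
SAMPLE = ["Mini011501-01.dmp", "Mini022900-02.dmp", "Mini022900-01.dmp",
          "Mini133100-01.dmp", "notes.txt"]

if __name__ == "__main__":
    tl, bad = crash_timeline(SAMPLE)
    for day, seq, name in tl:
        print(day.isoformat(), seq, name)
    print("rejected:", bad, "repeat days:", repeat_crash_days(tl))
```

Names that do not match the pattern or that encode an impossible date are returned separately so that renamed or foreign files in the folder stand out instead of being dropped silently.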

Configure the dump type

To configure startup and recovery options (including the dump type), follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
  1. Click Start, and then click Control Panel.
  2. Click Performance and Maintenance, and then click System.
  3. On the Advanced tab, click Settings under Startup and Recovery.

NOTE: You must restart Windows in order for your changes to take effect.

Tools for the various dump types

You can load complete memory dumps and kernel memory dumps with standard symbolic debuggers, such as I386kd.exe. I386kd.exe is included with the Windows 2000 Support CD-ROM.

Load small memory dumps by using Dumpchk.exe. Dumpchk.exe is included with the Support Tools for Windows 2000 and Windows XP. You can also use Dumpchk.exe to verify that a memory dump file has been created correctly.

For more information about how to use Dumpchk.exe in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
315271  How to use Dumpchk.exe to check a memory dump file
For more information about how to use Dumpchk.exe in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
156280  How to use Dumpchk.exe to check a memory dump file
For more information about Windows debugging tools, visit the following Microsoft Web site:



