Windows crash dump. What is a memory dump? Program for removing RAM dump

In chapter crash dump is detected the following parameters:

REG_DWORD-parameter AutoReboot with meaning 0x1(option Perform automatic reboot subwindow window Properties of the system);

REG_DWORD-parameter CrashDumpEnabled with meaning 0x0, if a memory dump is not created; 0x1Full memory dump; 0x2Kernel memory dump; 0x3Small memory dump (64KB);

REG_EXPAND_SZ-parameter DumpFile with meaning %SystemRoot%\MEMORY.DMP(dump file storage location);

REG_DWORD-parameter LogEvent with meaning 0x1(option Log event window );

REG_EXPAND_SZ-parameter MinidumpDir with meaning %SystemRoot%\Minidump(optional);

REG_DWORD-parameter Overwrite with meaning 0x1(option Replace existing file window );

REG_DWORD-parameter SendAlert with meaning 0x1(option Send an administrative alert window ).

How the system creates an emergency memory file

During boot, the operating system checks the emergency creation parameters in the registry section . If at least one parameter is specified, the system generates a map of disk blocks occupied on the boot volume and stores it in memory. The system also determines which disk device controls the boot volume and calculates checksums for the image in memory and for data structures that must be integer to be able to perform I/O operations.

After a failure, the system kernel checks the integrity of the page file map, disk file and disk control structures. If the integrity of these structures is not violated, then the system kernel calls special disk I/O functions , designed to save a memory image after a failure. These I/O functions are self-contained and do not rely on kernel services because the programs responsible for writing the crash dump cannot make any assumptions about which parts of the system kernel or devices were damaged when a crash occurred. The system kernel writes data from memory to the paging file sector map (it does not have to usefile system).

First, the system kernel checks the status of each component involved in the dump process. This is done so that when writing directly to disk sectors, the data located outside the file is not damaged. File size should be 1 MB larger size physical memory, because when information is written to, a header is created that contains the emergency signature and the values ​​of several important system kernel variables. Title occupies less than 1 MB, but the operating system can increase (or decrease) the size of the paging file by at least 1 MB.

After system boot Session Manager (Windows NT Session Manager; disk address – \WINDOWS\system32\smss.exe) initializes system files, using its own function to create each file NtCreatePagingFile. NtCreatePagingFile determines whether the file being initialized exists, and if so, whether it has a header . If there is a title, then NtCreatePagingFile sends to Session Manager special code. After that Session Manager starts the process Winlogon (Windows NT Logon Program; disk address – \WINDOWS\system32\winlogon.exe), which is notified of the existence of an emergency . Winlogon starts the program SaveDump (Copy saving program Windows memory NT; disk address – \WINDOWS\system32\savedump.exe), which parses the header and determines further actions in an emergency.

If the title indicates the existence , That SaveDump copies data from a file to an emergency file whose name is specified REG_EXPAND_SZ-parameter DumpFile section . Bye SaveDump rewrites the file , the operating system does not use the part of the page file that contains the emergency . During this time, the amount of virtual memory available to the system and applications is reduced by (At the same time, messages may appear on the screen indicating a lack of virtual memory). Then SaveDump informs the memory manager that the save is complete , and he releases that part file in which it is stored , for general use.

Saving the file , program SaveDump records the creation of an emergency in the event log , for example: “The computer was rebooted after a critical error: 0x100000d1 (0xc84d90a6, 0x00000010, 0x00000000, 0xc84d90a6). Memory copy saved: C:\WINDOWS\Minidump\Mini060309-01.dmp" .

Full memory dump writes the entire contents of memory when a fatal error occurs. For this option, you must have a paging file on the boot volume, the size of which is equal to the volume of the entire physical random access memory plus 1 MB. Default full memory is written to a file %SystemRoot%\Memory.dmp. If a new error occurs and a new complete file is created memory (or kernel memory) the previous file is replaced (overwritten). Parameter Full memory dump not available on systems running a 32-bit operating system and 2 or more RAM.

If a new error occurs and a new complete file is created memory the previous file is replaced.

Kernel memory dump writes only kernel memory, making the process of writing data to the log when the system suddenly stops proceeds faster. Depending on the amount of physical memoryin this case the page file requires 50 to 800 MB or one third of the physical memory on the boot volume. kernel memory is written to a file %SystemRoot%\Memory.dmp.

This does not include unallocated memory or memory allocated to mode programs. It only includes memory allocated to the kernel and hardware-specific layer ( HAL) V Windows 2000 and later versions of the system, as well as memory allocated for kernel mode and other kernel mode programs. In most cases this is the most preferred option. It takes up much less space compared to a full memory, while excluding only those memory sectors that are most likely not associated with the error.

When a new error occurs and a new file is created kernel memory the previous file is replaced.

Small memory dump writes the smallest volume useful information necessary to determine the cause of the problem. To create a small memory requires that the page file size be at least 2 MB on the boot volume.

Small files memory contains the following information:

– message about a fatal error, its parameters and other data;

– list of downloaded ;

– context ( PRCB) on which the failure occurred;

EPROCESS) for the process that caused the error;

– process information and kernel context ( ETHREAD) for the thread that caused the error;

– Kernel mode call stack for the thread that caused the error.

Small file memory is used when hard disk space is limited. However, due to the limited information it contains, analysis of this file may not always detect errors that were not directly caused by the thread running at the time the error occurred.

If the following error occurs and a second small file is created memory, the previous file is retained. To each additional file a unique name is given. The date is encoded in the file name. For example, Mini051509-01.dmp- this is the first file memory, created on May 15, 2009 List of all small files memory is stored in a folder %SystemRoot%\Minidump.

operating system , undoubtedly, much more reliable than previous versions - thanks to the efforts of both developers Microsoft, both hardware developers and application software developers . However emergency situations- all sorts of failures and collapses of the system are inevitable, and depending on whether theknowledge and skills in eliminating them, it depends whether he will have to spend a few minutes troubleshooting (for example, updating/debugging or reinstalling application program causing a crash) – or several hours to reinstall/configure operating system and application software (which does not guarantee the absence of failures and crashes in the future!).

Many administrators neglect to analyze crash dumps Windows , believing that working with them is too difficult. It’s difficult, but it’s possible: even if, for example, the analysis of one out of ten will be successful - the efforts spent on mastering the simplest techniques for analyzing emergency situations , will not be in vain!..

All Windows systems when detected fatal error make a crash dump (snapshot) of the contents of RAM and save it to the hard drive. There are three types of memory dump:

Full memory dump – saves the entire contents of RAM. The image size is equal to the size of RAM + 1 MB (header). Very rarely used, as on systems with large amounts of memory the dump size will be too large.

Kernel memory dump – saves RAM information related to kernel mode only. User mode information is not saved because it does not contain information about the cause of the system crash. The size of the dump file depends on the size of the RAM and varies from 50 MB (for systems with 128 MB of RAM) to 800 MB (for systems with 8 GB of RAM).

Small memory dump (mini dump) - contains a fairly small amount of information: an error code with parameters, a list of drivers loaded into RAM at the time of the system crash, etc., but this information is enough to identify the faulty driver. Another advantage of this type of dump is the small file size.

System Setup

To identify the driver that caused it, it will be enough for us to use a small memory dump. In order for the system to save a mini dump during a crash, you must perform the following steps:

For Windows Xp For Windows 7
  1. My computer Properties
  2. Go to the tab Additionally;
  3. Options;
  4. In field Writing Debug Information choose Small memory dump (64 KB).
  1. Right-click on the icon Computer from context menu select Properties(or the Win+Pause key combination);
  2. In the left menu, click on the item Advanced System Settings;
  3. Go to the tab Additionally;
  4. In the Download and recovery field, you must click the button Options;
  5. In field Writing Debug Information choose Small memory dump (128 KB).

Having completed all the manipulations, after each BSoD a file with the extension .dmp will be saved in the C:\WINDOWS\Minidump folder. I advise you to read the material "". You can also check the box “ Replace existing dump file" In this case, each new crash dump will be written over the old one. I do not recommend enabling this option.

Analyzing a crash dump using BlueScreenView

So, after the appearance blue screen death, the system saved a new crash dump. To analyze the dump, I recommend using BlueScreenView program. It can be downloaded for free. The program is quite convenient and has an intuitive interface. After installing it, the first thing you need to do is specify the location for storing memory dumps on the system. To do this, go to the menu item “ Options” and select “ AdvancedOptions" Select the radio button “ LoadfromthefollowingMini Dumpfolder” and specify the folder in which the dumps are stored. If the files are stored in the C:\WINDOWS\Minidump folder, you can click the “ Default" Click OK and get to the program interface.

The program consists of three main blocks:

  1. Main menu block and control panel;
  2. Crash dump list block;
  3. Depending on the selected parameters, it may contain:
  • a list of all drivers in RAM before the blue screen appears (by default);
  • a list of drivers located in the RAM stack;
  • BSoD screenshot;
  • and other values ​​that we will not use.

In the memory dump list block (marked with number 2 in the figure), select the dump we are interested in and look at the list of drivers that were loaded into RAM (marked with number 3 in the figure). The drivers that were on the memory stack are colored pink. They are the cause of BSoD. Next, go to the Main Menu of the driver, determine which device or program they belong to. First of all, pay attention to system files, because system files are loaded in RAM in any case. It's easy to see that the faulty driver in the image is myfault.sys. I will say that this program was specifically launched to cause a Stop error. After identifying the faulty driver, you need to either update it or remove it from the system.

In order for the program to show a list of drivers located on the memory stack when a BSoD occurs, you need to go to the menu item “ Options“click on menu” LowerPaneMode” and select “ OnlyDriversFoundInStack” (or press the F7 key), and to show a screenshot of the error, select “ BlueScreeninXPStyle” (F8). To return to the list of all drivers, you must select “ AllDrivers” (F6).

All Windows systems, when a fatal error is detected, make a crash dump (snapshot) of the contents of RAM and save it to the hard drive. There are three types of memory dump:

Full memory dump – saves the entire contents of RAM. The image size is equal to the size of RAM + 1 MB (header). Very rarely used, as on systems with large amounts of memory the dump size will be too large.

Kernel memory dump – saves RAM information related to kernel mode only. User mode information is not saved because it does not contain information about the cause of the system crash. The size of the dump file depends on the size of the RAM and varies from 50 MB (for systems with 128 MB of RAM) to 800 MB (for systems with 8 GB of RAM).

Small memory dump (mini dump) - contains a fairly small amount of information: an error code with parameters, a list of drivers loaded into RAM at the time of the system crash, etc., but this information is enough to identify the faulty driver. Another advantage of this type of dump is the small file size.

SYSTEM SETUP

To identify the driver that caused the blue screen, we will only need to use a small memory dump. In order for the system to save a mini dump during a crash, you must perform the following steps:

For Windows Xp For Windows 7
  1. My computer Properties
  2. Go to the tab Additionally;
  3. Options;
  4. In field Writing Debug Information choose Small memory dump (64 KB).
  1. Right-click on the icon Computer from the context menu select Properties(or the Win+Pause key combination);
  2. In the left menu, click on the item Advanced System Settings;
  3. Go to the tab Additionally;
  4. In the Download and recovery field, you must click the button Options;
  5. In field Writing Debug Information choose Small memory dump (128 KB).

Having completed all the manipulations, after each BSoD a file with the extension .dmp will be saved in the C:\WINDOWS\Minidump folder. I advise you to read the material “How to create a folder.” You can also check the box “ Replace existing dump file" In this case, each new crash dump will be written over the old one. I do not recommend enabling this option.

ANALYZING A CRASH DUMP USING THE BLUESCREENVIEW PROGRAM

So, after the Blue Screen of Death appeared, the system saved a new crash memory dump. To analyze the dump, I recommend using the BlueScreenView program. It can be downloaded for free here. The program is quite convenient and has an intuitive interface. After installing it, the first thing you need to do is specify the location for storing memory dumps on the system. To do this, go to the menu item “ Options” and select “ AdvancedOptions" Select the radio button “ LoadfromthefollowingMini Dumpfolder” and specify the folder in which the dumps are stored. If the files are stored in the C:\WINDOWS\Minidump folder, you can click the “ Default" Click OK and get to the program interface.

The program consists of three main blocks:

  1. Main menu block and control panel;
  2. Crash dump list block;
  3. Depending on the selected parameters, it may contain:
  • a list of all drivers in RAM before the blue screen appears (by default);
  • a list of drivers located in the RAM stack;
  • BSoD screenshot;
  • and other values ​​that we will not use.

In the memory dump list block (marked with number 2 in the figure), select the dump we are interested in and look at the list of drivers that were loaded into RAM (marked with number 3 in the figure). The drivers that were on the memory stack are colored pink. They are the cause of BSoD. Next, go to the Main Menu of the driver, determine which device or program they belong to. First of all, pay attention to non-system files, because system files are loaded in RAM in any case. It's easy to see that the faulty driver in the image is myfault.sys. I will say that this program was specifically launched to cause a Stop error. After identifying the faulty driver, you need to either update it or remove it from the system.

In order for the program to show a list of drivers located on the memory stack when a BSoD occurs, you need to go to the menu item “ Options“click on menu” LowerPaneMode” and select “ OnlyDriversFoundInStack” (or press the F7 key), and to show a screenshot of the error, select “ BlueScreeninXPStyle” (F8). To return to the list of all drivers, you must select “ AllDrivers” (F6).

When a critical failure occurs, the Windows operating system crashes and displays a Blue Screen of Death (BSOD). The contents of RAM and all information about the error that occurs is written to the paging file. Next time booting Windows a crash dump is created with debugging information based on the saved data. A critical error entry is created in the system event log.

Attention! A crash dump is not created if the disk subsystem or a critical error occurred during the initial stage of Windows boot.

Types of Windows Crash Dumps

Using the example of a current operating room Windows systems 10 (Windows Server 2016) consider the main types of memory dumps that the system can create:

  • Mini memory dump(256 KB). This file type contains a minimal amount of information. It only contains the BSOD error message, information about the drivers, the processes that were active at the time of the crash, and which process or kernel thread caused the crash.
  • Kernel memory dump. Typically small in size—one third of the physical memory size. A kernel memory dump is more detailed than a mini dump. It contains information about drivers and kernel-mode programs, includes memory allocated to the Windows kernel and the hardware abstraction layer (HAL), and memory allocated to drivers and other kernel-mode programs.
  • Complete memory dump. Largest in size and requires memory equal to your system's RAM plus 1MB, required Windows to create this file.
  • Automatic memory dump. Corresponds to a kernel memory dump in terms of information. The only difference is how much space it uses to create the dump file. This file type did not exist in Windows 7. It was added in Windows 8.
  • Active memory dump. This type eliminates elements that cannot determine the cause of a system failure. This was added to Windows 10 and is especially useful if you use virtual machine, or if your system is a Hyper-V host.

How to enable memory dumping in Windows?

Using Win+Pause, open the system settings window, select " Advanced System Settings"(Advanced system settings). In the " Additionally" (Advanced), section "" (Startup and Recovery) click the button " Options"(Settings). In the window that opens, configure actions to take when the system fails. Check the " Log events to system log" (Write an event to the system log), select the type of dump that should be created when the system crashes. If in the checkbox " Replace existing dump file"(Overwrite any existing file) check the box, the file will be overwritten every time there is a failure. It’s better to uncheck this box, then you will have more information for analysis. Also disable Automatically restart.

In most cases, a small memory dump will be enough to analyze the cause of the BSOD.

Now, when a BSOD occurs, you can analyze the dump file and find the cause of the failure. The mini dump is saved in the %systemroot%\minidump folder by default. To analyze the dump file, I recommend using the program WinDBG(Microsoft Kernel Debugger).

Installing WinDBG on Windows

Utility WinDBG included in " Windows 10 SDK"(Windows 10 SDK). .

The file is called winsdksetup.exe, size 1.3 MB.

Run the installation and choose what exactly you want to do - install the package on this computer or download it for installation on other computers. Let's install the package on the local computer.

You can install the entire package, but to install only the debugging tool, select Debugging Tools for Windows.

After installation, WinDBG shortcuts can be found in the start menu.

Setting up association of .dmp files with WinDBG

To open dump files with a simple click, map the .dmp extension to the WinDBG utility.

  1. Open command line as administrator and run the commands for a 64-bit system: cd C:\Program Files (x86)\Windows Kits\10\Debuggers\x64
    windbg.exe –IA
    for 32-bit system:
    C:\Program Files (x86)\Windows Kits\10\Debuggers\x86
    windbg.exe –IA
  2. As a result, the file types: .DMP, .HDMP, .MDMP, .KDMP, .WEW will be mapped to WinDBG.

Setting up a debugging symbol server in WinDBG

Debugging symbols (debug symbols or symbol files) are blocks of data generated during the compilation of a program together with the executable file. Such data blocks contain information about variable names, called functions, libraries, etc. This data is not needed when executing the program, but is useful when debugging it. Microsoft components are compiled with symbols distributed through the Microsoft Symbol Server.

Configure WinDBG to Microsoft use Symbol Server:

  • Open WinDBG;
  • Go to menu File –> Symbol File Path;
  • Write a line containing the URL for downloading debugging symbols from the Microsoft website and the folder for saving the cache: SRV*E:\Sym_WinDBG*http://msdl.microsoft.com/download/symbols In the example, the cache is downloaded to the E:\Sym_WinDBG folder, you can indicate any.
  • Don't forget to save changes to the menu File–>Save WorkSpace;

WinDBG will search for symbols in the local folder and, if it does not find the necessary symbols in it, it will automatically download the symbols from the specified site. If you want to add your own symbols folder, you can do it like this:

SRV*E:\Sym_WinDBG*http://msdl.microsoft.com/download/symbols;c:\Symbols

If you do not have an Internet connection, first download the symbol package from the Windows Symbol Packages resource.

Analysis of a crash dump in WinDBG

The WinDBG debugger opens the dump file and downloads the necessary symbols for debugging from a local folder or from the Internet. You cannot use WinDBG during this process. At the bottom of the window (in the debugger command line) the message appears Debugee not connected.

Commands are entered into the command line located at the bottom of the window.

The most important thing you need to pay attention to is the error code, which is always indicated in hexadecimal value and looks like 0xXXXXXXXX(indicated in one of the options - STOP: , 07/02/2019 0008F, 0x8F). In our example, the error code is 0x139.

The debugger offers to run the command!analyze -v, just hover your mouse over the link and click. What is this command for?

  • It performs preliminary memory dump analysis and provides detailed information to start analysis.
  • This command will display the STOP code and symbolic name of the error.
  • It shows the stack of command calls that led to the crash.
  • In addition, IP address, process and register faults are displayed here.
  • The team can provide ready-made recommendations to solve the problem.

The main points that you should pay attention to when analyzing after executing the command!analyze –v (listing incomplete).

1: kd> !analyze -v


* *
* Bugcheck Analysis *
* *
*****************************************************************************
Symbolic name of STOP error (BugCheck)
KERNEL_SECURITY_CHECK_FAILURE (139)
Description of the error (A kernel component has corrupted a critical data structure. This corruption could potentially allow an attacker to gain control of this machine):

A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine.
Error arguments:

Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd0003a20d5d0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd0003a20d528, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------

The counter shows how many times the system crashed with a similar error:

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: FAIL_FAST_CORRUPT_LIST_ENTRY

STOP error code in shortened format:

BUGCHECK_STR: 0x139

The process during which the failure occurred (not necessarily the cause of the error, just at the time of the failure this process was running in memory):

PROCESS_NAME: sqlservr.exe

Error Code Description: The system has detected a stack buffer overflow in this application, which could allow an attacker to gain control of this application.

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

Last call on the stack:

LAST_CONTROL_TRANSFER: from fffff8040117d6a9 to fffff8040116b0a0

Call stack at the time of failure:

STACK_TEXT:
ffffd000`3a20d2a8 fffff804`0117d6a9: 00000000`00000139 00000000`00000003 ffffd000`3a20d5d0 ffffd000`3a20d528: nt!KeBugCheckEx
ffffd000`3a20d2b0 fffff804`0117da50: ffffe000`f3ab9080 ffffe000`fc37e001 ffffd000`3a20d5d0 fffff804`0116e2a2: nt!KiBugCheckDispatch+0x69
ffffd000`3a20d3f0 fffff804`0117c150: 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000: nt!KiFastFailDispatch+0xd0
ffffd000`3a20d5d0 fffff804`01199482: ffffc000`701ba270 ffffc000`00000001 000000ea`73f68040 fffff804`000006f9: nt!KiRaiseSecurityCheckFailure+0x3d0
ffffd000`3a20d760 fffff804`014a455d: 00000000`00000001 ffffd000`3a20d941 ffffe000`fcacb000 ffffd000`3a20d951: nt! ?? ::FNODOBFM::`string"+0x17252
ffffd000`3a20d8c0 fffff804`013a34ac: 00000000`00000004 00000000`00000000 ffffd000`3a20d9d8 ffffe001`0a34c600: nt!IopSynchronousServiceTail+0x379
ffffd000`3a20d990 fffff804`0117d313: ffffffff`fffffffe 00000000`00000000 00000000`00000000 000000eb`a0cf1380: nt!NtWriteFile+0x694
ffffd000`3a20da90 00007ffb`475307da: 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000: nt!KiSystemServiceCopyEnd+0x1 3
000000ee`f25ed2b8 00000000`00000000: 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000: 0x00007ffb`47530 7da

The code section where the error occurred:

FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff804`0117da50 c644242000 mov byte ptr ,0
FAULT_INSTR_CODE: 202444c6
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiFastFailDispatch+d0
FOLLOWUP_NAME: MachineOwner

The name of the module in the kernel object table. If the analyzer was able to detect a problematic driver, the name is displayed in the MODULE_NAME and IMAGE_NAME fields:

MODULE_NAME:nt
IMAGE_NAME: ntkrnlmp.exe

1: kd> lmvm nt
Browse full module list
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: C:\ProgramData\dbg\sym\ntoskrnl.exe\5A9A2147787000\ntoskrnl.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.3.9600.18946
FileVersion: 6.3.9600.18946 (winblue_ltsb_escrow.180302-1800)

In the example given, the analysis pointed to the kernel file ntkrnlmp.exe. When memory dump analysis indicates system driver(for example, win32k.sys) or a kernel file (as in our example ntkrnlmp.exe), most likely this file is not the cause of the problem. Very often it turns out that the problem lies in the device driver, BIOS settings or equipment malfunction.

If you see that the BSOD was caused by a third-party driver, its name will be indicated in the MODULE_NAME and IMAGE_NAME values.

For example:

Image path: \SystemRoot\system32\drivers\cmudaxp.sys
Image name: cmudaxp.sys

Open the properties of the driver file and check its version. In most cases, the problem with drivers is solved by updating them.

Errors very often occur in Windows OS, even in the case of a “clean” system. If ordinary program errors can be solved (a message about a missing component appears), then critical errors will be much more difficult to fix.

What is a memory dump in Windows

To solve problems with the system, a crash memory dump is usually used - this is a photo part or all of the RAM and placing it on a non-volatile medium ( HDD). In other words, the contents of RAM are fully or partially copied to the media, and the user can analyze the memory dump.

There are several types of memory dumps:

Small dump(Small Memory Dump) – saves a minimum amount of RAM, which contains information on critical errors (BSoD) and components that were loaded during system operation, for example, drivers, programs. MiniDump is stored in the path C:\Windows\Minidump.

Full dump(Complete Memory Dump) – the full amount of RAM is saved. This means that the file size will be equal to the amount of RAM. If there is little disk space, it will be problematic to save, for example, 32 GB. There are also problems with creating a memory dump file larger than 4 GB. This type used very rarely. Stored at C:\Windows\MEMORY.DMP.

Dump kernel memory– only information related to the system core is saved.

When the user gets to analyzing the error, he only needs to use minidamp (small dump). But before this, it must be turned on, otherwise the problem will not be recognized. Also, to more effectively identify a crash, using a full memory snapshot is preferable.

Information in the registry

If you look into Windows registry, then you can find some useful image parameters. Click the Win+R key combination and enter the command regedit and open the following branches:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

In this branch the user will find the following parameters:

  • AutoReboot– enable or disable reboot after creating a Blue Screen of Death (BSoD).
  • DumpFile– name of dump types and location.
  • CrashDumpEnabled- number created file, for example, the number 0 – no dump is created; 1 – creating a full dump; 2 – creating a core dump; 3 – creating a small dump.
  • DumpFilters– the option allows you to add new functions before creating a snapshot. For example, file encryption.
  • MinidumpDir– the name of the small dump and its location.
  • LogEvent– activation of recording information in the system log.
  • MinidumpsCount– set the number of small dumps to be created. (Exceeding this number will destroy old files and replace them).
  • Overwrite– function for a full or system dump. When creating a new photo, the previous one will always be replaced with a new one.
  • DedicatedDumpFile- Creation alternative file image and an indication of its path.
  • IgnorePagefileSize– used for temporary snapshot location, without using a swap file.

How it works

If a failure occurs, the system completely stops its operation and, if dumping is active, it will be written to a file placed on disk. information about the problem that has arisen. If something happened to the physical components, then an emergency code will work, and the hardware that failed will make some changes, which will certainly be reflected in the snapshot.

Typically the file is stored in a block allocated for the swap file hard drive, after the BSoD appears, the file is overwritten in the type that the user himself configured (Small, full or core dump). Although, in modern operating systems, the participation of the paging file is not necessary.

How to enable dumps

IN Windows 7:

IN Windows 8 and 10:

Here the process is a little similar, you can get into the system information in the same way as in Windows 7. In “Ten”, be sure to open “ This computer", click on free space right mouse button and select “ Properties" Another way to get there is through the Control Panel.

Second option for Windows 10:


It should be noted that in the new Windows versions 10 new points appeared that were not in the “seven”:

  • Small dump memory 256 KB - minimum failure data.
  • Active dump- appeared in the tenth version of the system and saves only the active memory of the computer, the system kernel and the user. Recommended for use on servers.

How to delete a dump

Just go to the directory where the memory snapshots are stored and simply delete them. But there is another way to remove it - using the Disk Cleanup utility:

If no items were found, the dumps may not have been enabled.

Even if you once enabled them, some system optimization utilities you use can easily disable some functionality. Often a lot of things turn off during use SSD drives, since repeated reading and writing procedures greatly harm the health of this disk.

Memory dump analysis using WinDbg

Download from the official Microsoft website this program in step 2, where it is described “ InstallationWDK" - https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk.

To work with the program you will also need a special package of debugging symbols. It is called Debugging Symbols, previously it could be downloaded from the Microsoft website, but now they have abandoned this idea and will have to use the function File programs — « Symbol File Path", where you should enter the following line and click OK:

set _NT_SYMBOL_PATH=srv*DownstreamStore*https://msdl.microsoft.com/download/symbols

If it doesn't work, try this command:

SRV*%systemroot%\symbols*http://msdl.microsoft.com/download/symbols

Click “File” again and select the “Save Workspace” option.

The utility is configured. All that remains is to specify the path to the memory dump files. To do this, click File and click the option “ OpenCrashDump" The location of all dumps is indicated at the beginning of the article.

After selection, the analysis will end and the problematic component will be automatically highlighted. To obtain more information in the same window, you can enter the following command: !analyze –v

Analysis with BlueScreenView

You can download the tool for free from this site - http://www.nirsoft.net/utils/blue_screen_view.html. Installation does not require any skills. Only used on Windows 7 and higher.

We launch and configure. Click “Options” – “ Extra options"(Advanced Options). Select the first item " Load MiniDumps from this folder"and indicate the directory - C:\WINDOWS\Minidump. Although you can simply click the “Default” button. Click OK.

The dump files should appear in the main window. It can be either one or several. To open it, just click on it with the mouse.

The bottom of the window will display the components that were running at the time of the failure. The person responsible for the accident will be highlighted in red.

Now click “File” and select, for example, the item “ Find in Google error code + driver" If found required driver, install and restart your computer. Perhaps the error will disappear.