Monday, December 24, 2012

Capture a complete Windows Memory Dump


The following steps configure the machine to write a complete memory dump that is triggered from the keyboard.

1)    Right-click Computer and select Properties.
2)    Select Advanced system settings.
3)    Under "Startup and Recovery", click the Settings button.
4)    Under the "Write debugging information" section, select "Complete memory dump" from the pull-down menu.
5)    If the Complete memory dump option is not available, then we need to change a registry setting.
6)    Open regedit and navigate to:

        HKLM\SYSTEM\CurrentControlSet\Control\CrashControl

        Change the value CrashDumpEnabled to 1.

7)    Open the Startup and Recovery settings again and you will get the Complete memory dump option.
8)    Uncheck the Automatically restart option.
9)    Make sure a check mark is placed on "Overwrite any existing file".
10)  Make sure that there is a paging file (pagefile.sys) on the system drive and that it is at least 1 GB larger than the RAM.
         Right-click Computer -> Properties, then select Advanced system settings.
         In the Advanced tab, select Performance and then Settings.
         Select Advanced, then click Change under Virtual memory.
         Select Custom size and set both the initial and final size to the same value.
11)  Also make sure there is more free space on the hard drive than the physical RAM, so that the memory dump can be collected.
12)  By default the memory dump is saved in the system root. If we do not have space there, we can change the location to another drive.

After these settings are checked, we need to configure the machine for a keyboard-initiated memory dump. The registry change depends on the type of keyboard used.

For a USB keyboard, the settings are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1
Quit Registry Editor.

For a PS/2 keyboard:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1
Quit Registry Editor.


After applying these settings, reboot the server; it is then configured for a complete memory dump. The keyboard should be directly attached to the server. When the server is in a hung state, hold the right Ctrl key and press the Scroll Lock key twice. This will bugcheck the machine with the error code Stop E2, and the dump file will be generated.
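The PowerShell script below is an added example, not part of the original post: a read-only check of every setting from the steps above, meant to be run before the reboot so that a missed step is caught before the server hangs. The value names AutoReboot, Overwrite and DumpFile and the WMI classes do not appear in the post; they are the standard CrashControl values behind the Startup and Recovery check boxes and the standard classes for memory, page file and disk information.

```powershell
# Added example: read-only audit of the crash-dump settings described above.
# Nothing is modified. Only the keyboard trigger that matches the attached
# keyboard (USB or PS/2) needs to pass.
$cc  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Check($Name, $Actual, $Wanted, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Actual = $Actual; Wanted = $Wanted; Pass = $Pass }
}

# Registry values from the steps: label, key, value name, expected data
$expected = @(
    @('Complete memory dump',      $cc, 'CrashDumpEnabled', 1),
    @('Automatically restart off', $cc, 'AutoReboot',       0),
    @('Overwrite existing file',   $cc, 'Overwrite',        1),
    @('USB keyboard trigger',  "$svc\kbdhid\Parameters",   'CrashOnCtrlScroll', 1),
    @('PS/2 keyboard trigger', "$svc\i8042prt\Parameters", 'CrashOnCtrlScroll', 1)
)
$report = foreach ($e in $expected) {
    $v = Get-RegValue $e[1] $e[2]
    New-Check $e[0] $v $e[3] ($v -eq $e[3])   # a missing value fails the check
}

$ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

# Step 10: page file on the system drive, at least RAM + 1 GB
$pf   = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "${env:SystemDrive}*" }
$pfMB = if ($pf) { ($pf | Measure-Object -Property AllocatedBaseSize -Sum).Sum } else { 0 }
$report += New-Check 'Page file size (MB)' $pfMB ">= $($ramMB + 1024)" ($pfMB -ge $ramMB + 1024)

# Steps 11-12: the drive that receives the dump needs more free space than RAM
$dump = Get-RegValue $cc 'DumpFile'
if (-not $dump) { $dump = Join-Path $env:SystemRoot 'MEMORY.DMP' }
$drive  = Split-Path -Path $dump -Qualifier
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
$freeMB = [math]::Round($disk.FreeSpace / 1MB)
$report += New-Check "Free space on $drive (MB)" $freeMB "> $ramMB" ($freeMB -gt $ramMB)

$report | Format-Table -AutoSize
```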

Refer to the following article:

