Online Kernel Memory Dump using LiveKd.exe

How many times have you had to acquire a kernel memory dump, but you or your customer (quite rightly) refused to have the target system attached to the internet (which is usually needed to download the symbol files)? Well, I have had the dubious pleasure 3 times in the past 3 months. So, to remind myself of the process, I decided to write it down for future reference. If you know this already, sorry to waste your time, but for everyone else it’s one for your cerebral index.

Firstly, you need to get the correct symbol files for the kernel memory dump. Just downloading the ones from WHDC or MSDN for the OS version and Service Pack is not quite good enough, because the symbols change with each version of the kernel files that is released, and kernel files may have changed with updates since the Service Pack was released.

1. Install the Windows Debugging Tools https://www.microsoft.com/whdc/DevTools/Debugging/default.mspx on the computer from which you require a kernel memory dump.

2. Download LiveKd from https://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx and on the computer that you require a Kernel Memory Dump from, uncompress it to the location that the Windows Debug Tools have been installed to (the default is "C:\Program Files\Debugging Tools for Windows (X86)\").

3. Copy the ntoskrnl.exe, ntkrnlpa.exe, kernel32.dll and ntdll.dll files (I am not sure all of these are required every time, but I copy them just in case) from the System32 folder of the computer to be debugged (the one without internet access) to a folder (e.g. c:\debugsymbols\system32) on a computer with internet access. (If the internet-facing computer has the same versions of these files as the non-internet-facing one, there is no need for this part, but then the symbol cache will be enormous, and all we want is the symbol files for the kernel.)

4. Install the Debugging tools on the internet facing system (or copy the installed folder from the server you installed them on previously; the default is “C:\Program Files\Debugging Tools for Windows”).

5. From a command prompt on the Internet facing server, run this command:

C:\<path to debugging tools>\Symchk.exe /if <path to copied file>\*.* /s srv*<path to folder to store symbols locally>*https://msdl.microsoft.com/download/symbols

e.g. C:\Program Files\Debugging Tools for Windows (x86)>Symchk.exe /if c:\debugsymbols\system32\*.* /s srv*c:\debugsymbols*https://msdl.microsoft.com/download/symbols


6. Copy the cached symbols (i.e. the c:\debugsymbols folder and its new contents, minus the \system32 folder with the four exe/dll files in it) from the internet-facing server to the original server.

7. On the computer that you require a Kernel Memory Dump from, open WinDbg, click on the "File" menu, and choose "Symbol Search Path". Enter the path SRV*c:\debugsymbols* and click OK. Close WinDbg.

8. With Administrator privileges, open a Command Prompt, navigate to the WinDbg installation folder (e.g. C:\Program Files\Debugging Tools for Windows (X86)\, if this is where you expanded LiveKd to) and run livekd.exe.

9. Type ".dump -f c:\memory.dmp" (without the quotes) to generate the Complete Memory Dump on the C: drive (make sure there is enough free space on this drive first).

10. Type q to quit LiveKD.

11. You should find memory.dmp in the root of c:\.


Your work is now complete and you can compress and deliver the kernel dump for analysis.
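As an added example (not part of the original post), the following PowerShell script automates steps 3 to 6 on the internet-facing machine: it records the exact build of each staged kernel binary, fetches only the matching symbols with symchk, shows what landed in the cache, and removes the staged binaries so that only the symbol cache travels back to the offline server. The $DebugTools, $SymbolRoot and $StagingDir paths are assumptions and should be adjusted to match your installation.

```powershell
# Added example, not the original post's code. Assumes the four kernel
# binaries have already been copied from the offline system into $StagingDir
# and that the Debugging Tools are installed under $DebugTools.
param(
    [string]$DebugTools = 'C:\Program Files\Debugging Tools for Windows (x86)',
    [string]$SymbolRoot = 'C:\debugsymbols',
    [string]$StagingDir = 'C:\debugsymbols\system32'
)

$expected = 'ntoskrnl.exe', 'ntkrnlpa.exe', 'kernel32.dll', 'ntdll.dll'

# Record the exact build of each staged binary. The symbols fetched below are
# only valid for these versions, so keep this manifest next to the cache.
$manifest = foreach ($name in $expected) {
    $path = Join-Path $StagingDir $name
    if (-not (Test-Path $path)) { Write-Warning "missing $name in $StagingDir"; continue }
    $item = Get-Item $path
    [pscustomobject]@{
        File    = $name
        Version = $item.VersionInfo.FileVersion
        Size    = $item.Length
    }
}
if (-not $manifest) { throw "No staged kernel binaries found in $StagingDir" }
$manifest | Format-Table -AutoSize
$manifest | Export-Csv -NoTypeInformation -Path (Join-Path $SymbolRoot 'manifest.csv')

# Step 5: pull only the symbols that match the staged binaries into $SymbolRoot.
$symchk = Join-Path $DebugTools 'symchk.exe'
& $symchk /if "$StagingDir\*.*" /s "srv*$SymbolRoot*https://msdl.microsoft.com/download/symbols"
if ($LASTEXITCODE -ne 0) { Write-Warning "symchk exited with code $LASTEXITCODE; check its output" }

# Show what actually landed in the cache. PDB file names need not match the
# binary names, so list everything rather than looking for ntoskrnl.pdb.
Get-ChildItem -Path $SymbolRoot -Recurse -Filter *.pdb |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# Step 6: drop the staged binaries so only the symbol cache is copied back.
Remove-Item -Path $StagingDir -Recurse -Force
```

Copy the remaining contents of $SymbolRoot (including manifest.csv) to the offline server and continue with step 7.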