Coming soon: How to generate a kernel or a complete memory dump file in Windows Server 2012 and Windows Server 2012 R2

Applies to:

Windows Server 2012 R2 Update 1

Windows 8.1 Update 1

Windows Server 2012 R2

Windows 8.1

Windows Server 2012

Windows 8.0

Originally published Apr. 2015, updated Jun. 2015, and Jan 2016.

 

It's been years since I wrote the following two articles to force a blue screen (for you *nix admins, a “Kernel Panic”):

969028 How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
and

972110 How to generate a kernel dump file or a complete memory dump file in Windows Server 2003

Since then KB 969028 should have been updated with the hotfixes here:
List of kernel memory dump hotfixes for Windows Vista/Server2008 and Windows 7/Server2008R2

And Clint Huffman and I wrote the following article:
2860880 How to determine the appropriate page file size for 64-bit versions of Windows
https://support.microsoft.com/kb/2860880

Once I have some bandwidth, I'll be working on a new
“How to generate a kernel or a complete memory dump file in Windows Server 2012 and Windows Server 2012 R2”.

I’m planning to have two sections:

  • Short (to the point or concise) version
  • Long (detailed) version

 

Concise version:

They will be including Steve Parr's Dump Configurator as the concise version:
Debug Nugget: DumpConfigurator Utility

Detailed version:

They will be including Steve Parr's Dump Configurator as the concise version:
Debug Nugget: DumpConfigurator Utility

And all the caveats…

A. It does set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

AutoReboot (DWORD) 1 (Hex)

DedicatedDumpFile (REG_SZ) E:\dedicateddumpfile.sys

Note: Where E: is the drive with enough disk space.

NMICrashDump (DWORD) 1 (Hex)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

CrashOnCtrlScroll (DWORD) 1 (Hex)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters

CrashOnCtrlScroll (DWORD) 1 (Hex)

 

B. It does not set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

IgnorePagefileSize (DWORD) 1 (Hex)

DumpFile (REG_EXPAND_SZ) E:\memory.dmp

DumpFileSize (DWORD) 131328 (Dec)

// So you will need to set these yourself.

Note: For DumpFile (E:\memory.dmp), change the E: drive to a location where there is enough free disk space (at least 128 GB + 256 MB in this example).

Note: For DumpFileSize, 131328 MB = 128 GB + 256 MB, where 128 GB is the amount of RAM.

Reference:

949052 Kernel memory dump files may not be generated on Windows Server 2008-based and Windows Vista SP1 or later based computers when physical memory is larger than the size of the page file
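
As an added example (not from the original post or from the Dump Configurator tool), the PowerShell below derives DumpFileSize from installed RAM using the RAM + 256 MB formula above, checks free space on the target drive, and reports or sets the three values from section B. The `-Apply` switch and the `E:` default are assumptions of this example.

```powershell
# Added example, not from the original post. Run elevated; reports only unless -Apply is given.
param(
    [string]$DumpDrive = 'E:',   # assumption: the article's example drive
    [switch]$Apply               # hypothetical switch: write the values instead of reporting
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Installed RAM in MB, summed over all memory modules.
$ramBytes = (Get-CimInstance Win32_PhysicalMemory |
    Measure-Object -Property Capacity -Sum).Sum
$ramMB = [int][math]::Ceiling($ramBytes / 1MB)

# DumpFileSize = RAM + 256 MB (128 GB of RAM: 131072 + 256 = 131328).
$dumpFileSizeMB = $ramMB + 256

# The target volume needs room for the whole dump file.
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$DumpDrive'"
if (-not $disk) { throw "Drive $DumpDrive not found." }
$freeMB = [math]::Floor($disk.FreeSpace / 1MB)
$enoughSpace = $freeMB -ge $dumpFileSizeMB
if (-not $enoughSpace) {
    Write-Warning "$DumpDrive has $freeMB MB free; $dumpFileSizeMB MB is needed. Nothing will be written."
}

$wanted = @(
    @{ Name = 'IgnorePagefileSize'; Type = 'DWord';        Value = 1 }
    @{ Name = 'DumpFile';           Type = 'ExpandString'; Value = "$DumpDrive\memory.dmp" }
    @{ Name = 'DumpFileSize';       Type = 'DWord';        Value = $dumpFileSizeMB }
)

foreach ($w in $wanted) {
    $current = (Get-ItemProperty -Path $key -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    if ($current -eq $w.Value) {
        Write-Output ("{0,-20} OK       {1}" -f $w.Name, $current)
    } elseif ($Apply -and $enoughSpace) {
        New-ItemProperty -Path $key -Name $w.Name -PropertyType $w.Type -Value $w.Value -Force | Out-Null
        Write-Output ("{0,-20} SET      {1}" -f $w.Name, $w.Value)
    } else {
        Write-Output ("{0,-20} DIFFERS  current='{1}' wanted='{2}'" -f $w.Name, $current, $w.Value)
    }
}
```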

C. If your Windows machine is a client machine:

AlwaysKeepMemoryDump (dword) 1 (hex)

// If you are getting an “Event ID 1018” Source: bugcheck

Description:

"The dump file at location c:\windows\memory.dmp was deleted because the disk volume had less than 25 GB free space"

Reference:

Kernel dump storage and clean up behavior in Windows 7

 

D. If you have BitLocker enabled, then you will need to set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles

PagefileOnOSVolume (dword) 0 (hex)

Note: When BitLocker is enabled, it's set to 1 (hex), which doesn’t let you move the Pagefile out of C: (system drive).

Reference:

929820 BitLocker Drive Encryption (BDE) enables the PagefileOnOSVolume registry setting on Windows

E.  If you have Win8/2012/Win8.1/2012R2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl
DisplayParameters ( DWORD ) 1 (hex)

2929742 Stop error information isn't displayed on the blue screen in Windows
https://support.microsoft.com/kb/2929742

 

You will need these hotfix(es) for Windows 8.1 and Windows Server 2012 R2:

2929742 Stop error information isn't displayed on the blue screen in Windows

You will need these hotfix(es) for Windows 8 and Windows Server 2012:

2929742 Stop error information isn't displayed on the blue screen in Windows

2853466 Windows does not create a memory dump file when a Stop error occurs in Windows 8 or Windows Server 2012    

2851299 Existing memory dump file is removed if you turn off the 'Overwrite any existing file' option in Windows 8 and Windows Server 2012     
  

In Windows 8, Windows Server 2012, and newer operating systems, you don’t have to set the NMI registry setting per 927069 How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system, since it’s on by default per 2750146 NMI_HARDWARE_FAILURE error when an NMI is triggered on Windows 8 and Windows Server 2012.

And there are tons of virtualization items:

In baremetal systems, we have:
Forcing a System Crash from the Keyboard
https://msdn.microsoft.com/en-us/library/ff545499.aspx

In Generation 1 Hyper-V based VM's, we have:
Some exceptional work by Andrew Richards and Mark Russinovich:
LiveKd v5.4   

which led to "Taking a dump of a VM running on Hyper-V"

In Generation 2 Hyper-V based VM's, we have:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hyperkbd\Parameters
CrashOnCtrlScroll (dword)

Debug-VM    

Reference:  Get a kernel dump of a 2012 R2 Hyper-V server with Powershell

In the Hyper-V VMs, if you experience problems with generating a memory dump, you might want to uncheck the “Heartbeat” feature from the guest services of the VM.

And in VMWare based Windows Server VM's:
Converting a snapshot file to memory dump using the vmss2core tool (2003941)

What’s better to get a good data set?  Is it NotMyfault, or the right CTRL-Scroll-Lock-Scroll-Lock, or Crash.exe or an NMI?  We will discuss that.

 

How about if the Scroll-Lock key is missing in my system? 

SCROLL-LOCK key = Fn+K

Hold down the “right CTRL key” and press “Fn+K” twice.

 

And when you are debugging a “Complete” (kernel+memory) dump, how could you grab the memory that was paged out to the Pagefile, to see ‘everything’?

CAB Files that Contain Paging Files Along with a Memory Dump

 

Stay tuned, about 1 month of work to get a comprehensive list of items to check and watch out for is coming soon… 

Yong

 

 

P.S.  Meanwhile, here are some great books for you to ramp-up:

Mark Russinovich’s

Windows Internals Book

If you are a Microsoft Premier customer and want to learn more about “Windows Internals”, we have a workshop for you:

Windows Server: Performance Monitoring and Troubleshooting

Note:  The link is in Dutch (Netherlands) but it’s taught across the globe.
Note 2:  In the Windows Server 2003 days, it used to be known as Windows Critical Problem Management workshop.

Daniel Pravat and Mario Hewardt’s:

Advanced Windows Debugging

 

Mario Hewardt’s:

Advanced .Net Debugging

If you are a Microsoft customer and want to learn more about “Advanced .Net Debugging”, we have a workshop too:

Advanced Win32 User Mode Debugging