How to analyze a memory dump. Crash dump. Types of Windows Crash Dumps

In Windows 8, Microsoft introduced a new memory dump type, the automatic memory dump option, and it is now the default setting of the operating system. Windows 10 introduced a further dump type called the active memory dump. For those who don't know, Windows 7 offers a small memory dump, a kernel memory dump, and a full memory dump. You may be wondering why Microsoft decided to create this new memory dump option. According to Robert Simpkins, Senior Support Engineer, the automatic memory dump was introduced to support the "System managed" page file configuration.
With a system-managed page file, Windows controls the size of the page file itself, which avoids an oversized page file. This option was introduced mainly for PCs that run on SSD drives, which tend to be small but are paired with a large amount of RAM.

Memory dump options

The main advantage of "Automatic Memory Dump" is that it allows the Session Manager subsystem to automatically reduce the page file to a size smaller than the amount of RAM. For those who don't know, the Session Manager subsystem is responsible for system initialization: the startup environment for the services and processes that are required for a user to log in to the system. It basically sets up the page files in virtual memory and starts the winlogon.exe process.

If you want to change your automatic memory dump settings, here's how to do it. Press the Windows + X keys and select System. Then click the "Advanced system settings" link.

Click the Advanced system settings button.

Here you can see a tab labelled “Advanced”.

Here you can select the desired option. The available options are:

No memory dump.
Small memory dump.
Kernel memory dump.
Complete memory dump.
Automatic memory dump (added in Windows 8).
Active memory dump (added in Windows 10).
The memory dump file is written to %SystemRoot%\MEMORY.DMP.

If you're using an SSD drive, it's best to leave it on "Automatic memory dump"; but if you need a crash dump file, it's better to set it to "Small memory dump", so that you can, if you want, send it to someone to take a look at.

In some cases, you may need the page file to grow beyond the size of RAM so that a full memory dump fits. In such cases, you need to create a registry value under the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

The value is called "LastCrashTime".

This will automatically increase the page file size. To reduce it later, you can simply delete this value.

Windows 10 introduced a new dump file called Active Memory Dump. It contains only the essentials and is therefore smaller.

I haven't had a chance to test it, but I created this key and monitored the size of the swap file. I know that sooner or later I will get a critical error; then I'll check it out.

You can analyze Windows .dmp memory dump files using WhoCrashed. The WhoCrashed Home utility is free and lists the drivers that have crashed your computer with a single click. In most cases, it can identify the faulty driver that is causing the problems. It performs crash dump analysis on the system's memory dumps and presents all the collected information in an accessible form.

Normally, analyzing a crash dump means opening it in the debugging toolkit. With this utility, you don't need any debugging knowledge or skills to find out which drivers are causing problems on your computer.

WhoCrashed relies on the Debugging Tools for Windows package (the windbg program) from Microsoft. If this package is not installed, WhoCrashed will download and extract it for you automatically. Just run the program and click the Analyze button. When WhoCrashed is installed on your system and the system crashes or shuts down unexpectedly, the program will tell you whether crash dumps are enabled on your computer and offer suggestions on how to enable them.

Windows is a fragile creation: almost any wrong action on the part of the user can lead to critical errors, some more serious than others. To find out the cause of a blue screen of death, which is the most serious kind of critical problem, the information written on the screen itself helps, as do the special memory dump files that store data about the causes of the BSoD. I strongly recommend enabling this feature, as no one is immune to a blue screen, even an experienced user.

The memory dumps themselves are usually stored at C:\Windows\MEMORY.DMP, or in C:\Windows\Minidump, where the so-called small memory dumps are stored. By the way, a small memory dump is the file that will help you find out the cause of the BSoD.

Usually, the creation of memory dumps in Windows 10 is disabled by default, which means that using special utilities to check dump files will give no result. Let's get straight to the action.

How to enable the memory dump feature on Windows 10 and configure it

Usually, utilities like BlueScreenView are used to view dumps, but first you need to set up automatic memory dumping, otherwise this program and similar ones will be useless.

A window will open; on its left side, click the "Advanced system settings" option.

On the "Advanced" tab, click the "Settings" button in the "Startup and Recovery" section.

Finally, a window opens containing the main parameters for setting up dumps. Here you can see that automatic memory dump is activated in Windows and is stored at the path indicated just below. The checkboxes for writing to the event log are also enabled. In addition, small memory dump files are also created, which will be very useful to us when working with blue screens of death. Information about the system kernel and memory is also saved. If automatic mode is available, it will be enough.

About other memory dumps

If you open the drop-down menu for writing debug information, you will see several options, which I will describe below.

  • Small memory dump - a mini dump, which is saved to a special folder and weighs 256 kilobytes. This file stores basic information about blue screens of death and system processes. If you need to find out the cause of a BSOD, a small memory dump is enough. BlueScreenView or similar software is used to extract the information. Any beginner can use this method.
  • Kernel memory dump - the file will contain the same information as the automatic type. The only difference is in how the system manages the paging file. Which option to choose? I think the automatic type, straight away.
  • Full memory dump - the file contains complete data about the RAM, which means the file size will be equal to the size of the RAM. If your PC has 8 GB of RAM, that is how much the full memory dump file will occupy on the disk. For beginners, this option is not particularly suitable.
  • Active memory dump - first appeared in Windows 10. More suitable for servers; stores data about active memory and kernel mode, as well as the current user.

How to delete a memory dump file

It's very simple: go to the folder where these files are located and delete them manually. For example, the full memory dump file is called MEMORY.DMP; just delete it and that's it. The Disk Cleanup tool can also delete dump files.


Memory dumps may be disabled by system cleaning utilities. When using SSDs together with special utilities for these drives, such utilities can also disable some system functions so that the SSD is subjected to fewer read/write operations.

Any modern operating system is a very complex set of software modules that work together in different combinations. They may contain errors or may conflict with each other or with a running program. As a result, a failure occurs and Windows stops working, showing the well-known "blue screen of death". A Windows 10 memory dump will help you understand why this happened, and it works the same way in other versions. By default, dumps are usually not created, so they must be enabled, and to study them you use special programs that extract the useful information in an understandable form.

Setting up a memory dump

In fact, a dump is a "snapshot" of RAM: its contents at the moment the failure occurred. This content is written to a separate file, which is called a dump. By analyzing it, you can understand what went wrong and in which part of which program the problem occurred. When everything is normal and no crashes occur, the system does not create any files with the contents of memory, so this function does not affect performance in any way. But once a fatal error occurs that causes a blue screen to appear, such a file is created. This is a special tool that helps developers troubleshoot such problems. Ordinary users can also take advantage of it to find out which programs are causing the system to crash. But keep in mind that this requires some knowledge of how computers and software work; otherwise all this information will be completely useless. An ordinary user of the "I know how to turn it on, print, and turn it off" level will simply not understand anything in it.

Configuring Memory Dumps for Windows Errors

To view and configure (for example, to increase) the Windows memory dump, consider version 7, which continues to be popular; in other versions it is done in a similar way. Right-click the "My Computer" icon and select "Properties", or go to the "Control Panel" and select "System". Either way, the same window opens. Next, select the "Advanced system settings" item on the left, and in the small window that appears, go to the "Advanced" tab. Here, in the "Startup and Recovery" section, click the "Settings" button.

  1. Small dump - its size is only 256 KB; only the most general information is recorded there.
  2. Kernel memory dump - records the state of various programs at the time of a crash for a single processor core. The file size is about 33% of the total available RAM. There is useful information here to identify the cause of the failure, but not much of it.
  3. Full dump - a copy of all RAM, so the file size equals the amount of RAM. Here you can find whatever you want. Such a dump is also created when switching to hibernation mode: all the contents of RAM are simply saved to the hard drive, and when you turn on the computer, it continues working from the same place.

In newer versions of Windows there is an "Automatic memory dump" mode; you can select it, and it will be quite enough. As you can see, setting up a memory dump in Windows 7 is easy. It is written only on failures and does not affect the operation of the system in any way.

How and with what to open a memory dump file

When a failure occurs and a new file with the problem report is created, you still need to open it somehow and find out what is written in it. The file has the .dmp extension, but the built-in tools for opening it are inconvenient and are accessed from the command line. By the way, the system saves this file in its own folder. How do you open a memory dump file with the .dmp extension? There are various utilities for this, including ones from Microsoft, for example the Microsoft kernel debuggers. They can be downloaded completely free of charge from the official site, but you need to consider whether you need the 32-bit or 64-bit version. In this program, you can open memory dump files located in the system folder and view their decoded contents. Of course, the information is highly specific and is intended for specialists.

There is another popular utility, BlueScreenView. It is very simple and easy to use. The displayed information is not so easy to understand either, but with some technical knowledge it is quite possible. The program highlights in red the problematic entries in the list that caused the blue screen, for example certain drivers. This greatly simplifies the analysis.

How to delete a memory dump file

Can they be removed at all? Yes; they are just service information for further analysis. If they have already been viewed or are not needed, they can be deleted in the simplest way: to the Recycle Bin. Otherwise, they gradually accumulate and begin to take up a lot of space on the hard drive, especially if a full copy of RAM is saved. Of course, manually searching for and deleting all these files is not a very pleasant task, so you can use any disk cleanup utility, even the one built into Windows, by checking "Clean up system files" there. When it completes, all dumps will also be deleted. The system itself does not use these files, and their removal is completely safe.

One of the most common Windows failures is a system exception, which the user sees as a "blue screen of death" (BSOD). As a rule, this fatal error occurs either due to a malfunction of drivers or hardware (more often when loading the OS) or due to the action of viruses and antiviruses.

The blue screen of death contains information about the causes of the exception (in the form of a STOP error code such as 0x0000007b), the memory addresses whose access caused the exception, and other useful information. Such information is called a STOP error, and its variable parameters are precisely memory addresses. Sometimes it also contains the name of the file that caused the exception.

All this information is shown on the screen for a short time (up to 100 seconds), after which the computer restarts. During this short time, as a rule, a memory dump is formed and written to a file. One of the important professional ways to diagnose failures is to analyze the memory dump, which will be discussed in detail in this article.

What is a dump

  • dump (English) - garbage heap; dump; hole; slum.
  • dump (memory dump) - 1) dump: outputting the contents of RAM to a printer or screen; 2) "snapshot" of RAM: the data obtained as a result of dumping; 3) emergency removal, shutdown, reset.
  • dumping - taking a dump; writing out the contents of memory.

The settings for saving a memory dump are stored in the Windows system registry.

Memory dump information in the system registry:

Under the Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl, the crash dump is defined by the following values:

– REG_DWORD value AutoReboot with a value of 0x1 (the "Automatically restart" option in the Startup and Recovery window of the System Properties dialog box);

– REG_DWORD value CrashDumpEnabled: 0x0 if no memory dump is created; 0x1 - Complete memory dump; 0x2 - Kernel memory dump; 0x3 - Small memory dump (64 KB);

– REG_EXPAND_SZ value DumpFile with the default value %SystemRoot%\MEMORY.DMP (dump file storage location);

– REG_DWORD value LogEvent with the default value 0x1 (the "Write an event to the system log" option in the Startup and Recovery window);

– REG_EXPAND_SZ value MinidumpDir with the default value %SystemRoot%\Minidump (the "Small dump directory" option in the Startup and Recovery window);

– REG_DWORD value Overwrite with the default value 0x1 (the "Overwrite any existing file" option in the Startup and Recovery window);

– REG_DWORD value SendAlert with the default value 0x1 (the "Send an administrative alert" option in the Startup and Recovery window).
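As an added example that is not part of the original article, the following PowerShell script reads the CrashControl values listed above, decodes CrashDumpEnabled into the dump type, and checks the page file on the boot volume against the minimum sizes the article gives for each dump type (RAM plus 1 MB for a full dump, one third of RAM for a kernel dump, 2 MB for a small dump). The function names are mine; the value 7 for Automatic memory dump is from Windows 8 and later and is not in the list above.

```powershell
# Audit the CrashControl registry values described above. Added example;
# the function names are mine and not from the article.

$CrashControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpTypeName {
    param([int]$Value)
    # 0..3 are the values listed in the article; 7 is the Automatic memory
    # dump of Windows 8 and later (assumption: not part of the list above).
    switch ($Value) {
        0 { 'None' }
        1 { 'Complete memory dump' }
        2 { 'Kernel memory dump' }
        3 { 'Small memory dump' }
        7 { 'Automatic memory dump' }
        default { "Unknown ($Value)" }
    }
}

function Get-CrashControlConfig {
    # Get-ItemProperty expands REG_EXPAND_SZ values such as %SystemRoot%;
    # a value that is absent reads as $null, which becomes 0 / $false below.
    $p = Get-ItemProperty -Path $CrashControlKey
    [pscustomobject]@{
        CrashDumpEnabled = [int]$p.CrashDumpEnabled
        DumpType         = Get-CrashDumpTypeName -Value ([int]$p.CrashDumpEnabled)
        DumpFile         = [string]$p.DumpFile
        MinidumpDir      = [string]$p.MinidumpDir
        AutoReboot       = [bool]$p.AutoReboot
        Overwrite        = [bool]$p.Overwrite
        LogEvent         = [bool]$p.LogEvent
        SendAlert        = [bool]$p.SendAlert
    }
}

function Test-PageFileForDump {
    param([int]$CrashDumpEnabled)
    $ramMB = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

    # The dump is written through the page file on the boot volume (the
    # volume holding \Windows), so only that page file counts.
    $pf = Get-CimInstance Win32_PageFileUsage |
          Where-Object { $_.Name -like "$($env:SystemDrive)*" } |
          Select-Object -First 1
    $pfMB = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }   # AllocatedBaseSize is in MB

    # Minimum sizes as stated in the article: full dump = RAM + 1 MB,
    # kernel dump = one third of RAM, small dump = 2 MB. "None" and the
    # automatic (system-managed) type have no fixed size to check.
    $requiredMB = switch ($CrashDumpEnabled) {
        1       { $ramMB + 1 }
        2       { [math]::Ceiling($ramMB / 3) }
        3       { 2 }
        default { 0 }
    }
    [pscustomobject]@{
        RamMB      = $ramMB
        PageFileMB = $pfMB
        RequiredMB = $requiredMB
        Sufficient = ($pfMB -ge $requiredMB)
    }
}

$cfg = Get-CrashControlConfig
$cfg | Format-List
Test-PageFileForDump -CrashDumpEnabled $cfg.CrashDumpEnabled | Format-List
```

Reading the key needs no special rights; changing it (for example with Set-ItemProperty) requires an elevated session.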

How the system creates a crash dump file

During boot, the operating system checks the crash dump settings in the registry key. If at least one parameter is specified, the system generates a map of the disk blocks occupied by the paging file on the boot volume and stores it in memory. The system also determines which disk device driver controls the boot volume, and calculates checksums for the driver's in-memory image and for the data structures that must remain intact for the driver to perform I/O operations.

After a crash, the system kernel verifies the integrity of the page file map, the disk driver, and the disk driver's control structures. If these structures are intact, the kernel calls special I/O functions of the disk driver designed to save the memory image after a system failure. These I/O functions are self-contained and do not rely on kernel services, because the code responsible for writing the crash dump cannot make any assumptions about which parts of the kernel or device drivers were damaged during the crash. The kernel writes the data from memory directly to the sectors in the paging file map (it does not have to use file system drivers).

First, the system kernel checks the status of each component involved in the process of saving the dump. This is done so that writing directly to disk sectors does not damage data that lies outside the page file. The size of the page file must be 1 MB larger than the physical memory size, because when the dump is written, a header is created that contains the crash dump signature and the values of several important kernel variables. The header is less than 1 MB, but the operating system increases (or decreases) the size of the paging file by at least 1 MB at a time.

After the system boots, the Session Manager (Windows NT Session Manager; path \WINDOWS\system32\smss.exe) initializes the system's page files, using its own NtCreatePagingFile function to create each file. NtCreatePagingFile determines whether the page file being initialized already exists and, if so, whether it contains a dump header. If the header is present, NtCreatePagingFile returns a special code to the Session Manager. The Session Manager then starts the Winlogon process (Windows NT Logon Program; path \WINDOWS\system32\winlogon.exe) and notifies it of the existence of the crash dump. Winlogon runs the SaveDump program (Windows NT Memory Backup Program; path \WINDOWS\system32\savedump.exe), which parses the dump header and determines whether a crash occurred.

If the header indicates the existence of a dump, SaveDump copies the data from the page file to the crash dump file whose name is specified by the REG_EXPAND_SZ value DumpFile of the registry key. While SaveDump is copying the dump, the operating system does not use the part of the page file that contains the crash dump. During this time, the amount of virtual memory available to the system and applications is reduced by the size of the dump (and messages may appear on the screen indicating low virtual memory). SaveDump then informs the memory manager that the dump has been saved, and the manager releases the part of the page file that held the dump for general use.

After saving the dump file, the SaveDump program records the creation of the crash dump in the System event log, for example: "The computer was restarted after a critical error: 0x100000d1 (0xc84d90a6, 0x00000010, 0x00000000, 0xc84d90a6). Memory copy saved: C:\WINDOWS\Minidump\Mini060309-01.dmp".

If the Send administrative notification option is enabled, then SaveDump sends a notification to the administrator.
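As an added example that is not part of the original article, this PowerShell code parses the event log text quoted above into the bugcheck code, its four parameters and the dump path, decodes the date that a MiniMMDDYY-NN.dmp filename encodes, and reads the same events back from the System log. The function names are mine; the Get-WinEvent filter assumes the modern form of this event (Event ID 1001 from the BugCheck source, provider Microsoft-Windows-WER-SystemErrorReporting).

```powershell
# Parse the SaveDump / BugCheck event message into structured fields.
# Added example; function names are mine, not from the article.

function ConvertFrom-BugCheckMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Bugcheck code, four parameters in parentheses, then the first .dmp path.
    $pattern = '(?<Code>0x[0-9a-f]{8})\s*\(' +
               '(?<P1>0x[0-9a-f]+),\s*(?<P2>0x[0-9a-f]+),\s*' +
               '(?<P3>0x[0-9a-f]+),\s*(?<P4>0x[0-9a-f]+)\)' +
               '.*?(?<Path>[A-Za-z]:\\[^\s"]+\.dmp)'
    $m = [regex]::Match($Message, $pattern, 'IgnoreCase')
    if (-not $m.Success) { return $null }

    # Codes such as 0x100000d1 are the "_M" form of the base code (0xd1);
    # WinDbg names both for the same bugcheck. Strip the 0x10000000 bit to
    # get the code used in the bugcheck reference tables.
    $code = [Convert]::ToUInt32($m.Groups['Code'].Value.Substring(2), 16)
    $base = if ($code -ge 0x10000000 -and $code -lt 0x20000000) { $code - 0x10000000 } else { $code }

    $path = $m.Groups['Path'].Value
    $file = Split-Path -Path $path -Leaf
    # Small dumps named MiniMMDDYY-NN.dmp encode the date in the name.
    $date = if ($file -match '^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$') {
        [datetime]::new(2000 + [int]$matches[3], [int]$matches[1], [int]$matches[2])
    } else { $null }

    [pscustomobject]@{
        BugCheckCode = $m.Groups['Code'].Value
        StopCode     = ('0x{0:x8}' -f $base)
        Parameters   = @($m.Groups['P1'].Value, $m.Groups['P2'].Value,
                         $m.Groups['P3'].Value, $m.Groups['P4'].Value)
        DumpFile     = $path
        DumpKind     = if ($path -match '\\Minidump\\') { 'Small memory dump' } else { 'Kernel or complete memory dump' }
        DumpDate     = $date
    }
}

function Get-RecentBugChecks {
    param([int]$MaxEvents = 10)
    # Assumption: on current Windows versions the same message is logged as
    # Event ID 1001 (source BugCheck) in the System log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $parsed = ConvertFrom-BugCheckMessage -Message $_.Message
        if ($parsed) {
            $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
    }
}

# Constructed sample: the event text quoted in the article.
$sample = 'The computer was restarted after a critical error: 0x100000d1 ' +
          '(0xc84d90a6, 0x00000010, 0x00000000, 0xc84d90a6). ' +
          'Memory copy saved: C:\WINDOWS\Minidump\Mini060309-01.dmp'
ConvertFrom-BugCheckMessage -Message $sample | Format-List
Get-RecentBugChecks | Format-Table TimeCreated, BugCheckCode, StopCode, DumpFile -AutoSize
```

For the sample line the parser returns StopCode 0x000000d1, DumpKind "Small memory dump" and DumpDate 2009-06-03; a crash that left no dump (for example because the page file was too small) still logs the event but with no path, so the parser returns $null and the event is worth a second look.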

Types of dumps

  • A full memory dump writes the entire contents of system memory when a fatal error occurs. This option requires a page file on the boot volume equal to the amount of physical RAM plus 1 MB. By default, a full memory dump is written to the %SystemRoot%\Memory.dmp file. When a new error occurs and a new full memory dump (or kernel dump) file is created, the previous file is replaced (overwritten). The Full memory dump option is not available on PCs with a 32-bit operating system and 2 GB or more of RAM.

  • A kernel memory dump writes only kernel memory, which makes writing the dump during a sudden system shutdown faster. Depending on the amount of physical memory on the PC, the page file on the boot volume must in this case be between 50 and 800 MB, or one third of the physical memory. By default, the kernel memory dump is written to the %SystemRoot%\Memory.dmp file.

This dump does not include unallocated memory or memory allocated to user-mode programs. It includes only memory allocated to the kernel and the hardware abstraction layer (HAL) in Windows 2000 and later, and memory allocated to kernel-mode drivers and other kernel-mode programs. In most cases, such a dump is the preferred option. It takes up much less space than a full memory dump, while excluding only those regions of memory that are most likely not related to the error. When a new error occurs and a new kernel dump file is created, the previous file is overwritten.

  • A small memory dump records the smallest amount of useful information needed to determine the cause of a problem. To generate a small memory dump, the page file on the boot volume must be at least 2 MB.

Small memory dump files contain the following information:

  • fatal error message, its parameters and other data;
  • list of loaded drivers;
  • the processor context (PRCB) that failed;
  • process information and kernel context (EPROCESS) for the process that caused the error;
  • process information and kernel context (ETHREAD) for the thread that caused the error;
  • the kernel-mode call stack for the thread that caused the error.

The small memory dump file is used when hard disk space is limited. However, because of the limited information it contains, analyzing this file may not always reveal errors that were not directly caused by the thread that was running at the time the error occurred.

If another error occurs and a second small memory dump file is generated, the previous file is retained. Each additional file is given a unique name; the date is encoded in the filename. For example, Mini051509-01.dmp is the first memory dump file created on May 15, 2009. All small memory dump files are stored in the folder %SystemRoot%\Minidump.

The Windows XP operating system is undoubtedly much more reliable than previous versions, thanks to the efforts of Microsoft developers, hardware driver developers, and application software developers alike. However, emergencies - all kinds of system failures and crashes - are inevitable, and whether the PC user has the knowledge and skills to eliminate them determines whether they will spend several minutes troubleshooting (for example, updating or debugging a driver, or reinstalling an application that causes a system crash) or several hours reinstalling and configuring the operating system and application software (which does not guarantee the absence of failures and crashes in the future!).

Many system administrators still neglect the analysis of Windows crash dumps, believing that working with them is too difficult. Difficult, but possible: even if, for example, only one dump analysis out of ten turns out to be successful, the effort spent on mastering the simplest techniques for analyzing crash dumps will not be in vain!..

I will give examples from my “sysadmin” practice.

On the local network, for no apparent reason (the "hardware" was in order, the absence of viruses was guaranteed, the users had "normal hands"), several workstations with Windows XP SP1/SP2 "on board" died. The computers could not boot in normal mode: they got as far as "Welcome" and then rebooted indefinitely. In Safe Mode, however, the PCs booted.

The study of memory dumps made it possible to identify the cause of the malfunction: the culprit turned out to be Kaspersky antivirus, more precisely, fresh anti-virus databases (more precisely, two database modules - base372c.avc, base032c.avc).

…There was another such case. On a local PC running Windows XP SP3, a reboot occurred when trying to open .avi and .mpeg video files. Study of the memory dump revealed the cause of the malfunction: the nv4_disp.dll file of the NVIDIA GeForce 6600 video card driver. After updating the driver, the malfunction was fixed. In general, the nv4_disp.dll driver is one of the most unstable drivers and has often led to BSODs.

In both of these cases, studying the crash dump reduced the time spent diagnosing and troubleshooting to a minimum (several minutes!).

Memory dump analysis

There are many programs for analyzing crash dumps, for example, DumpChk, Kanalyze, WinDbg.

Let's consider the analysis of memory crash dumps using the WinDbg program (included in the Debugging Tools for Windows).

Installing Debugging Tools

  • visit the Microsoft Web site http://www.microsoft.com/whdc/devtools/debugging/default.mspx;
  • download Debugging Tools for Windows, for example, for 32-bit version of Windows, this can be done on the Download the Debugging Tools for Windows page;
  • after downloading, run the installation file;
  • in the Debugging Tools for Windows Setup Wizard window, click Next;
  • in the window with the license agreement, set the switch I agree –> Next;
  • in the next window, select the installation type (by default, debugging tools are installed in the \Program Files\Debugging Tools for Windows folder) –> Next –> Install –> Finish;
  • to interpret memory dump files, you must also download the symbol package (Symbol Packages, so-called symbol files, or debug symbol files) for your version of Windows - go to the Download Windows Symbol Packages page;
  • select your version of Windows, download and run the Symbol Packages installation file;
  • in the window with the license agreement, click Yes;
  • in the next window, select the installation folder (the default is \WINDOWS\Symbols) –> OK –> Yes;
  • in the Microsoft Windows Symbols window with the message "Installation is complete", click OK.

Using WinDbg to Analyze Crash Dumps

  • run WinDbg (by default it is installed in the \Program Files\Debugging Tools for Windows folder);
  • select menu File –> Symbol File Path…;
  • in the Symbol Search Path window, click the Browse… button;
  • in the Browse folders window, specify the location of the Symbols folder (by default - \WINDOWS\Symbols) –> OK –> OK;
  • select menu File –> Open Crash Dump… (or press Ctrl + D);
  • in the Open Crash Dump window, specify the location of the Crash Dump File (*.dmp) –> Open;
  • in the Workspace window with the question “Save information for workspace?”, check the box "Don't ask again" –> No;
  • a Command window titled Dump <dump_file_path_and_name> will open inside the WinDbg window with the dump analysis;
  • review the memory dump analysis;
  • in the "Bugcheck Analysis" section, a possible cause of the crash will be indicated, for example, "Probably caused by: smwdm.sys (smwdm + 454d5)";
  • to view detailed information, click the link "!analyze -v" in the line "Use !analyze -v to get detailed debugging information";
  • close WinDbg;
  • use the information received to eliminate the cause of the malfunction.

For example, in the following screenshot, the cause of the malfunction is the nv4_disp.dll file of the video card driver.
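As an added example that is not part of the original article, the procedure above can be run unattended from PowerShell with kd.exe, the command-line debugger shipped in the same Debugging Tools for Windows package as WinDbg: it opens every dump in %SystemRoot%\Minidump, runs !analyze -v, and collects the "Probably caused by" verdicts into one table. The kd.exe path and the Symbols folder are assumptions taken from the article's default install locations, and the function names are mine.

```powershell
# Batch form of the WinDbg procedure above: open each dump with the
# command-line kernel debugger kd.exe, run !analyze -v, collect verdicts.
# Added example; paths and function names are mine, not from the article.

$KdPath      = 'C:\Program Files\Debugging Tools for Windows\kd.exe'  # assumption: article's default folder
$SymbolPath  = 'C:\WINDOWS\Symbols'                                   # article's default Symbols folder
$MinidumpDir = Join-Path $env:SystemRoot 'Minidump'

function Invoke-DumpAnalysis {
    param([Parameter(Mandatory)][string]$DumpFile)
    # -z opens a crash dump, -y sets the symbol path, -c runs the initial
    # commands; the trailing "q" quits so the call returns.
    $output = (& $KdPath -z $DumpFile -y $SymbolPath -c '!analyze -v; q' 2>&1) | Out-String

    # The fields a first pass cares about, as printed by !analyze -v.
    $bugcheck = if ($output -match 'BUGCHECK_STR:\s+(\S+)')         { $matches[1] } else { $null }
    $image    = if ($output -match 'IMAGE_NAME:\s+(\S+)')           { $matches[1] } else { $null }
    $cause    = if ($output -match 'Probably caused by\s*:\s*(.+)') { $matches[1].Trim() } else { $null }

    [pscustomobject]@{
        DumpFile  = Split-Path -Path $DumpFile -Leaf
        BugCheck  = $bugcheck
        ImageName = $image
        Cause     = $cause
        Log       = $output   # full debugger text, kept for manual review
    }
}

function Get-DumpAnalysisSummary {
    param([string]$Folder = $MinidumpDir)
    Get-ChildItem -Path $Folder -Filter '*.dmp' -File |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object { Invoke-DumpAnalysis -DumpFile $_.FullName }
}

$results = Get-DumpAnalysisSummary
$results | Format-Table DumpFile, BugCheck, ImageName, Cause -AutoSize

# Keep each full analysis next to its dump for later review.
foreach ($r in $results) {
    $r.Log | Set-Content -Path (Join-Path $MinidumpDir ($r.DumpFile + '.analysis.txt'))
}
```

A verdict that names a generic module (ntoskrnl.exe, ntkrnlpa.exe) usually means the symbols did not resolve or the minidump lacks the faulting stack; open that dump interactively as described above before drawing conclusions.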

When a critical error occurs while working with Windows, the user may wonder how to access the Windows crash dump. Such a dump, if the system is correctly configured, will help in the event of a crash or the so-called blue screen of death (BSOD).

If you encounter problems during the process of setting up a memory dump or the operating system will not work correctly after that, then you can.

Windows 10 memory dump

A memory dump is the contents of the working memory of the entire operating system, the processor and its cores, including all information about the state of the processor registers and other service structures.

What is a Windows 10 memory dump for?

The Windows 10 memory dump is a kind of black box. In the event of a failure in the system, the information stored in it will help to study the causes of the failure in detail. Such a failure, as a rule, completely stops the operating system; therefore, a memory dump is the only and most reliable way to obtain information about it. What you receive is an exact replica of the information that was in the system.

The more accurately the contents of the memory dump reflect what was happening in the system at the time of the failure, the easier it is to analyze the emergency and take further action to correct it.

It is extremely important to get an up-to-date copy exactly at the moment that was immediately before the failure. And the only way to do this is to create a Windows 10 crash dump.

The causes of errors in Windows 10 are very diverse:

– incompatibility of connected devices;

– new Windows 10 updates;

– incompatibility of installed drivers;

– incompatibility of installed applications;

– other reasons.

How to set up a memory dump in Windows 10?

In order to set up a Windows 10 crash dump, follow these steps:

1. Right-click the Windows 10 Start button. In the context menu that appears, select the “System” item.

2. In the "System" window in the upper left corner, select "Advanced system settings".

3. In the “System Properties” window, in the “Startup and Recovery” item, click “Settings”.

This is where the Windows 10 crash dump is configured.

When setting up a memory dump, do not neglect the following recommendations:

– Check the "Overwrite any existing file" box. Given that the data can weigh tens or even hundreds of gigabytes, this is very useful for small hard drives;

– Write debugging information. This setting lets you select the type of dump file;

– Automatically restart. Continues work after an error has occurred;

– Write an event to the system log. Information about the system failure will be added to the operating system logs.

A Windows 10 memory dump is a convenient and genuinely working method of safeguarding system data.

Knowing the "enemy in person", it will be much easier to find and eliminate it. A Windows 10 memory dump will allow you to identify the cause of a system failure and take the right steps to eliminate the error, significantly reducing the amount of effort and work.


