[SDP 3][06bb55c8-3207-406e-a3fc-f538867a399b] Machine Memory Dump Collector - Windows

Article ID: 2027760

Summary

The Machine Memory Dump Collector - Windows diagnostic package was designed to collect machine memory dump files from a computer and check for known solutions. This diagnostic tool collects the last five machine mini-dump files from the past 30 days. The tool also collects related system configuration information. This package will also remedy common memory dump configuration issues.

More information

The following tables describe the information that may be collected from a computer when you run the Machine Memory Dump Collector - Windows diagnostic package. 

Information collected

Event logs

| Description | File Name |
|---|---|
| Event log – Application – .txt, .csv, and .evtx formats | {Computername}_evt_Application.* |
| Event log – System – .txt, .csv, and .evtx formats | {Computername}_evt_System.* |

Machine memory dump files

| Description | File Name |
|---|---|
| Mini memory dump files from {Windows}\Minidump folder from past 30 days | {Computername}_dmp_*.zip |
| Information about machine memory dump files, user memory dump files, and memory dump configuration | {Computername}_DumpReport.* |

Hotfixes and updates

| Description | File Name |
|---|---|
| Installed updates and hotfixes | {Computername}_Hotfixes.* |

Basic networking information

| Description | File Name |
|---|---|
| Basic IP networking configuration information, such as TCP/IP registry key, ipconfig, netstat, nbtstat, and netsh output | {Computername}_TcpIp-Info.txt |
| Basic SMB configuration information, based on the output of the Net.exe utility | {Computername}_SMB-Info.txt |

File version information

| Description | File Name |
|---|---|
| File version information from %windir%\cluster\*.* | {Computername}_sym_Cluster.* |
| File version information from %windir%\system32\*.dll | {Computername}_sym_System32_dll.* |
| File version information from %windir%\system32\*.exe | {Computername}_sym_System32_exe.* |
| File version information from %windir%\system32\*.sys | {Computername}_sym_System32_sys.* |
| File version information from %windir%\system32\drivers folder | {Computername}_sym_Drivers.* |
| File version information from %windir%\system32\drivers\*.* | {Computername}_sym_SysWOW64_sys.* |
| File version information from {Program Files (x86)}\*.sys | {Computername}_sym_ProgramFilesx86_sys.* |
| File version information from {Program Files}\*.sys | {Computername}_sym_ProgramFiles_sys.* |
| File version information from {Program Files}\Microsoft iSNS Server\*.* and %windir%\system32\iscsi*.* | {Computername}_sym_MS_Iscsi.* |
| File version information from all drivers that are currently running on the computer | {Computername}_sym_RunningDrivers.* |
| File version information from all processes that are currently running on the computer | {Computername}_sym_Process.* |
| File version information from print spooler folder %windir%\system32\Spool\*.* | {Computername}_sym_PrintSpooler.* |

Registry keys

| Description | File Name |
|---|---|
| HKLM\Software\Microsoft\Windows NT\CurrentVersion | {Computername}_reg_CurrentVersion.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion | {Computername}_reg_CurrentVersion.TXT |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | {Computername}_reg_Uninstall.TXT |
| HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions | {Computername}_reg_ProductOptions.TXT |
| HKLM\System\MountedDevices | {Computername}_reg_MountedDevices.* |
| HKLM\System\CurrentControlSet\Control\CrashControl | {Computername}_reg_Recovery.TXT |
| HKLM\System\CurrentControlSet\Control\Session Manager | {Computername}_reg_Recovery.TXT |
| HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management | {Computername}_reg_Recovery.TXT |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug | {Computername}_reg_Recovery.TXT |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | {Computername}_reg_Recovery.TXT |
| HKLM\Software\Microsoft\Windows\Windows Error Reporting | {Computername}_reg_Recovery.TXT |
| HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting | {Computername}_reg_Recovery.TXT |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | {Computername}_reg_Startup.TXT |
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Load | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run | {Computername}_reg_Startup.TXT |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {Computername}_reg_Startup.TXT |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit | {Computername}_reg_Startup.TXT |
| HKLM\SYSTEM\CurrentControlSet\Control\Print | {Computername}_reg_Print.HIV |
| HKCU\Software\Policies | {Computername}_reg_Policies.txt |
| HKLM\Software\Policies | {Computername}_reg_Policies.txt |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies | {Computername}_reg_Policies.txt |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | {Computername}_reg_Policies.txt |
| HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | {Computername}_reg_TimeZone.txt |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones | {Computername}_reg_TimeZone.txt |
| HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server | {Computername}_reg_TermServices.txt |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server | {Computername}_reg_TermServices.txt |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server Web Access | {Computername}_reg_TermServices.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\TermService | {Computername}_reg_TermServices.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\TermDD | {Computername}_reg_TermServices.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer | {Computername}_reg_SMB.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation | {Computername}_reg_SMB.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb | {Computername}_reg_SMB.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\SMB | {Computername}_reg_SMB.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb10 | {Computername}_reg_SMB.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb20 | {Computername}_reg_SMB.txt |
| HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | {Computername}_reg_TCPIPParameters |
| HKLM\SYSTEM\CurrentControlSet\Services\VSS | {Computername}_reg_VSS.TXT |
| HKLM\SYSTEM\CurrentControlSet\Services\iScsiPrt | {Computername}_reg_iSCSI.TXT |
| HKLM\SOFTWARE\Microsoft\iSCSI Target | {Computername}_reg_iSCSI.TXT |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\iSCSI | {Computername}_reg_iSCSI.TXT |
| HKLM\System\CurrentControlSet\Control\MPDev | {Computername}_reg_Storage.TXT |
| HKLM\System\CurrentControlSet\Control\iSCSIPrt | {Computername}_reg_Storage.TXT |
| HKLM\System\CurrentControlSet\Services\MSiSCSI | {Computername}_reg_Storage.TXT |
| HKLM\System\CurrentControlSet\Services\MSDsm | {Computername}_reg_Storage.TXT |
| HKLM\System\CurrentControlSet\Services\MPIO | {Computername}_reg_Storage.TXT |
| HKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318} | {Computername}_reg_Storage.TXT |
| HKLM\System\CurrentControlSet\Services\Tcpip | {Computername}_reg_Storage.TXT |
| HKLM\SYSTEM\CurrentControlSet\Enum | {Computername}_reg_Enum.TXT |

Virtualization

| Description | File Name |
|---|---|
| Basic information about machine virtual environments | {Computername}_Virtualization.* |

System Information

| Description | File Name |
|---|---|
| Resultant Set of Policy (RSoP) that is generated by the Gpresult.exe utility | {Computername}_GPResult.* |
| System information - MSInfo32 tool output – .txt and .nfo formats | {Computername}_msinfo32.* |

When choosing to apply configuration changes in this package, the following values are set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled = 2
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\AutoReboot = 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent = 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\Overwrite = 1


Additionally, if the operating system is Windows Vista or Windows Server 2008 or higher, the following values are set:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\IgnorePagefileSize = 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\AlwaysKeepMemoryDump = 1
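
To see whether a computer already matches the CrashControl values listed above, before or after running the package, the key can be read and compared value by value. The following PowerShell is an added example, not part of the diagnostic package; it only reads the registry, and it treats Windows version 6.0 (Windows Vista and Windows Server 2008) as the threshold for the two additional values.

```powershell
# Added example: read-only comparison of CrashControl against the values this article lists.
$key = 'HKLM:\System\CurrentControlSet\Control\CrashControl'

# Values the article says are set on every operating system.
$expected = [ordered]@{
    CrashDumpEnabled = 2
    AutoReboot       = 1
    LogEvent         = 1
    Overwrite        = 1
}

# Windows Vista and Windows Server 2008 report version 6.0; the article adds two values from there on.
if ([Environment]::OSVersion.Version -ge [Version]'6.0') {
    $expected['IgnorePagefileSize']   = 1
    $expected['AlwaysKeepMemoryDump'] = 1
}

$current = Get-ItemProperty -Path $key -ErrorAction Stop

$report = foreach ($name in $expected.Keys) {
    # A registry value that was never created has no property on the returned object.
    $prop    = $current.PSObject.Properties[$name]
    $present = $null -ne $prop
    $actual  = '<not set>'
    if ($present) { $actual = $prop.Value }

    [pscustomobject]@{
        Name     = $name
        Expected = $expected[$name]
        Actual   = $actual
        InSync   = $present -and ($prop.Value -eq $expected[$name])
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when any value differs, so the check can run from a scheduled task.
if ($report.InSync -contains $false) { exit 1 }
```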



Additional information

In addition to the files that are collected and that are listed in this article, this troubleshooter can detect one or more of the following situations:
  • Whether the computer is running in a virtual environment
  • The presence of computer memory dump files within the past 30 days
  • The presence of user mode memory dump files within the past 30 days
  • Problems related to the computer memory dump configuration
  • Unexpected shutdown event logs in the System log within the past 30 days (instances of event 41 from Microsoft-Windows-Kernel-Power)
  • Computer memory dump-related event logs on the System log from the past 30 days (instances of event 1001 from the Save dump file)
  • Prerelease versions of Windows 7 or of Windows Server 2008 R2
  • Evaluation versions of Windows 7 or of Windows Server 2008 R2

References

For more information about the diagnostic tool, click the following article number to go to the article in the Microsoft Knowledge Base:
973559 Frequently asked questions about the Microsoft Support Diagnostic Tool (MSDT) when it is used with Windows 7 or Windows Server 2008 R2
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2027760 - Last Review: April 10, 2014 - Revision: 7.0
Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
  • Windows 8 Pro
  • Windows 8
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows 7 Professional
  • Windows 7 Home Premium
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
Keywords: 
KB2027760
