Article ID: 969028 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
This step-by-step article describes how to generate, gather, check, and analyze kernel and complete memory dump files from a Windows Server 2008-based system.
Note Ideally, you should only do this when you are explicitly asked to do so by a Microsoft Customer Support Services Engineer. Kernel or complete memory dump file debugging should be the last resort after all the standard troubleshooting methods have been exhausted.
If you must contact Microsoft Customer Support and Services (CSS), this article will help you obtain the specific information that is required for CSS to identify the problem.
You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may prevent you from completing this procedure. A manual kernel or complete memory dump file is useful when troubleshooting a number of issues because the process captures a record of system memory at the time of a crash.
Warning Depending on the speed of the hard drive on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. When you initiate the dump file creation procedure, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.
When you restart the computer, the contents of that paging file are written to the dump file. Even in a best case scenario, where the dump file is configured to reside on another local hard drive, there will be a significant amount of data being read and written to the hard drives. This can cause a prolonged server outage.
Paging fileTypically, for regular functionality of your Windows Server 2008-based system, you would set the paging file size on your server. For more information about how to determine the appropriate paging file size, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/889654/ )How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP
Depending on what type of memory dump file that you are trying to collect, the minimum size of the paging file will vary. Windows Server 2008 has three options for memory dump files:
Step 1: Create a paging file
Partition sizeIn Windows Server 2003 or earlier versions of Windows, the partition on which the operating system is installed must be at least the size of the amount of physical RAM installed plus 100 megabyte (MB).
For Windows Server 2008, you may have to reduce the physical memory of the computer to produce a valid complete memory dump file. If the computer has more than 4 GB of physical memory or if there is not enough disk space for the paging file on the partition on which the operating system is installed, you may have to reduce the physical RAM of the computer. However, you can avoid this by using another partition as described in the "New behavior in Windows Vista and Windows Server 2008" section. To reduce the physical memory on the computer, use the truncatememory or removememory switches in the BCDEdit.exe file as described in the following TechNet/MSDN-based articles:
Boot Configuration Data Editor Frequently Asked Questions
BCD Boot Options ReferenceNote On a 32-bit version of Windows Server 2008 that has Physical Address Extension (PAE) enabled, the paging file can extended beyond 4 GB (4,096 MB) in size. To verify if PAE is enabled, follow these steps:
New behavior in Windows Vista and Windows Server 2008In Windows Vista and Windows Server 2008, to get a Memory Dump, the paging file does not have to be on the same partition as the partition on which the operating system is installed as was the requirements of previous versions.
To put a paging file on another partition, you must create a new registry entry named
You can also define the size of the paging file for the creation of Memory Dumps by using a new registry entry that is named
Note DedicatedDumpFile cannot be used to generate a dump file to a spanned volume. This includes striped or RAID 5 volumes.
To create the
DumpFileSizeregistry entries, follow these steps:
Note When you use DedicatedDumpFile in Windows Vista and Windows Server 2008, there must be at least one paging file on any of the partitions. The size of the paging file is not important in this case. In Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, you can eliminate this limitation by installing hotfix 2716542. For more information about this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
2716542This limitation does not exist in Windows 8 , Windows Server 2012 and later versions.
(http://support.microsoft.com/kb/2716542/ )A hotfix is available that enables a Windows 7-based or Windows Server 2008 R2-based computer to create a memory dump file without a page file
For more information about Windows Server 2008 and Windows Vista, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/950858/ )Dedicated dump files are unexpectedly truncated to 4 GB on a computer that is running Windows Server 2008 or Windows Vista and that has more than 4 GB of physical memory
If the physical memory of the operating system is larger than the size of the paging file on a Windows Server 2008-based or a Windows Vista SP1-based computer, kernel memory dump files may not be generated. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/949052/ )Kernel memory dump files may not be generated on Windows Server 2008-based and Windows Vista Service Pack 1-based computers when system memory is larger than the size of the page file
New behavior in Windows 7 and Windows Server 2008 R2In Windows 7 and Windows Server 2008 R2, to get a Memory Dump, the paging file does not have to be on the same partition as the partition on which the operating system is installed. To put a paging file on another partition, it is not mandatory to use DedicatedDumpFile registry entry.
Paging file on a Dynamic DiskDynamic Disk is not recognized as a boot or system volume like other disk volumes. Therefore, if you create a paging file only on volume other than a boot or system volume, the operating system is unable to recognize these volumes when creating the memory dump. This results in failure of generating the memory dumps.
Note The behavior above also applies to DedicatedDumpFile.
Using Retain command in Diskpart command interpreter, you can prepare an existing dynamic volume to be used as a boot or system volume. To use the Retain command, follow these steps:
For more information on Retain command, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/300415/ )A Description of the Diskpart Command-Line Utility
Also, check the following TechNet article:
Paging file referential orderWhen you try to create a dump file by using a paging file that exists on a volume other than a boot volume (by default, the C: drive), you may not be able to create the dump file as expected even though you reserve enough paging file size. There may not be a proper paging file referential order. To check if the expected volume is taking precedence over other volumes in the paging file referential order, follow these steps:
If you need to change the order, follow these steps:
Step 2: Create a complete memory dump file
Note If you want to enable the Complete memory dump option, manually set the CrashDumpEnabled registry entry to 0x1 under the following registry subkey and restart Windows:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/885117/ )"Kernel Memory Dump" is displayed in Startup and Recovery, but a complete memory dump is performed in Windows 2000 or in Windows Server 2003
Disk spaceThere must be enough free space in the selected location to write the memory dump file. By default, the memory dump file is written to the %SystemRoot%\Memory.dmp file. If there is not enough free space on the %SystemRoot% drive, you can redirect the dump file to another location that has enough free space. If the free disk space on the dump-file destination volume is not enough to accommodate a new dump file, the dump file is not copied and an Event ID 12 is logged in the System event log. The dump path is configured in the "DumpFile" registry value under the "HKLM\SYSTEM\CurrentControlSet\Control\Crash control" location. The following is the Event ID 12 that is logged in the System event log:
Event ID: 12
To change the dump file path in the Startup and Recovery options on a Windows Server 2008-based computer, follow these steps:
Hotfixes for Windows Server 2008 SP1The following hotfixes may resolve problems that occur when you try to create a memory dump file in Windows Server 2008 with SP1:
(http://support.microsoft.com/kb/960658/ )Windows Server 2008 systems may generate a truncated dump file if the system supports Dynamic Hardware Partitioning (DHP) and if memory is hot added
Methods to generate a manual memory dump fileThere are several methods to generate a manual kernel or complete memory dump file. These methods include using the NMI, keyboard (PS2/USB), remote kernel, or NotMyFault.exe tools.
How to generate a manual memory dump by using the NotMyFault toolIf you can log on while the problem is occurring, you can use the Microsoft SysInternals NotMyFault tool. To do this, follow these steps:
How to generate a manual memory dump file by using the keyboard
How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based systemFor more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/927069/ )How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system
Note This will generate a memory dump file and a "Stop 80" error.
How to generate a manual memory dump by using a remote debuggerFor more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/303021/ )How to Generate a Memory Dump File When a Server Stops Responding (Hangs)
Note In WinDbg, you can use the .crash command. This command creates the memory dump file on the target computer. Or, if you want to copy the memory dump file by using a null modem, USB, or IEEE 1394, use the .dump command.
BIOS level server hardware recovery mechanismSome computers have a feature at the BIOS level to do hardware recovery. For example, a computer may have one of the following features:
Testing whether you can obtain a manual memory dumpWarning It is critical that you test whether you can obtain a manual memory dump file. If a dump file is corrupted or truncated, the problem must occur again for you to obtain a good memory dump file.
To test whether you can obtain a good dump file on a computer, use NotMyFault, or press the RIGHT CTRL key while you press the SCROLL LOCK key two times. After the server restarts, wait for disk activity to stop. The dump file should be the same size as physical memory. If you have problems obtaining a manual memory dump file, you may have to update the SCSI controller firmware and driver from the hardware vendor.
Obtaining Blue Screen information after generating a memory dump fileYou can configure a Windows-based operating system to write an event log message with bugcheck information. By default, Windows Server 2008 is set to write event log messages. You can disable this feature by creating a LogEvent registry entry and setting it to 0 under the following registry subkey:
Note The description and format of the event log differs from the format that is displayed when the computer is writing the memory dump file. However, the majority of the information is the same. The following is a sample of the event log:
Event ID: 1001 Source: BugCheck Description: The computer has rebooted from a bugcheck. The bugcheck was : 0xc00000E2 (0xffffffffffffffff, 0x0000000000000001, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 022309-16598-01
How to use DumpChk.exe to check a memory dump fileFor more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/156280/ )How to Use Dumpchk.exe to check a memory dump file
How to obtain a utility to automate the registry keys and paging files
How to read the memory dump files that Windows creates for debuggingTo download and install the latest version of the Windows debugging tools, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/devtools/debugging/default.mspxFor more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/315263/ )How to read the small memory dump files that Windows creates for debugging
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/824344/ )How to debug Windows services
For more information about debugging in Windows, see the following books:
How to verify Windows debug symbolsFor more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/311503/ )Use the Microsoft Symbol Server to obtain debug symbol files
(http://support.microsoft.com/kb/138258/ )Windows NT Debug Symbol Setup Information
(http://support.microsoft.com/kb/148659/ )How to Set Up Windows NT Debug Symbols
(http://support.microsoft.com/kb/148660/ )How to Verify Windows Debug Symbols
(http://support.microsoft.com/kb/258205/ )How To Use Rebase to Extract Symbols for DrWtSn32.exe
(http://support.microsoft.com/kb/296110/ )INFO: How to Install the Debug Symbols for Use with Visual Studio Products
(http://support.microsoft.com/kb/319037/ )How to use a symbol server with the Visual Studio .NET debugger
(http://support.microsoft.com/kb/814411/ )Hotfix Packages Do Not Include Debug Symbol Files
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 969028 - Last Review: January 22, 2014 - Revision: 15.0
Contact us for more help
Connect with Answer Desk for expert help.