How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2

Article translations Article translations
Article ID: 969028 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Expand all | Collapse all

On This Page

INTRODUCTION

This step-by-step article describes how to generate, gather, check, and analyze kernel and complete memory dump files from a Windows Server 2008-based system.

Note Ideally, you should only do this when you are explicitly asked to do so by a Microsoft Customer Support Services Engineer. Kernel or complete memory dump file debugging should be the last resort after all the standard troubleshooting methods have been exhausted.

If you must contact Microsoft Customer Support and Services (CSS), this article will help you obtain the specific information that is required for CSS to identify the problem.

You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may prevent you from completing this procedure. A manual kernel or complete memory dump file is useful when troubleshooting a number of issues because the process captures a record of system memory at the time of a crash.

Warning Depending on the speed of the hard drive on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. When you initiate the dump file creation procedure, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.

When you restart the computer, the contents of that paging file are written to the dump file. Even in a best case scenario, where the dump file is configured to reside on another local hard drive, there will be a significant amount of data being read and written to the hard drives. This can cause a prolonged server outage.

More information

Paging file

Typically, for regular functionality of your Windows Server 2008-based system, you would set the paging file size on your server. For more information about how to determine the appropriate paging file size, click the following article number to view the article in the Microsoft Knowledge Base:
889654 How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP

Depending on what type of memory dump file that you are trying to collect, the minimum size of the paging file will vary. Windows Server 2008 has three options for memory dump files:
  • Small Memory Dump (64 KB for a 32-bit operating system, 128 KB for a 64-bit operating system)
  • Kernel Memory Dump
  • Complete Memory Dump
To enable complete memory dump files on your server, follow these steps:

Step 1: Create a paging file
  1. Click Start, right-click Computer, and then click Properties.
  2. Click Advanced system settings on the System page, and then click the Advanced tab.
  3. Click Settings under the Performance area.
  4. Click the Advanced tab, and then click Change under the Virtual memory area.
  5. Select the system partition where the operating system is installed.

    Note To enable the system partition, you have to click to clear the Automatically manage paging file size for all drives check box.
  6. Set the value of Initial size and Maximum size to the amount of physical RAM that is installed plus 100 megabyte (MB) under the Custom Size button.
  7. Click Set, and then click OK three times.
  8. Restart Windows in order for your changes to take effect.

Partition size

In Windows Server 2003 or earlier versions of Windows, the partition on which the operating system is installed must be at least the size of the amount of physical RAM installed plus 100 megabyte (MB).
For Windows Server 2008, you may have to reduce the physical memory of the computer to produce a valid complete memory dump file. If the computer has more than 4 GB of physical memory or if there is not enough disk space for the paging file on the partition on which the operating system is installed, you may have to reduce the physical RAM of the computer. However, you can avoid this by using another partition as described in the "New behavior in Windows Vista and Windows Server 2008" section. To reduce the physical memory on the computer, use the truncatememory or removememory switches in the BCDEdit.exe file as described in the following TechNet/MSDN-based articles:
Boot Configuration Data Editor Frequently Asked Questions
http://technet.microsoft.com/en-us/library/cc721886.aspx
BCD Boot Options Reference
http://msdn.microsoft.com/en-us/library/aa906217.aspx
Note On a 32-bit version of Windows Server 2008 that has Physical Address Extension (PAE) enabled, the paging file can extended beyond 4 GB (4,096 MB) in size. To verify if PAE is enabled, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  3. Right-click PhysicalAddressExtension, and then click Modify.
  4. In the Edit DWORD Value dialog box, check the value of the PhysicalAddressExtension entry. If the value of the PhysicalAddressExtension entry is zero (0), PAE is disabled. If the value of the PhysicalAddressExtension entry is 1, PAE is enabled.
  5. Restart Windows in order for your changes to take effect.


New behavior in Windows Vista and Windows Server 2008

In Windows Vista and Windows Server 2008, to get a Memory Dump, the paging file does not have to be on the same partition as the partition on which the operating system is installed as was the requirements of previous versions.

To put a paging file on another partition, you must create a new registry entry named
DedicatedDumpFile

You can also define the size of the paging file for the creation of Memory Dumps by using a new registry entry that is named
DumpFileSize

Note DedicatedDumpFile cannot be used to generate a dump file to a spanned volume. This includes striped or RAID 5 volumes.

To create the
DedicatedDumpFile
and
DumpFileSize
registry entries, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  3. On the Edit menu, point to New, and then click String Value.
  4. In the details pane, type DedicatedDumpFile, and then press ENTER.
  5. Right-click DedicatedDumpFile, and then click Modify.
  6. In the Value data box, type <drive>:\<dedicateddumpfile.sys>, and then click OK.
    Note <drive> is a placeholder for a drive that has enough disk space for the dump file, and <dedicateddumpfile.sys> is a placeholder for the dedicated file and the full path.
  7. On the Edit menu, point to New, and then click DWORD Value.
  8. Type DumpFileSize , and then press ENTER.
  9. Right-click DumpFileSize, and then click Modify.
  10. In the Edit DWORD Value dialog box, click Decimal under Base.
  11. In the Value data box, type the appropriate value, and then click OK.

    Note The size of the dump file is in megabytes.
  12. Right-click DumpFile, and then click Modify.
  13. In the Value data box, type <drive>:\<path>\Memory.dmp, and then click OK.

    Note When the system crashes, this is the location where the memory dump file is created by using the dedicated file instead of by using the Pagefile.sys file. It is possible to use something other than the ".sys" extension on "DedicatedDump.sys", eg: "DedicatedDump.dmp". Since this will not be used as a .DMP file directly when the system bugchecks, naming it with a .DMP extension may become confusing for someone trying to copy the dump file after reboot. Using ".sys" makes it easy to determine that it's not the final location for the dump, but it can work with any name you choose (eg: "DedicatedDump.Ddmp").
  14. Exit Registry Editor.
  15. Restart Windows in order for your changes to take effect.

Note When you use DedicatedDumpFile in Windows Vista and Windows Server 2008, there must be at least one paging file on any of the partitions. The size of the paging file is not important in this case. In Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, you can eliminate this limitation by installing hotfix 2716542. For more information about this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:  
2716542 A hotfix is available that enables a Windows 7-based or Windows Server 2008 R2-based computer to create a memory dump file without a page file
This limitation does not exist in Windows 8 , Windows Server 2012 and later versions.

For more information about Windows Server 2008 and Windows Vista, click the following article number to view the article in the Microsoft Knowledge Base:
950858 Dedicated dump files are unexpectedly truncated to 4 GB on a computer that is running Windows Server 2008 or Windows Vista and that has more than 4 GB of physical memory

If the physical memory of the operating system is larger than the size of the paging file on a Windows Server 2008-based or a Windows Vista SP1-based computer, kernel memory dump files may not be generated. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
949052 Kernel memory dump files may not be generated on Windows Server 2008-based and Windows Vista Service Pack 1-based computers when system memory is larger than the size of the page file

New behavior in Windows 7 and Windows Server 2008 R2

In Windows 7 and Windows Server 2008 R2, to get a Memory Dump, the paging file does not have to be on the same partition as the partition on which the operating system is installed. To put a paging file on another partition, it is not mandatory to use DedicatedDumpFile registry entry.

Paging file on a Dynamic Disk

Dynamic Disk is not recognized as a boot or system volume like other disk volumes. Therefore, if you create a paging file only on volume other than a boot or system volume, the operating system is unable to recognize these volumes when creating the memory dump. This results in failure of generating the memory dumps.

Note The behavior above also applies to DedicatedDumpFile.

Using Retain command in Diskpart command interpreter, you can prepare an existing dynamic volume to be used as a boot or system volume. To use the Retain command, follow these steps:
  1. Open an elevated Command Prompt
  2. At the command prompt, type Diskpart and then press Enter.
  3. At the Diskpart prompt, type list vol, and then press Enter.
  4. Note the volume number for which you created the paging file.
  5. Type select vol #, and then press Enter. (The # represents the volume number noted in step 4.)
  6. Type retain, and then press Enter.
  7. Type detail vol, and then press Enter (Check for the parameter called Installable and it should be set to Yes.)

    Note The Installable parameter is only available in Windows Server 2008 R2 and newer operating system.
  8. Restart the computer.
Note You can use the Retain command on 4 different volumes at maximum. If you need to run the command for other volumes after reaching the limit of 4, you need to delete the volumes on which the Retain command was used previously.

For more information on Retain command, click the following article number to view the article in the Microsoft Knowledge Base:

300415 A Description of the Diskpart Command-Line Utility

Also, check the following TechNet article:

http://technet.microsoft.com/en-us/library/cc755127.aspx


Paging file referential order

When you try to create a dump file by using a paging file that exists on a volume other than a boot volume (by default, the C: drive), you may not be able to create the dump file as expected even though you reserve enough paging file size. There may not be a proper paging file referential order. To check if the expected volume is taking precedence over other volumes in the paging file referential order, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\MemoryManagement
  3. Double-click PagingFiles.
  4. Verify value data to see if the expected volume path is in the first row.

If you need to change the order, follow these steps:
  1. Click Start, click Run, type Regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\MemoryManagement
  3. Right-click PagingFiles, and then click Modify.
  4. Move the relevant volume pass to the top of the box.
  5. Exit Registry Editor.
  6. Restart Windows to make the change take effect.

Step 2: Create a complete memory dump file
  1. Click Start, right-click Computer, and then click Properties.
  2. Click Advanced system settings on the System page, and then click the Advancedtab.
  3. Click Settings under the Writing debugging information area, and then make sure Complete memory dump is selected.
Note By default, Complete memory dump is disabled. You can enable the option if your computer has more than 2 GB of physical RAM.

Note If you want to enable the Complete memory dump option, manually set the CrashDumpEnabled registry entry to 0x1 under the following registry subkey and restart Windows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
885117 "Kernel Memory Dump" is displayed in Startup and Recovery, but a complete memory dump is performed in Windows 2000 or in Windows Server 2003

Disk space

There must be enough free space in the selected location to write the memory dump file. By default, the memory dump file is written to the %SystemRoot%\Memory.dmp file. If there is not enough free space on the %SystemRoot% drive, you can redirect the dump file to another location that has enough free space. If the free disk space on the dump-file destination volume is not enough to accommodate a new dump file, the dump file is not copied and an Event ID 12 is logged in the System event log. The dump path is configured in the "DumpFile" registry value under the "HKLM\SYSTEM\CurrentControlSet\Control\Crash control" location. The following is the Event ID 12 that is logged in the System event log:

Event ID: 12
Description: The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.



To change the dump file path in the Startup and Recovery options on a Windows Server 2008-based computer, follow these steps:
  1. Click Start, right-click Computer, and then click Properties.
  2. Click Advanced system settings on the System page, and then click the Advanced tab.
  3. Click Settings under the Writing debugging information area, and then replace the path with an appropriate value in the Dump file field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp.
  4. Restart Windows in order for the change to take effect.
Note A network drive, a shared drive, or a Network Attached Storage (NAS) drive cannot be used as a destination for a memory dump file because it might not be available before the file copy begins.

Hotfixes for Windows Server 2008 SP1

The following hotfixes may resolve problems that occur when you try to create a memory dump file in Windows Server 2008 with SP1:
    960658 Windows Server 2008 systems may generate a truncated dump file if the system supports Dynamic Hardware Partitioning (DHP) and if memory is hot added

    Notes
    • This hotfix updates the Crashdmp.sys file, which replaces the hotfix that is mentioned in Knowledge Base articles 950858 and 958933.
    • This hotfix updates the Ntkrnlpa.exe file or the Ntkrnlmp.exe file, which replaces the hotfix that is mentioned in Knowledge Base article 950917.

  • 950904 The system stops responding, and no dump file is generated when a computer that is running Windows Vista or Windows Server 2008 receives a nonmaskable interrupt

    Note This hotfix updates the Ipmidrv.sys file.
  • 953533 A computer that is running an x86 version of Windows Vista or of Windows Server 2008 on an IDE/ATA disk does not generate a valid dump file when PAE mode is enabled

    Note This hotfix updates the Dumpata.sys, Aliide.sys, Amdide.sys, Atapi.sys, Ataport.sys, Cmdide.sys, Intelide.sys, Msahci.sysm, Mshdc.inf, Pciide.sys, Pciidex.sys, and Viaide.sys files.
  • 955635 The page file size may become alternately too small or too large when you start Windows Server 2008 or Windows Vista if there is no available free disk space, and the page file size is managed by the system

    Note This hotfix updates the Smss.exe file, which replaces the hotfix that is mentioned in Knowledge Base article 953341.
  • 957517 A dedicated complete memory dump file may not be successfully generated if the volume that stores the dedicated dump file has insufficient free space

    Note This hotfix updates the Faultrep.dll, Werfault.exe, and Werfaultsecure.exe files.

Methods to generate a manual memory dump file

There are several methods to generate a manual kernel or complete memory dump file. These methods include using the NMI, keyboard (PS2/USB), remote kernel, or NotMyFault.exe tools.

How to generate a manual memory dump by using the NotMyFault tool

If you can log on while the problem is occurring, you can use the Microsoft SysInternals NotMyFault tool. To do this, follow these steps:
  1. Download the NotMyFault tool from the following Microsoft Web site:
    http://download.sysinternals.com/files/NotMyFault.zip
  2. Click Start, locate and right-click Command Prompt, and then click Run as administrator.
  3. At the command line, type NotMyFault.exe /crash, and then press ENTER.
Note This will generate a memory dump file and a "Stop D1" error.

How to generate a manual memory dump file by using the keyboard

  • If you are using a PS/2 keyboard, you have to create the
    CrashOnCtrlScroll
    registry entry. For more information about how to generate a memory dump file by using the keyboard, click the following article number to view the article in the Microsoft Knowledge Base:
    244139 Windows feature lets you generate a memory dump file by using the keyboard
  • If you are using a USB keyboard, this feature is not supported in Windows Server 2008 Service Pack 1 until you install hotfix KB 971284. For more information about using the hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
    971284 A hotfix is available to enable crash on CTRL-SCROLL support on Vista S about using the hotfix and Windows Server 2008 on a USB keyboard
    However, it is supported in Windows Server 2008 Service Pack 2 or later versions. You must create the CrashOnCtrlScroll registry entry on the Windows Server 2008-based computer for this feature to work. To enable the feature on a computer that uses a USB keyboard, follow these steps:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
    3. On the Edit menu, click Add Value, and then add the following registry entry.
      Name : CrashOnCtrlScroll 
      Data Type : REG_DWORD 
      Value : 1 
    4. Exit Registry Editor.
    5. Restart the computer. (On a computer that uses a USB keyboard, you do not have to restart the computer. Unplugging the keyboard and plugging it back again is sufficient. After that, the Memory dump file can be generated.)
    Note The keyboard operation will generate a memory dump file and a "Stop E2" error.
    This hotfix is included in Service Pack 2 for Windows Vista and Windows Server 2008.

How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
927069 How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

Note This will generate a memory dump file and a "Stop 80" error.

How to generate a manual memory dump by using a remote debugger

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
303021 How to Generate a Memory Dump File When a Server Stops Responding (Hangs)

Note In WinDbg, you can use the .crash command. This command creates the memory dump file on the target computer. Or, if you want to copy the memory dump file by using a null modem, USB, or IEEE 1394, use the .dump command.

BIOS level server hardware recovery mechanism

Some computers have a feature at the BIOS level to do hardware recovery. For example, a computer may have one of the following features:
  • An Automatic System Recovery (ASR) feature is available on some Hewlett Packard (HP) servers. If ASR exists, disable it. ASR can interrupt the dump process. On an HP server, you can disable ASR by modifying the BIOS settings. If this feature is enabled and if the BIOS does not detect a heartbeat from the operating system, it typically restarts the computer within 10 minutes.
  • Dell computers have the same feature, and it is called Dell Special Administration Console (SAC) or !SAC.
  • IBM computers have the same feature, and it is called RSA II (OS) watchdogs.
  • Fujitsu, NEC, Samsung, Unisys, and other server hardware manufacturers may have a similar feature in their servers.
Note If you are uncertain whether your hardware has a hardware recovery feature, contact the hardware manufacturer.

Testing whether you can obtain a manual memory dump

Warning It is critical that you test whether you can obtain a manual memory dump file. If a dump file is corrupted or truncated, the problem must occur again for you to obtain a good memory dump file.

To test whether you can obtain a good dump file on a computer, use NotMyFault, or press the RIGHT CTRL key while you press the SCROLL LOCK key two times. After the server restarts, wait for disk activity to stop. The dump file should be the same size as physical memory. If you have problems obtaining a manual memory dump file, you may have to update the SCSI controller firmware and driver from the hardware vendor.

Obtaining Blue Screen information after generating a memory dump file

You can configure a Windows-based operating system to write an event log message with bugcheck information. By default, Windows Server 2008 is set to write event log messages. You can disable this feature by creating a LogEvent registry entry and setting it to 0 under the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
Note The description and format of the event log differs from the format that is displayed when the computer is writing the memory dump file. However, the majority of the information is the same. The following is a sample of the event log:

Event ID: 1001 Source: BugCheck Description: The computer has rebooted from a bugcheck. The bugcheck was : 0xc00000E2 (0xffffffffffffffff, 0x0000000000000001, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 022309-16598-01

How to use DumpChk.exe to check a memory dump file

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
156280 How to Use Dumpchk.exe to check a memory dump file

How to obtain a utility to automate the registry keys and paging files

  1. Download DumpConfigurator.hta from the following Microsoft Web site:
    http://www.codeplex.com/WinPlatTools/SourceControl/changeset/view/14600#256939
  2. Click Download, and then click I Agree after you read the Microsoft Software License Terms.
  3. Save the WInPlatTools-14600.zip file, and then extract the DumpConfigurator.hta utility.
  4. Click DumpConfigurator.hta, and then click Auto Config Complete.

How to read the memory dump files that Windows creates for debugging

To download and install the latest version of the Windows debugging tools, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
315263 How to read the small memory dump files that Windows creates for debugging

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824344 How to debug Windows services

For more information about debugging in Windows, see the following books:

How to verify Windows debug symbols

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
311503 Use the Microsoft Symbol Server to obtain debug symbol files
138258 Windows NT Debug Symbol Setup Information
148659 How to Set Up Windows NT Debug Symbols
148660 How to Verify Windows Debug Symbols
258205 How To Use Rebase to Extract Symbols for DrWtSn32.exe
296110 INFO: How to Install the Debug Symbols for Use with Visual Studio Products
319037 How to use a symbol server with the Visual Studio .NET debugger
814411 Hotfix Packages Do Not Include Debug Symbol Files

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 969028 - Last Review: January 22, 2014 - Revision: 15.0
Applies to
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Standard without Hyper-V
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Business
  • Windows Vista Ultimate
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Service Pack 1
  • Windows 7 Service Pack 1
Keywords: 
kbsurveynew kbexpertiseadvanced kbhowto KB969028

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com