How to generate a kernel or a complete memory dump file in Windows Server 2008

This step-by-step article describes how to generate, gather, check, and analyze kernel and complete memory dump files from a Windows Server 2008-based system.

Note Ideally, you should only do this when you are explicitly asked to do so by a Microsoft Customer Support Services Engineer. Kernel or complete memory dump file debugging should be the last resort after all the standard troubleshooting methods have been exhausted.

If you must contact Microsoft Customer Support and Services (CSS), this article will help you obtain the specific information that is required for CSS to identify the problem.

You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may prevent you from completing this procedure. A manual kernel or complete memory dump file is useful when troubleshooting a number of issues because the process captures a record of system memory at the time of a crash.

Warning Depending on the speed of the hard drive on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. When you initiate the dump file creation procedure, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.

When you restart the computer, the contents of that paging file are written to the dump file. Even in a best case scenario, where the dump file is configured to reside on another local hard drive, there will be a significant amount of data being read and written to the hard drives. This can cause a prolonged server outage.

Paging file

Typically, for regular functionality of your Windows Server 2008-based system, you would set the paging file size on your server. For more information about how to determine the appropriate paging file size, click the following article number to view the article in the Microsoft Knowledge Base:
Depending on what type of memory dump file that you are trying to collect, the minimum size of the paging file will vary. Windows Server 2008 has three options for memory dump files:

• Small Memory Dump (64 KB for a 32-bit operating system, 128 KB for a 64-bit operating system)
• Kernel Memory Dump
• Complete Memory Dump

To enable complete memory dump files on your server, follow these steps:

Step 1: Create a paging file

1. Click Start, right-click Computer, and then click Properties.
2. Click Advanced system settings on the System page, and then click the Advanced tab.
3. Click Settings under the Performance area.
4. Click the Advanced tab, and then click Change under the Virtual memory area.
5. Select the system partition where the operating system is installed.
   
   Note To enable the system partition, you have to click to clear the Automatically manage paging file size for all drives check box.
6. Set the value of Initial size and Maximum size to the amount of physical RAM that is installed plus 1 megabyte (MB) under the Custom Size button.
7. Click Set, and then click OK three times.

Partition size

In Windows Server 2003 or earlier versions of Windows, the partition on which the operating system is installed must be at least the size of the amount of physical RAM installed plus 1 megabyte (MB).
For Windows Server 2008, you may have to reduce the physical memory of the computer to produce a valid complete memory dump file. If the computer has more than 4 GB of physical memory or if there is not enough disk space for the paging file on the partition on which the operating system is installed, you may have to reduce the physical RAM of the computer. However, you can avoid this by using another partition as described in the "New behavior in Windows Vista and Windows Server 2008" section. To reduce the physical memory on the computer, use the truncatememory or removememory switches in the BCDEdit.exe file as described in the following TechNet/MSDN-based articles: Note On a 32-bit version of Windows Server 2008 that has Physical Address Extension (PAE) enabled, the paging file can extended beyond 4 GB (4,096 MB) in size. To verify if PAE is enabled, follow these steps:

1. Click Start, click Run, type Regedit, and then click OK.
2. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
3. Right-click PhysicalAddressExtension, and then click Modify.
4. In the Edit DWORD Value dialog box, check the value of the PhysicalAddressExtension entry. If the value of the PhysicalAddressExtension entry is zero (0), PAE is disabled. If the value of the PhysicalAddressExtension entry is 1, PAE is enabled.

New behavior in Windows Vista and Windows Server 2008

In Windows Vista and Windows Server 2008, the paging file does not have to be on the same partition as the partition on which the operating system is installed. To put a paging file on another partition, you must create a new registry entry named DedicatedDumpFile. You can also define the size of the paging file by using a new registry entry that is named DumpFileSize. To create the DedicatedDumpFile and DumpFileSize registry entries, follow these steps:

1. Click Start, click Run, type Regedit, and then click OK.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
3. On the Edit menu, point to New, and then click String Value.
4. In the details pane, type DedicatedDumpFile, and then press ENTER.
5. Right-click DedicatedDumpFile, and then click Modify.
6. In the Value data box, type <drive>:\<dedicateddumpfile.sys>, and then click OK.
   Note <drive> is a placeholder for a drive that has enough disk space for the paging file, and <dedicateddumpfile.sys> is a placeholder for the dedicated file and the full path.
7. On the Edit menu, point to New, and then click DWORD Value.
8. Type DumpFileSize , and then press ENTER.
9. Right-click DumpFileSize, and then click Modify.
10. In the Edit DWORD Value dialog box, click Decimal under Base.
11. In the Value data box, type the appropriate value, and then click OK.
    
    Note The size of the dump file is in megabytes.
12. Exit Registry Editor.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
If the physical memory of the operating system is larger than the size of the paging file on a Windows Server 2008-based or a Windows Vista SP1-based computer, kernel memory dump files may not be generated. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Step 2: Create a complete memory dump file

1. Click Start, right-click Computer, and then click Properties.
2. Click Advanced system settings on the System page, and then click the Advanced tab.
3. Click Settings under the Writing debugging information area, and then make sure Complete memory dump is selected.

Note By default, Complete memory dump is disabled. You can enable the option if your computer has more than 2 GB of physical RAM.

Note If you want to enable the Complete memory dump option, manually set the CrashDumpEnabled registry entry under the following registry subkey: For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Disk space

There must be enough free space in the selected location to write the memory dump file. By default, the memory dump file is written to the %SystemRoot%\Memory.dmp file. If there is not enough free space on the %SystemRoot% drive, you can redirect the dump file to another location that has enough free space. If the free disk space on the dump-file destination volume is not enough to accommodate a new dump file, the dump file is not copied and an Event ID 12 is logged in the System event log. The dump path is configured in the "DumpFile" registry value under the "HKLM\SYSTEM\CurrentControlSet\Control\Crash control" location. The following is the Event ID 12 that is logged in the System event log:

Event ID: 12
Description: The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.

To change the dump file path in the Startup and Recovery options on a Windows Server 2008-based computer, follow these steps:

1. Click Start, right-click Computer, and then click Properties.
2. Click Advanced system settings on the System page, and then click the Advanced tab.
3. Click Settings under the Writing debugging information area, and then replace the path with an appropriate value in the Dump file field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp.

Note A network drive, a shared drive, or a network access server (NAS) drive cannot be used as a destination for a memory dump file because it might not be available before the file copy begins.

Hotfixes for Windows Server 2008 SP1

The following hotfixes may resolve problems that occur when you try to create a memory dump file in Windows Server 2008 with SP1:

960658   (http://support.microsoft.com/kb/960658/ ) Windows Server 2008 systems may generate a truncated dump file if the system supports Dynamic Hardware Partitioning (DHP) and if memory is hot added

Notes
• This hotfix updates the Crashdmp.sys file, which replaces the hotfix that is mentioned in Knowledge Base articles 950858 and 958933.
• This hotfix updates the Ntkrnlpa.exe file or the Ntkrnlmp.exe file, which replaces the hotfix that is mentioned in Knowledge Base article 950917.


• 950904   (http://support.microsoft.com/kb/950904/ ) The system stops responding, and no dump file is generated when a computer that is running Windows Vista or Windows Server 2008 receives a nonmaskable interrupt
  
  Note This hotfix updates the Ipmidrv.sys file.
• 953533   (http://support.microsoft.com/kb/953533/ ) A computer that is running an x86 version of Windows Vista or of Windows Server 2008 on an IDE/ATA disk does not generate a valid dump file when PAE mode is enabled
  
  Note This hotfix updates the Dumpata.sys, Aliide.sys, Amdide.sys, Atapi.sys, Ataport.sys, Cmdide.sys, Intelide.sys, Msahci.sysm, Mshdc.inf, Pciide.sys, Pciidex.sys, and Viaide.sys files.
• 955635   (http://support.microsoft.com/kb/955635/ ) The page file size may become alternately too small or too large when you start Windows Server 2008 or Windows Vista if there is no available free disk space, and the page file size is managed by the system
  
  Note This hotfix updates the Smss.exe file, which replaces the hotfix that is mentioned in Knowledge Base article 953341.
• 957517   (http://support.microsoft.com/kb/957517/ ) A dedicated complete memory dump file may not be successfully generated if the volume that stores the dedicated dump file has insufficient free space
  
  Note This hotfix updates the Faultrep.dll, Werfault.exe, and Werfaultsecure.exe files.

Methods to generate a manual memory dump file

There are several methods to generate a manual kernel or complete memory dump file. These methods include using the NMI, keyboard (PS2/USB), remote kernel, or NotMyFault.exe tools.

How to generate a manual memory dump by using the NotMyFault tool

If you can log on while the problem is occurring, you can use the Microsoft SysInternals NotMyFault tool. To do this, follow these steps:

1. Download the NotMyFault tool from the following Microsoft Web site:
   http://download.sysinternals.com/Files/Notmyfault.zip (http://download.sysinternals.com/files/notmyfault.zip)
2. Click Start, locate and right-click Command Prompt, and then click Run as administrator.
3. At the command line, type NotMyfault.exe /crash, and then press ENTER.

Note This will generate a memory dump file and a "Stop D1" error.

How to generate a manual memory dump file by using the keyboard

• If you are using a PS/2 keyboard, you have to create the CrashOnCtrlScroll registry entry. For more information about how to generate a memory dump file by using the keyboard, click the following article number to view the article in the Microsoft Knowledge Base:
  244139  (http://support.microsoft.com/kb/244139/ ) Windows feature lets you generate a memory dump file by using the keyboard
• If you are using a USB keyboard, this feature is not supported in Windows Server 2008 Service Pack 1 until you install hotfix KB 971284. For more information about using the hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
  971284  (http://support.microsoft.com/kb/971284/ ) A hotfix is available to enable crash on CTRL-SCROLL support on Vista S about using the hotfix and Windows Server 2008 on a USB keyboard
  However, it is supported in Windows Server 2008 Service Pack 2 or later versions. You must create the CrashOnCtrlScroll registry entry on the Windows Server 2008-based computer for this feature to work. To enable the feature on a computer that uses a USB keyboard, follow these steps:
  1. Start Registry Editor.
  2. Locate and then click the following registry subkey:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
  3. On the Edit menu, click Add Value, and then add the following registry entry.

     Name : CrashOnCtrlScroll 
     Data Type : REG_DWORD 
     Value : 1 

  4. Exit Registry Editor.
  5. Restart the computer. (On a computer that uses a USB keyboard, you do not have to restart the computer. Unplugging the keyboard and plugging it back again is sufficient. After that, the Memory dump file can be generated.)
  Note The keyboard operation will generate a memory dump file and a "Stop E2" error.

How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Note This will generate a memory dump file and a "Stop 80" error.

How to generate a manual memory dump by using a remote debugger

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Note In WinDbg, you can use the .crash command. This command creates the memory dump file on the target computer. Or, if you want to copy the memory dump file by using a null modem, USB, or IEEE 1394, use the .dump command.

BIOS level server hardware recovery mechanism

Some computers have a feature at the BIOS level to do hardware recovery. For example, a computer may have one of the following features:

• An Automatic System Recovery (ASR) feature is available on some Hewlett Packard (HP) servers. If ASR exists, disable it. ASR can interrupt the dump process. On an HP server, you can disable ASR by modifying the BIOS settings. If this feature is enabled and if the BIOS does not detect a heartbeat from the operating system, it typically restarts the computer within 10 minutes.
• Dell computers have the same feature, and it is called Dell Special Administration Console (SAC) or !SAC.
• IBM computers have the same feature, and it is called RSA II (OS) watchdogs.
• Fujitsu, NEC, Samsung, Unisys, and other server hardware manufacturers may have a similar feature in their servers.

Note If you are uncertain whether your hardware has a hardware recovery feature, contact the hardware manufacturer.

Testing whether you can obtain a manual memory dump

Warning It is critical that you test whether you can obtain a manual memory dump file. If a dump file is corrupted or truncated, the problem must occur again for you to obtain a good memory dump file.

To test whether you can obtain a good dump file on a computer, use NotMyFault, or press the RIGHT CTRL key while you press the SCROLL LOCK key two times. After the server restarts, wait for disk activity to stop. The dump file should be the same size as physical memory. If you have problems obtaining a manual memory dump file, you may have to update the SCSI controller firmware and driver from the hardware vendor.

Obtaining Blue Screen information after generating a memory dump file

You can configure a Windows-based operating system to write an event log message with bugcheck information. By default, Windows Server 2008 is set to write event log messages. You can disable this feature by creating a LogEvent registry entry and setting it to 0 under the following registry subkey:Note The description and format of the event log differs from the format that is displayed when the computer is writing the memory dump file. However, the majority of the information is the same. The following is a sample of the event log:

Event ID: 1001 Source: BugCheck Description: The computer has rebooted from a bugcheck. The bugcheck was : 0xc00000E2 (0xffffffffffffffff, 0x0000000000000001, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 022309-16598-01

How to use DumpChk.exe to check a memory dump file

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

How to obtain a utility to automate the registry keys and paging files

1. Download DumpConfigurator.hta from the following Microsoft Web site:
   http://www.codeplex.com/WinPlatTools/SourceControl/changeset/view/14600#256939 (http://www.codeplex.com/WinPlatTools/SourceControl/changeset/view/14600#256939)
2. Click Download, and then click I Agree after you read the Microsoft Software License Terms.
3. Save the WInPlatTools-14600.zip file, and then extract the DumpConfigurator.hta utility.
4. Click DumpConfigurator.hta, and then click Auto Config Complete.

How to read the memory dump files that Windows creates for debugging

To download and install the latest version of the Windows debugging tools, visit the following Microsoft Web site: For more information, click the following article number to view the article in the Microsoft Knowledge Base:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about debugging in Windows, see the following books:

• Windows Internals, Fifth Edition by Mark Russinovich. For more information, visit the following Microsoft Web site:
  http://www.microsoft.com/learning/en/us/Books/12069.aspx (http://www.microsoft.com/learning/en/us/Books/12069.aspx)
• Advanced Windows Debugging by Mario Hewardt and Daniel Pravat. For more information, visit the following Microsoft Web site:
  http://advancedwindowsdebugging.com (http://advancedwindowsdebugging.com)

How to verify Windows debug symbols

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.