09 December 2011
How to generate a memory dump in Windows?
Sent Memory dump instructions
Below are the steps to ensure Windows is properly configured to produce a memory dump:
It is best to use a machine that has 2GB RAM or less for this process.
Before proceeding any further, be sure to read the following Microsoft document: http://support.microsoft.com/kb/254649
The above document is an overview of the memory dump process per Microsoft and is considered "Best Practice" for this task.
First, ensure that Windows is set to collect complete memory dumps:
1. Under "Startup and Recovery" click the Settings button
2. Under "Write debugging information" select "Complete memory dump" from the drop down list box
3. Check the box "Overwrite any existing file"
4. Click OK
5. You may get a message about pagefile requirements -- if so, click Yes
6. Click OK
Next, enable pool tagging to enhance the dump:
1. Run the Gflags.exe utility. Gflags is installed by default on newer Microsoft operating systems. If it is not on your system, look in the Support Tools directory of your operating system media.
See the following Microsoft document: http://msdn.microsoft.com/en-us/library/cc265942.aspx
2. Check the box "Enable pool tagging"
3. Click OK
4. Reboot your computer when prompted, or reboot manually later -- but you must reboot for the changes to take effect
Set Windows to “Force” a crash:
There are many ways to force a machine to crash and create a memory dump. I recommend using the first method when possible, as it is the official Microsoft recommendation for doing the manual dump. A reboot is required for the first method to be active.
> If the machine is Windows 2000, XP, 2003, or Vista there is a special registry key that you can set. Then you press a special key combination at any time to force a manual blue screen. For complete details, including the settings for PS/2 and USB keyboards, see Microsoft article: http://support.microsoft.com/kb/244139
> If the machine is Windows NT or newer you can use OSR Online's "Bang! -- Crash on Demand Utility". This is a little utility that installs a dummy driver to crash the machine. Note that this may need to be uninstalled manually -- read the accompanying documentation for details. See OSR Online article: http://www.osronline.com/article.cfm?article=153
> If you are debugging the machine with WinDbg, use the ".crash" command to initiate a manual crash.
After setting up the on-demand crash, replicate the issue with high CPU usage and then force the machine to crash, which will generate a blue screen and write a memory dump.
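As an added check that is not part of the original instructions, the following PowerShell script reads the registry values behind the GUI steps above and reports whether the machine is ready to write a complete, overwritable dump with pool tagging and the keyboard crash key in place. It assumes it runs from an elevated prompt on the target Windows host; the function name Audit-CrashDumpConfig is chosen here, while the registry paths and values are the documented ones behind the Microsoft articles linked above.

```powershell
# Added audit script (not from the original post). Read-only: it inspects the
# registry values behind the GUI steps above and lists what is still missing.
# Run from an elevated PowerShell prompt; the function name is chosen here.
function Audit-CrashDumpConfig {
    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction Stop
    $sess  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction Stop
    $findings = @()

    # CrashDumpEnabled: 1 = complete, 2 = kernel, 3 = small, 7 = automatic (Windows 8+)
    if ($crash.CrashDumpEnabled -ne 1) {
        $findings += "CrashDumpEnabled is $($crash.CrashDumpEnabled); expected 1 (Complete memory dump)"
    }
    if ($crash.Overwrite -ne 1) {
        $findings += "Overwrite is $($crash.Overwrite); expected 1 (Overwrite any existing file)"
    }
    $dumpFile = if ($crash.DumpFile) { $crash.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }

    # Pool tagging is bit 0x400 (FLG_POOL_ENABLE_TAGGING) of GlobalFlag. Newer Windows
    # tags pool unconditionally, so a clear bit is only reported on pre-Vista systems.
    $gflags  = [int]$sess.GlobalFlag
    $poolTag = ($gflags -band 0x400) -ne 0
    if (-not $poolTag -and [Environment]::OSVersion.Version.Major -lt 6) {
        $findings += "GlobalFlag 0x$($gflags.ToString('X')) lacks 0x400; run gflags.exe and enable pool tagging"
    }

    # CrashOnCtrlScroll (KB244139): i8042prt covers PS/2 keyboards, kbdhid covers USB keyboards
    $kbd = foreach ($svc in 'i8042prt', 'kbdhid') {
        $p = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" `
                              -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
        if ($p -and $p.CrashOnCtrlScroll -eq 1) { $svc }
    }
    if (-not $kbd) { $findings += 'CrashOnCtrlScroll is not set for i8042prt (PS/2) or kbdhid (USB)' }

    # A complete dump needs a pagefile on the boot volume of at least RAM + 1 MB (KB254649)
    $ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $sysDrv = $env:SystemDrive
    $pf = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$sysDrv*" } | Select-Object -First 1
    if (-not $pf -or $pf.AllocatedBaseSize -lt ($ramMB + 1)) {
        $findings += "Pagefile on $sysDrv is $($pf.AllocatedBaseSize) MB; a complete dump needs at least $($ramMB + 1) MB"
    }

    [pscustomobject]@{
        DumpFile         = $dumpFile
        CrashDumpEnabled = $crash.CrashDumpEnabled
        PoolTagging      = $poolTag
        CrashKeyDrivers  = @($kbd)
        Findings         = $findings
        Ready            = ($findings.Count -eq 0)
    }
}

Audit-CrashDumpConfig | Format-List
```

Registry changes made through the GUI or gflags only take effect after the reboot the steps above call for, so run the audit after that reboot.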
After the blue screen:
When the blue screen occurs it will write the contents of system memory to the page file. On reboot a process called "savedump.exe" will copy the contents from the page file to the MEMORY.DMP file on disk. Do not interrupt the savedump.exe process while it is running, otherwise the MEMORY.DMP file will be truncated and possibly corrupted. You may wish to watch the process in Task Manager until it is completed to ensure the memory dump is completely written.
The resulting MEMORY.DMP file can be quite large. However, most of the contents are zeroed memory, so it should compress with WinZip or WinRAR to a much smaller size. A one gigabyte memory dump will usually compress down to 100-300 megabytes, which will allow for much easier transfer across the network.