How to Read Kernel Memory Dump Windows 7
How to read the small memory dump file that is created by Windows if a crash occurs
This article describes how to examine a small memory dump file. A small memory dump file can help you determine why your computer crashed.
Applies to: Windows 10 - all editions, Windows Server 2012 R2
Original KB number: 315263
Small memory dump files
If your computer crashes, how can you find out what happened, fix the issue, and prevent it from happening again? You may find the small memory dump file useful in this situation. The small memory dump file contains the smallest amount of useful information that could help you identify why your computer crashed. The memory dump file contains the following information:
- The Stop message, its parameters, and other data
- A list of loaded drivers
- The processor context (PRCB) for the processor that stopped
- The process information and kernel context (EPROCESS) for the process that stopped
- The process information and kernel context (ETHREAD) for the thread that stopped
- The Kernel-mode call stack for the thread that stopped
To create a memory dump file, Windows requires a paging file on the boot volume that is at least 2 megabytes (MB) in size. On computers that are running Microsoft Windows 2000, or a later version of Windows, a new memory dump file is created each time that a computer crash may occur. A history of these files is stored in a folder. If a second problem occurs and if Windows creates a second small memory dump file, Windows preserves the previous file. Windows gives each file a distinct, date-encoded file name. For example, Mini022900-01.dmp is the first memory dump file that was generated on February 29, 2000. Windows keeps a list of all the small memory dump files in the %SystemRoot%\Minidump folder.
The small memory dump file can be useful when hard disk space is limited. However, because of the limited information that is included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.
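The following is an added example, not part of the original article or of Microsoft's tooling. It orders a Minidump folder listing by the date-encoded names described above and reads the Stop code and its parameters from a dump header. It assumes the MMDDYY-NN name pattern inferred from Mini022900-01.dmp and the commonly documented kernel dump header layout (PAGE signature, DUMP or DU64 marker, Stop code at offset 0x28 or 0x38); the function names and the sample header are constructed.

```python
import re
import struct
from datetime import date

# Name pattern inferred from the article's example Mini022900-01.dmp: MMDDYY-NN.
NAME_RE = re.compile(r"^Mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$", re.IGNORECASE)

def parse_name(name):
    """Return (crash_date, sequence), or None if the name is not date-encoded."""
    m = NAME_RE.match(name)
    if not m:
        return None
    month, day, yy, seq = (int(g) for g in m.groups())
    try:
        # Assumption: two-digit years map to 2000-2099.
        return date(2000 + yy, month, day), seq
    except ValueError:  # impossible calendar date, e.g. month 13
        return None

def read_stop_info(header):
    """Return (bits, stop_code, [4 parameters]), or None if not a kernel dump."""
    if len(header) < 0x60 or header[:4] != b"PAGE":
        return None
    if header[4:8] == b"DUMP":  # 32-bit header (assumed offsets)
        code, = struct.unpack_from("<I", header, 0x28)
        params = struct.unpack_from("<4I", header, 0x2C)
        return 32, code, list(params)
    if header[4:8] == b"DU64":  # 64-bit header (assumed offsets)
        code, = struct.unpack_from("<I", header, 0x38)
        params = struct.unpack_from("<4Q", header, 0x40)
        return 64, code, list(params)
    return None

def build_sample_header():
    """Constructed 64-bit header: Stop 0xD1 with made-up parameters."""
    buf = bytearray(0x60)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, 0x38, 0xD1)
    struct.pack_into("<4Q", buf, 0x40, 0x10, 2, 0, 0xFFFFF80000001000)
    return bytes(buf)

if __name__ == "__main__":
    for name in ("Mini022900-01.dmp", "Mini133200-01.dmp", "MEMORY.DMP"):
        print(name, parse_name(name))
    print(read_stop_info(build_sample_header()))
```

To run it on a real file, pass the first 0x60 bytes of the dump to read_stop_info; a None result means the file does not start with a kernel dump header and is worth checking with Dumpchk.exe.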
Configure the dump type
To configure startup and recovery options to use the small memory dump file, follow these steps.
Note
Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
- Click Start, and then click Control Panel.
- Double-click System, and then click Advanced system settings.
- Click the Advanced tab, and then click Settings under Startup and Recovery.
- In the Write debugging information list, click Small memory dump (256k).
To change the folder location for the small memory dump files, type a new path in the Dump File box (or in the Small dump directory box, depending on your version of Windows).
Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file has been created correctly.
Note
The Dump Check Utility does not require access to debugging symbols. Symbol files hold a variety of data which are not actually needed when running the binaries, but which could be very useful in the debugging process.
For more information about how to use Dump Check Utility in Windows NT, Windows 2000, Windows Server 2003 or Windows Server 2008, see Microsoft Knowledge Base article 156280: How to Use Dumpchk.exe to check a memory dump file.
For more information about how to use Dump Check Utility in Windows XP, Windows Vista or Windows 7, see Microsoft Knowledge Base article 315271: How to use Dumpchk.exe to check a Memory Dump file.
Or, you can use the Windows Debugger (WinDbg.exe) tool or the Kernel Debugger (KD.exe) tool to read small memory dump files. WinDbg and KD.exe are included with the latest version of the Debugging Tools for Windows package.
To install the debugging tools, see the Download and Install Debugging Tools for Windows webpage. Select the Typical installation. By default, the installer installs the debugging tools in the following folder:
C:\Program Files\Debugging Tools for Windows
This Web page also provides access to the downloadable symbol packages for Windows. For more information about Windows symbols, see Debugging with Symbols, and the Download Windows Symbol Packages webpage.
For more information about dump file options in Windows, see Overview of memory dump file options for Windows.
Open the dump file
To open the dump file after the installation is complete, follow these steps:
- Click Start, click Run, type cmd, and then click OK.
- Change to the Debugging Tools for Windows folder. To do this, type the following at the command prompt, and then press ENTER:
cd c:\program files\debugging tools for windows
- To load the dump file into a debugger, type one of the following commands, and then press ENTER:
windbg -y SymbolPath -i ImagePath -z DumpFilePath
or
kd -y SymbolPath -i ImagePath -z DumpFilePath
The following table explains the use of the placeholders that are used in these commands.
Placeholder | Explanation |
---|---|
SymbolPath | Either the local path where the symbol files have been downloaded or the symbol server path, including a cache folder. Because a small retention dump file contains limited information, the actual binary files must be loaded together with the symbols for the dump file to be correctly read. |
ImagePath | The path of these files. The files are contained in the I386 folder on the Windows XP CD-ROM. For example, the path may be C:\Windows\I386 . |
DumpFilePath | The path and file name for the dump file that you are examining. |
Sample commands
You can use the following sample commands to open the dump file. These commands assume the following:
- The contents of the I386 folder on the Windows CD-ROM are copied to the C:\Windows\I386 folder.
- Your dump file is named C:\Windows\Minidump\Minidump.dmp.
Sample 1:
kd -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\windows\i386 -z c:\windows\minidump\minidump.dmp
Sample 2. If you prefer the graphical version of the debugger instead of the command-line version, type the following command instead:
windbg -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\windows\i386 -z c:\windows\minidump\minidump.dmp
Examine the dump file
There are several commands that you can use to gather information in the dump file, including the following commands:
- The !analyze -show command displays the Stop error code and its parameters. The Stop error code is also known as the bug check code.
- The !analyze -v command displays verbose output.
- The lm N T command lists the specified loaded modules. The output includes the status and the path of the module.
Note
The !drivers extension command displays a list of all drivers that are loaded on the destination computer, together with summary information about their memory use. The !drivers extension is obsolete in Windows XP and later. To display information about loaded drivers and other modules, use the lm command. The lm N T command displays information in a format that is similar to the old !drivers extension.
For help with other commands and for complete command syntax, see the debugging tools Help documentation. The debugging tools Help documentation can be found in the following location:
C:\Program Files\Debugging Tools for Windows\Debugger.chm
Note
If you have symbol-related problems, use the Symchk utility to verify that the correct symbols are loaded correctly. For more information about how to use Symchk, see Debugging with Symbols.
Simplify the commands by using a batch file
After you identify the command that you must have to load memory dumps, you can create a batch file to examine a dump file. For example, create a batch file and name it Dump.bat. Save it in the folder where the debugging tools are installed. Type the following text in the batch file:
cd "c:\program files\debugging tools for windows"
kd -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\windows\i386 -z %1
When you want to examine a dump file, type the following command to pass the dump file path to the batch file:
dump c:\windows\minidump\minidump.dmp
Source: https://docs.microsoft.com/en-us/troubleshoot/windows-client/performance/read-small-memory-dump-file