7004093: How to get a Windows memory dump

If the “Complete memory dump” option is not available:

In later Windows versions, the “Complete memory dump” option is removed from the choice list when Windows knows that a complete memory dump isn’t possible, e.g. the amount of physical RAM is more than 2GB, or the page file size isn’t set to the size of physical memory or greater.

The KB article “How to generate a kernel or a complete memory dump file in Windows Server 2008” (http://support.microsoft.com/kb/969028) presents a good deal of information on what’s new and different about obtaining a crash dump on Vista/2008, and also covers how to manually force a dump. The document describes how to enable the “Complete” memory dump option even when the machine has over 4GB of memory. However, because of the issue it describes (dumps over 4GB potentially being corrupt), and because making and uploading a dump of that size is generally unnecessary, Novell recommends the “truncatememory or removememory switches in BCDEdit.exe” approach described in the document.

That is, from an elevated command prompt (“Run as administrator”), execute this command:

BCDEDIT.EXE /set {current} truncatememory 0x80000000

to have Windows ignore all the memory above 2GB after the next reboot. Now (after reboot) the “Complete” memory dump option should become available, and the Complete dump generated won’t be larger than 2GB.

To return the machine to its original memory configuration, execute this command:

BCDEDIT.EXE /deletevalue {current} truncatememory

Windows 7 Specific

When attempting to collect a memory dump in connection with a Windows 7 kernel-mode crash, the MEMORY.DMP file may be unexpectedly missing. This may be due to the following Windows 7-specific default behavior:

If less than 25GB of disk space is free and the machine is not joined to a domain, by default Windows will delete a generated MEMORY.DMP file rather than keeping it (after Windows reboots and reports the crash to Microsoft via the online crash analysis / Windows Error Reporting).

If there are more than 25GB, or the machine is joined to a domain (read “corporate environment”), or you’re actually on Windows Server 2008 R2 (not Windows 7 Ultimate / Professional / Home), the MEMORY.DMP will be retained by default, as it always has been in previous versions of Windows.

The Windows 7 default policy can be explicitly overridden by setting the following registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]

"AlwaysKeepMemoryDump"=dword:00000001
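
The conditions described above can be checked in one pass before a crash is reproduced. The following PowerShell preflight is an added example, not part of the original TID or the Microsoft article. It assumes the 25GB threshold is evaluated against the system drive, and it should be run elevated so that bcdedit can read the boot entry.

```powershell
# Added example: will MEMORY.DMP be kept, and is the memory cap still in place?
$cc   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cs   = Get-WmiObject Win32_ComputerSystem
$os   = Get-WmiObject Win32_OperatingSystem
# Assumption: the 25GB threshold is measured on the system drive.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

$freeGB     = [math]::Round($disk.FreeSpace / 1GB, 1)
$alwaysKeep = ($cc.AlwaysKeepMemoryDump -eq 1)   # missing value counts as not set
$isServer   = ($os.ProductType -ne 1)            # 1 = workstation SKU
$inDomain   = [bool]$cs.PartOfDomain

# Retention rules as stated in this article for Windows 7 / Server 2008 R2.
if     ($alwaysKeep)    { $keep = $true;  $why = 'AlwaysKeepMemoryDump=1' }
elseif ($isServer)      { $keep = $true;  $why = 'server SKU' }
elseif ($inDomain)      { $keep = $true;  $why = 'domain-joined' }
elseif ($freeGB -gt 25) { $keep = $true;  $why = 'more than 25GB free' }
else                    { $keep = $false; $why = 'workgroup client, low free space' }

# A leftover truncatememory entry means the machine is still limited to the
# value set with BCDEDIT /set; '{current}' is quoted so PowerShell does not
# parse it as a script block.
$bcd       = & bcdedit.exe /enum '{current}' 2>$null
$truncated = [bool]($bcd -match 'truncatememory')

New-Object PSObject -Property @{
    CrashDumpEnabled  = $cc.CrashDumpEnabled     # 1 = complete, 2 = kernel, 3 = small
    DumpFile          = $cc.DumpFile
    FreeGB            = $freeGB
    DomainJoined      = $inDomain
    ServerSku         = $isServer
    DumpWillBeKept    = $keep
    Reason            = $why
    TruncateMemorySet = $truncated
} | Select-Object CrashDumpEnabled, DumpFile, FreeGB, DomainJoined,
                  ServerSku, DumpWillBeKept, Reason, TruncateMemorySet
```

If DumpWillBeKept is False, set AlwaysKeepMemoryDump before reproducing the crash. If TruncateMemorySet is still True after the dump has been collected, run the /deletevalue command shown earlier.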


Formerly known as TID# 10084257
