DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 972110 - Last Review: May 31, 2012 - Revision: 5.0

On This Page

INTRODUCTION

This step-by-step article describes how to generate, collect, check, and analyze kernel dump files and complete memory dump files from a Windows Server 2003-based system.

Note Ideally, you should only generate such dump files when a Microsoft Customer Support Services Engineer explicitly asks you to do this. Kernel dump file debugging or complete memory dump file debugging should be the last resort after all the standard troubleshooting methods are exhausted.

If you must contact Microsoft Customer Support and Services (CSS), this article will help you obtain the specific information that is required for CSS to identify the problem.

You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may prevent you from completing this procedure. A manual kernel dump file or a complete memory dump file is useful when troubleshooting several issues because the process captures a record of system memory at the time of a crash.

Warning Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. When you start the dump file creation procedure, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.

When you restart the computer, the contents of that paging file are written to the dump file. Even in a best case scenario, where the dump file is configured to reside on another local hard disk, lots of data is read and written to the hard disks. This can cause a prolonged server outage. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
254649  (http://support.microsoft.com/kb/254649/ ) Overview of memory dump file options for Windows Vista, Windows Server 2008, Windows Server 2003, Windows XP, and Windows 2000

MORE INFORMATION

Paging file

Typically, for regular functionality of the Windows Server 2003-based system, you set the paging file size on the server. For more information about how to determine the appropriate paging file size, click the following article number to view the article in the Microsoft Knowledge Base:
889654   (http://support.microsoft.com/kb/889654/ ) How to determine the appropriate page file size for 64-bit versions of Windows Server 2003 or Windows XP
Depending on what kind of memory dump file that you are trying to collect, the minimum size of the paging file varies. Windows Server 2003 has three options for memory dump files:
  • Small Memory Dump (64 KB for a 32-bit operating system, 128 KB for a 64-bit operating system)

    Note When you use this option, you may experience the problem that is described in the following Microsoft Knowledge Base article:
    900229  (http://support.microsoft.com/kb/900229/ ) You may receive an error message when you open a "Mini Kernel Dump" file that was generated by a 64-bit version of Windows Server 2003 or Windows XP Professional
  • Kernel Memory Dump
  • Complete Memory Dump
To enable complete memory dump files on the server, follow these steps.

Step 1: Create a paging file

  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the Advanced tab.
  3. Click Settings under the Performance area.
  4. Click the Advanced tab, and then click Change under the Virtual memory area.
  5. Select the system partition where the operating system is installed.
  6. Set the value of Initial size and Maximum size to how much physical RAM is installed plus 1 megabyte (MB) under Custom Size.
  7. Click Set, and then click OK three times.

Partition size

In Windows Server 2003 or earlier versions of Windows, the partition on which the operating system is installed must be at least the size of how much physical RAM is installed plus 1 megabyte (MB). For Windows Server 2003, you may have to reduce the physical memory of the computer to produce a complete memory dump file that is valid. If the computer has more than 4 GB of physical memory or if there is insufficient disk space for the paging file on the partition on which the operating system is installed, you may have to reduce the computers' physical RAM. To reduce the physical memory on the computer, use the maxmem or burnmemory switch in the Boot.ini file as described in the following TechNet or MSDN-based articles:

Boot.ini options reference:
http://technet.microsoft.com/en-us/sysinternals/bb963892.aspx (http://technet.microsoft.com/en-us/sysinternals/bb963892.aspx)
Boot parameters to manipulate memory:
http://msdn.microsoft.com/en-us/library/ms791501.aspx (http://msdn.microsoft.com/en-us/library/ms791501.aspx)
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
833721   (http://support.microsoft.com/kb/833721/ ) Available switch options for the Windows XP and the Windows Server 2003 Boot.ini files
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
Note On a 32-bit version of Windows Server 2003 for which the Physical Address Extension (PAE) is enabled, the paging file can extended beyond 4 GB (4,096 MB). To determine whether PAE is enabled, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Manager
  3. Right-click PhysicalAddressExtension, and then click Modify.
  4. In the Edit DWORD Value dialog box, check the value of the PhysicalAddressExtension entry. If the value of the PhysicalAddressExtension entry is zero (0), PAE is disabled. If the value of the PhysicalAddressExtension entry is 1, PAE is enabled.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
237740  (http://support.microsoft.com/kb/237740/ ) How to overcome the 4,095 MB paging file size limit in Windows

Step 2: Create a complete memory dump file

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the Advanced tab.
  3. Click Settings under the Startup and Recovery area, and then select Complete memory dump under Writing debugging information.
  4. Click OK two times.
Note By default, Complete memory dump is disabled. You can enable the option if the computer has more than 2 GB of physical RAM.

Note If you want to enable the Complete memory dump option, manually set the CrashDumpEnabled registry entry under the following registry subkey to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
885117  (http://support.microsoft.com/kb/885117/ ) "Kernel Memory Dump" is displayed in Startup and Recovery, but a complete memory dump is performed in Windows 2000 or in Windows Server 2003

Disk space

There must be sufficient free space in the selected location to write the memory dump file. By default, the memory dump file is written to the %SystemRoot%\Memory.dmp file. If there is insufficient free space on the %SystemRoot% drive, you can redirect the dump file to another location that has sufficient free space.

Step 3: (optional) Change the location where the dump file is written

To change the dump file path in the Startup and Recovery options on a Windows Server 2003-based computer, follow these steps:
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the Advanced tab.
  3. Click Settings under the Startup and Recovery area, and then replace the path with an appropriate value in the Dump file box. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has sufficient disk space, such as E:\Memory.dmp.
Note A network drive, a shared drive, or a network access server (NAS) drive cannot be used as a destination for a memory dump file because it might not be available before the file copy begins.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
886429  (http://support.microsoft.com/kb/886429/ ) What to consider when you configure a new location for memory dump files in Windows Server 2003

Step 4: Install hotfixes to resolve memory dump file problems

Hotfixes for Windows Server 2003 RTM-based computers

The following hotfixes may resolve problems that occur when you try to create a memory dump file in Windows Server 2003 RTM-based computers:
  • 822998  (http://support.microsoft.com/kb/822998/ ) Memory-dump operation does not complete on computers with more than 6 GB of RAM installed
    Note The hotfix in KB822998 updates the DiskDump.sys file.
  • 839937  (http://support.microsoft.com/kb/839937/ ) The KeBugCheckEx() function causes a system reset on multiprocessor Windows Server 2003-based computers
    Note The hotfix in KB839937 updates the Ntoskrnl.exe file and the Hal.dll file.
  • 838461  (http://support.microsoft.com/kb/838461/ ) An API that attaches header information to the memory image is available for OEM computers that have "capture memory image" capability in Windows Server 2003
    Note The hotfix in KB838461 updates the Ntoskrnl.exe file.

Hotfixes for Windows Server 2003 SP1

The following hotfixes may resolve problems that occur when you try to create a memory dump file in Windows Server 2003 Service Pack 1-based computers:
  • 898620  (http://support.microsoft.com/kb/898620/ ) A crash dump file is not generated after a fatal system error occurs on a computer that is running Windows Server 2003 Service Pack 1
    Note The hotfix in KB898620 updates the Smss.exe file.
  • 907646  (http://support.microsoft.com/kb/907646/ ) Debugging information may not be written to a memory dump file when a Stop error occurs on a computer that is running an Itanium-based version of Windows Server 2003
    Note The hotfix in KB907646 updates the Ntkrnlmp.exe file and the Hal.dll file.
  • 912364  (http://support.microsoft.com/kb/912364/ ) When a hardware malfunction occurs on a computer that is running an x64 Edition version of Windows, you do not receive a Stop error message, and no memory dump file is generated
    Note The hotfix in KB912364 updates the Hal.dll file.

Hotfixes for Windows Server 2003 SP2

The following hotfixes may resolve problems that occur when you try to create a memory dump file in Windows Server 2003 Service Pack 2-based computers:
  • 957910  (http://support.microsoft.com/kb/957910/ ) A Windows Server 2003 SP2-based iSCSI boot server cannot generate dump files if the server uses a Storport virtual miniport as the LUN controller
    Note The hotfix in KB957910 updates the Diskdump.sys file and the Storport.sys file.
  • 970810  (http://support.microsoft.com/kb/970810/ ) A computer that is running Windows Server 2003 SP2 that supports the IPMI standard stops responding when the computer is writing a memory dump file
    Note The hotfix in KB970810 updates the Ipmidrv.sys file.
  • 971408  (http://support.microsoft.com/kb/971408/ ) The Windows Server 2003 system does not restart as expected when recursive errors occur while writing a dump file
    Note The hotfix in KB971408 updates the NtOSkrnl.exe file.

Methods to generate a manual memory dump file

There are several methods to generate a manual kernel dump file or a complete memory dump file. These methods include using the NMI, keyboard (PS2/USB), remote kernel, or NotMyFault.exe tools.

Step 5: Generate a manual memory dump by using the NotMyFault tool

If you can log on while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool. To do this, follow these steps:
  1. Visit the following Microsoft Web site to download the NotMyFault tool:
    http://download.sysinternals.com/files/NotMyFault.zip (http://download.sysinternals.com/files/NotMyFault.zip)
  2. Click Start, and then click Command Prompt.
  3. At the command line, type NotMyfault.exe /crash, and then press ENTER.
Note This operation generates a memory dump file and a D1 stop error.

Step 6: Generate a manual memory dump by using the keyboard

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
  • If you are using a PS/2 keyboard, you have to create the CrashOnCtrlScroll registry entry. For more information about how to generate a memory dump file by using the keyboard, click the following article number to view the article in the Microsoft Knowledge Base:
    244139  (http://support.microsoft.com/kb/244139/ ) Windows feature lets you generate a memory dump file by using the keyboard
    To enable the feature on a computer that uses a PS/2 keyboard, follow these steps:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
    3. On the Edit menu, click Add Value, and then add the following registry entry:
      Name : CrashOnCtrlScroll 
      Data Type : REG_DWORD 
      Value : 1  
    4. Exit Registry Editor.
  • If you are using a USB keyboard, you have to create the CrashOnCtrlScroll registry entry.

    To enable the feature on a computer that uses a USB keyboard, follow these steps:
    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
    3. On the Edit menu, click Add Value, and then add the following registry entry:
      Name : CrashOnCtrlScroll 
      Data Type : REG_DWORD 
      Value : 1  
    4. Exit Registry Editor.
Note This keyboard operation generates a memory dump file and an E2 stop error.

Step 7: Generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
927069   (http://support.microsoft.com/kb/927069/ ) How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system
If you try to collect an NMI dump file, you have to create the NMICrashDump registry entry. To enable this feature, follow these steps:
  1. Start Registry Editor.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  3. On the Edit menu, click Add Value, and then add the following registry entry:
    Name : NMICrashDump 
    Data Type : REG_DWORD 
    Value : 1  
  4. Exit Registry Editor.
Note This operation generates a memory dump file and an 80 stop error. This registry entry is only needed on x86 and x64 systems. Itanium-Based Systems can generate a memory dump without this registry entry.

Step 8: Generate a manual memory dump by using a remote debugger

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
303021  (http://support.microsoft.com/kb/303021/ ) How to generate a memory dump file when a server stops responding (hangs)
Note In WinDbg, you can use the .crash command. This command creates the memory dump file on the destination computer. Or, if you want to copy the memory dump file by using a null modem, a USB device, or an IEEE 1394 device, use the .dump command.

Step 9: Restart the server

You must restart the server for the settings to take effect.

BIOS-level server hardware recovery mechanism

Some computers have a feature at the BIOS level to do hardware recovery. For example, a computer may have one of the following features:
  • An Automatic System Recovery (ASR) feature is available on some Hewlett Packard (HP) servers. If ASR exists, disable it. ASR can interrupt the dump process. On an HP server, you can modify the BIOS settings to disable ASR. If this feature is enabled and if the BIOS does not detect a heartbeat from the operating system, it typically restarts the computer within 10 minutes.
  • Dell computers have the same feature, and it is called Dell Special Administration Console (SAC) or !SAC.
  • IBM computers have the same feature, and it is called RSA II (OS) watchdogs.
  • Fujitsu, NEC, Samsung, Unisys, and other server hardware manufacturers may have a similar feature in their servers.
Note If you are uncertain whether your hardware has a hardware recovery feature, contact the hardware manufacturer.

Step 10: Test whether you can obtain a manual memory dump file

Warning It is critical that you test whether you can obtain a manual memory dump file. If a dump file is corrupted or truncated, the problem must occur again for you to obtain a good memory dump file.

To test whether you can obtain a good dump file on a computer, use NotMyFault, or press the RIGHT CTRL key while you press the SCROLL LOCK key two times. After the server restarts, wait for disk activity to stop. The dump file should be the same size as physical memory. If you have problems obtaining a manual memory dump file, you may have to update the SCSI controller firmware and driver from the hardware vendor.

Step 11: Obtain the stop error message that appears on a blue screen after a memory dump file is generated

You can configure Windows Server 2003 to write an event log message that has the stop error message that appears on a blue screen. By default, Windows Server 2003 is set to write event log messages.

Note
  1. Right-click My Computer, and then click Properties.
  2. Click the Advanced tab.
  3. Click Settings under the Startup and Recovery area,
Notice that, by default, the Write an event to the system log option is unavailable. The description and format of the event log differs from the format that is displayed when the computer is writing the Memory.dmp file. But most of the information is the same. Here is an example of the event log:
Event ID: 1001 
Source: BugCheck 
Description: 
The computer has rebooted from a bugcheck. The bugcheck was : 0xc00000E2 (0xffffffffffffffff, 0x0000000000000001, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. 

How to use DumpChk.exe to check a memory dump file

For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
156280  (http://support.microsoft.com/kb/156280/ ) How to use Dumpchk.exe to check a memory dump file

Step 12: Delete the test dump file

Delete the test dump file because a new memory dump file is generated when this problem next occurs.

Step 13: Wait for the problem to reoccur

When the issue occurs, you can collect the memory dump file by using the following tools or methods:
  • Use the NotMyFault tool.
  • Press the RIGHT CTRL key and then press the SCROLL LOCK key two times.
  • Use the NMI button.
  • Use the remote kernel debugger.

Step 14: Compress the Memory.dmp file

Use the WinZip tool to compress the Memory.dmp file.

Step 15: Upload the compressed file to the secure file transfer site

After you compress the file, upload the file to the secure file transfer site.

How to obtain a utility to automate the registry keys and paging files

  1. Visit the following Microsoft Web site to download DumpConfigurator.hta:
    http://www.codeplex.com/WinPlatTools/SourceControl/changeset/view/14600#256939 (http://www.codeplex.com/WinPlatTools/SourceControl/changeset/view/14600#256939)
  2. Click Download, and then click I Agree after you read the Microsoft Software License Terms.
  3. Save the WInPlatTools-14600.zip file, and then extract the DumpConfigurator.hta utility.
  4. Click DumpConfigurator.hta, and then click Auto Config Complete.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
307973  (http://support.microsoft.com/kb/307973/ ) How to configure system failure and recovery options in Windows

How to read the memory dump files that Windows creates for debugging

To download and install the latest version of the Windows debugging tools, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx (http://www.microsoft.com/whdc/devtools/debugging/default.mspx)
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
315263  (http://support.microsoft.com/kb/315263/ ) How to read the small memory dump files that Windows creates for debugging
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824344  (http://support.microsoft.com/kb/824344/ ) How to debug Windows services
For more information about debugging in Windows, see the following books:

How to verify Windows debug symbols

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
311503  (http://support.microsoft.com/kb/311503/ ) Use the Microsoft Symbol Server to obtain debug symbol files
138258  (http://support.microsoft.com/kb/138258/ ) Windows NT debug symbol setup information
148659  (http://support.microsoft.com/kb/148659/ ) How to set up Windows NT debug symbols
148660  (http://support.microsoft.com/kb/148660/ ) How to verify Windows debug symbols
258205  (http://support.microsoft.com/kb/258205/ ) How to use Rebase to extract symbols for DrWtSn32.exe
296110  (http://support.microsoft.com/kb/296110/ ) How to install the debug symbols for use with Visual Studio products
319037  (http://support.microsoft.com/kb/319037/ ) How to use a symbol server with the Visual Studio .NET debugger
814411  (http://support.microsoft.com/kb/814411/ ) Hotfix packages do not include debug symbol files
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

REFERENCES

For more information about this topic, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/cc266483.aspx (http://msdn.microsoft.com/en-us/library/cc266483.aspx)

APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Keywords: 
kbhowto kbexpertiseinter kbsurveynew kbinfo KB972110
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support