preface

In the earlier article on kernel dumps from scratch, a key system setting was described: it lets the system save a dump automatically on a Blue Screen of Death (BSOD). That article was only a brief introduction to the setup steps; this one covers them in detail.

Let’s review the setup steps with the following GIF:

Have you ever wondered where these settings are stored? I guess it is in the registry. Let's take a look.

Where the settings are stored

To find out where these settings are saved, I captured the entire setup process with Process Monitor and recorded a video.

According to the results of the investigation, the dump type is stored in the registry value HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled. The value for each dump type is shown in the following table:

| Name in the dialog (translated from Chinese) | English name          | CrashDumpEnabled |
|---------------------------------------------|-----------------------|------------------|
| (None)                                      | None                  | 0                |
| Small memory dump (256KB)                   | Small memory dump     | 3                |
| Core memory dump                            | Kernel memory dump    | 2                |
| Full memory dump                            | Complete memory dump  | 1                |
| Automatic memory dump                       | Automatic memory dump | 7                |
| Active memory dump                          | Active memory dump    | 1                |

We can see that full memory dump and active memory dump both set CrashDumpEnabled to 1, so something else must differ. I compared the registry keys under HKLM\System\CurrentControlSet\Control\CrashControl before and after switching between the two types.

The comparison results are as follows.

The comparison shows that when active memory dump is selected, the registry value HKLM\System\CurrentControlSet\Control\CrashControl\FilterPages is set to 1, and when full memory dump is selected, the FilterPages value is deleted.

Note: Windows 7 and earlier do not have the automatic memory dump and active memory dump options. Automatic memory dump was introduced in Windows 8, and active memory dump in Windows 10.

Other related settings

In addition to the dump type, the following settings can be configured.

  • Dump file: specifies where the dump file is saved.

    For small memory dumps this is the directory in which dump files are stored; the default is %SystemRoot%\Minidump\. For the other dump types it is the full path of the dump file; the default is %SystemRoot%\Memory.dmp.

  • Automatically restart (R) option: if selected, the system restarts automatically after the blue screen.

  • Write an event to the system log (W) option: if selected, the blue screen event is recorded in the system log.

  • Overwrite any existing file (O) option: if selected, an existing file with the same name is overwritten; otherwise it is not (if a file with the same name already exists, the dump file for this blue screen is not generated). This option has no effect for small memory dumps.

  • Disable automatic deletion of memory dumps when disk space is low (A) option: if selected, previously saved dump files are not deleted even when disk space is low. This option does not exist in Windows 7 and was introduced in later versions of the operating system.

Refer to the following .reg content for the location of each setting in the registry. Save it as a .reg file and double-click it to import.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
; Write the event to the system log. 1 = write, 0 = do not write.
"LogEvent"=dword:00000000
; Whether to restart automatically. 1 = restart automatically, 0 = do not restart.
"AutoReboot"=dword:00000000
; Dump type. See the table above for the values.
"CrashDumpEnabled"=dword:00000001
; Path for saving the dump file: a UNICODE path in binary form (REG_EXPAND_SZ).
; The default value is %SystemRoot%\MEMORY.DMP
"DumpFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,4d,00,45,00,4d,00,4f,00,52,00,59,00,2e,00,44,00,4d,00,50,00,\
  00,00
; Directory for saving small memory dump files: a UNICODE path in binary form.
; The default value is %SystemRoot%\Minidump
"MinidumpDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,4d,00,69,00,6e,00,69,00,64,00,75,00,6d,00,70,00,00,00
; Maximum number of small memory dump files. When the count exceeds this value, the oldest file is deleted.
; There is no corresponding setting in the dialog; it can only be changed in the registry.
"MinidumpsCount"=dword:00000005
; Overwrite any existing file. 1 = overwrite, 0 = do not overwrite. Has no effect for small memory dumps.
"Overwrite"=dword:00000001
; Do not automatically delete the memory dump when disk space is low. 1 = keep, 0 = delete.
"AlwaysKeepMemoryDump"=dword:00000000

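As an added example (not code from the original article), the following Python script parses a .reg export of the CrashControl key like the one above, decodes the hex(2) values (REG_EXPAND_SZ stored as UTF-16LE bytes with a trailing NUL, split over continuation lines), and applies the CrashDumpEnabled table together with the FilterPages rule from earlier to name the effective dump type. The sample .reg text is constructed for this example, and parse_reg, dump_type and summarize are this example's own names. Because it works on exported text rather than the live registry, it runs on any operating system.

```python
import re
from typing import Dict

# Constructed sample: a .reg export of the CrashControl key (not a real machine's export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000001
"LogEvent"=dword:00000001
"CrashDumpEnabled"=dword:00000001
"FilterPages"=dword:00000001
"Overwrite"=dword:00000001
"DumpFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,4d,00,45,00,4d,00,4f,00,52,00,59,00,2e,00,44,00,4d,00,50,00,\
  00,00
"MinidumpDir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,4d,00,69,00,6e,00,69,00,64,00,75,00,6d,00,70,00,00,00
"""

CRASHCONTROL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl"

# CrashDumpEnabled values from the article's table. Value 1 is shared by the
# complete and active dumps and is disambiguated by FilterPages (see dump_type).
DUMP_TYPES = {
    0: "None",
    3: "Small memory dump (256KB)",
    2: "Kernel memory dump",
    7: "Automatic memory dump",
}


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: {key_path: {value_name: value}} for dword and hex(2) data."""
    # A line ending in "\" continues on the next (indented) line; join them first.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith("hex(2):"):
            # REG_EXPAND_SZ: comma-separated bytes of a UTF-16LE string ending in a NUL.
            raw = bytes.fromhex(data[len("hex(2):"):].replace(",", ""))
            keys[current][name] = raw.decode("utf-16-le").rstrip("\x00")
        else:
            keys[current][name] = data  # other types are kept as raw text
    return keys


def dump_type(values: Dict[str, object]) -> str:
    """Name the dump type from CrashDumpEnabled, using FilterPages to split value 1."""
    enabled = int(values.get("CrashDumpEnabled", 0))
    if enabled == 1:
        return "Active memory dump" if int(values.get("FilterPages", 0)) == 1 else "Complete memory dump"
    return DUMP_TYPES.get(enabled, f"Unknown ({enabled})")


def summarize(text: str) -> Dict[str, object]:
    """Summarize the crash-dump configuration found in a .reg export."""
    values = parse_reg(text).get(CRASHCONTROL, {})
    kind = dump_type(values)
    # Small dumps go to MinidumpDir; every other type is written to DumpFile.
    # Fallbacks are the defaults named in the article, used only if a value is absent.
    if kind.startswith("Small"):
        location = values.get("MinidumpDir", r"%SystemRoot%\Minidump")
    else:
        location = values.get("DumpFile", r"%SystemRoot%\MEMORY.DMP")
    return {
        "dump_type": kind,
        "location": location,
        "auto_reboot": bool(values.get("AutoReboot", 1)),
        "log_event": bool(values.get("LogEvent", 1)),
        "overwrite": bool(values.get("Overwrite", 1)),
    }


if __name__ == "__main__":
    for field, value in summarize(SAMPLE_REG).items():
        print(f"{field}: {value}")
```

Run it against a real export (reg export "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" crash.reg, then pass the file's text to summarize) to confirm what a machine will actually write on a BSOD and where. Knowing the location matters for handling the file afterwards, since complete and active dumps contain user-mode memory as well as kernel memory.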

Dump types

The introduction to these dump types is mostly translated from the official Microsoft documentation, but not entirely. Readers comfortable with English should refer to the Microsoft documentation directly.

  • Full memory dump

    Contains all the physical memory used by the operating system. Physical memory occupied by platform firmware is not included by default. To ensure the dump can be written, make sure the page file on the boot disk is at least the size of physical memory + 1 MB (some header information must be written with the dump). With 4 GB of physical memory, for example, the initial page file size must be at least 4097 MB; a larger value is fine. It can be set as follows:

  • Active memory dump

    An active memory dump is similar to a full memory dump, but it filters out pages that are unlikely to be relevant to troubleshooting. Because of this filtering, the resulting dump is typically much smaller than a full memory dump.

    This type of dump contains any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and the Hardware Abstraction Layer (HAL), as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into kernel or user space that are useful for debugging, together with selected transition, standby and modified pages that are backed by the paging file (for example, memory regions allocated with VirtualAlloc or page-file-backed section mappings). Active memory dumps do not include the free and zeroed page lists, the file cache, guest virtual machine pages, or various other kinds of memory that are unlikely to be useful for debugging.

    Active memory dumps are especially useful when virtual machines are hosted on the target system: a full memory dump contains all the memory occupied by the virtual machines, while an active memory dump does not.

    Active memory dumps are available on Windows 10 and later.

  • Core memory dump (kernel memory dump)

    Contains the physical memory used by the kernel in the event of a system crash.

    This dump file is much smaller than a full memory dump.

    The kernel memory dump does not include unallocated memory or any memory allocated to user-mode applications. It includes only memory allocated to the Windows kernel and the Hardware Abstraction Layer (HAL), and memory allocated to kernel-mode drivers and other kernel-mode programs.

    In most cases this type of crash dump is the most useful. It is much smaller than a full memory dump, yet it omits only those parts of memory that are unlikely to be involved in the crash.

    Because this dump does not contain the images of any user-mode executables that were resident in memory at the time of the crash, you may also need to set the executable image path if those executables matter for the analysis.

  • Automatic memory dump

    An automatic memory dump contains the same information as a kernel memory dump. The difference is not in the dump itself, but in the way Windows sets the size of the system paging file.

    If the paging file size is set to "System managed size" and the dump type is set to automatic memory dump, Windows can set the paging file smaller than physical memory. In this case Windows sizes the paging file large enough to capture a kernel memory dump in most cases.

    If the system crashes and the paging file is not large enough to hold a kernel memory dump, Windows increases the paging file size to at least the size of physical memory. The time at which this event (the paging file size increase) occurred is recorded in the registry value HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\LastCrashTime.

    The increased paging file size is kept for 4 weeks and then reverts to the previous smaller value. To revert to the smaller value before the four weeks are up, delete this registry value.

    Automatic memory dump is available on Windows 8 and later.

  • Small memory dump (256KB)

    The small memory dump contains the following contents:

    • The bug check (stop code) information and parameters, and other blue screen data.

    • The processor context (PRCB) of the processor that crashed.

    • The process information and kernel context (EPROCESS) of the crashed process.

    • The thread information and kernel context (ETHREAD) of the crashed thread.

    • The kernel-mode call stack of the crashed thread. If it is larger than 16 KB, only the first 16 KB is included.

    • List of loaded drivers.

    In Windows XP and later versions of Windows, the following is also included:

    • A list of loaded and unloaded modules.

    • Debugger data block. It contains basic debugging information about the system.

    • Any additional memory pages that Windows identifies as useful for debugging the failure. This includes the memory pages that the registers pointed to at the time of the crash, as well as other pages specifically requested by the failing component.

    • (Windows Server 2003 and later) The Windows SKU — for example, "Professional" or "Server".

      For more about Windows SKUs, refer to the link www.thewindowsclub.com/windows-7-v…

Conclusion

  • Small memory dumps (256KB) are saved to %SystemRoot%\Minidump by default; dump files of the other types are saved to %SystemRoot%\Memory.dmp.
  • The dump file generated by each dump type contains different information, so choose the type according to your requirements. By size, the dump files rank as follows: Full memory dump > Active memory dump > Core memory dump = Automatic memory dump > Small memory dump.
  • The registry entries controlling whether the system restarts automatically after a blue screen, whether a dump file is saved, whether existing files are overwritten, and the type and location of the dump file all live under HKLM\System\CurrentControlSet\Control\CrashControl\. You can modify the .reg content in this article as needed, save it as a .reg file and double-click it to import. Note that the change takes effect only after a restart.
  • If you run into a missing page error while debugging, you can use the .ignore_missing_pages command.
  • With the help of Process Monitor, and without reading any help documents, the value and save location of each dump type were investigated clearly. Process Monitor is a great weapon for investigating questions like this; you deserve it!

Resources

  • Channel9.msdn.com/Shows/Defra…
  • Docs.microsoft.com/en-us/windo…
  • Docs.microsoft.com/en-us/windo…
  • Docs.microsoft.com/en-us/windo…
  • Docs.microsoft.com/en-us/windo…
  • Docs.microsoft.com/en-us/windo…
  • Docs.microsoft.com/en-us/windo…