Memory Dump and Analysis - PowerPoint PPT Presentation

Slides: 43
Provided by: syma4

Transcript and Presenter's Notes

1
Memory Dump and Analysis
  • Amol Bhosale
  • Enterprise Technical Support
  • Symantec Corporation

2
AGENDA
  • What is a Memory Dump?
  • Purpose of gathering a Memory Dump
  • Types of Memory Dumps
  • System requirements to create a Memory Dump
  • Different methods to enable creation of a Memory Dump
  • Tools and methods used to manually force a system crash
  • Memory Dump analysis using the DebugWiz tool

3
What is a Memory Dump?
4
  • In computing, a Memory Dump consists of the
    recorded state or a snapshot of the working
    memory of a computer program at a specific time,
    generally when the program has terminated
    abnormally (or crashed).

5
Purpose of gathering a Memory Dump
6
  • Memory Dumps are often used to diagnose or debug
    errors in computer programs.
  • The most common issues encountered on Windows-based
    systems due to program errors or driver
    incompatibility are:
      • Blue Screen of Death (BSOD)
      • System freeze or deadlock
      • Performance issues

7
Types of Memory Dumps
8
  • We can configure the following Windows operating
    systems to write debugging information:
      • Windows Vista
      • Windows Server 2008
      • Windows Server 2003
      • Windows XP
      • Windows 2000

9
  • Windows can generate any one of the following
    memory dump file types:
      • Complete memory dump
      • Kernel memory dump
      • Small memory dump (64 KB)

10
Complete Memory Dump
  • A complete memory dump records all the contents
    of system memory when the computer stops
    unexpectedly. A complete memory dump may contain
    data from processes that were running when the
    memory dump was collected. If we select the
    Complete memory dump option, we must have a
    paging file on the boot volume that is sufficient
    to hold all the physical RAM plus 1 megabyte
    (MB).

11
  • If a second problem occurs and another complete
    memory dump (or kernel memory dump) file is
    created, the previous file is overwritten.

12
Kernel memory dump
  • A kernel memory dump records only the kernel
    memory. This speeds up the process of recording
    information when the computer stops unexpectedly.
    Depending on the RAM in the computer, between
    150 MB and 2 GB of paging file space must be
    available on the boot volume, based on server load
    and the amount of physical RAM installed.

13
  • This dump file does not include unallocated
    memory or any memory that is allocated to
    User-mode programs. It includes only memory that
    is allocated to Kernel-mode drivers and other
    Kernel-mode programs.
  • For most purposes, this dump file is the most
    useful. It is significantly smaller than the
    complete memory dump file, but it omits only
    those parts of memory that are unlikely to have
    been involved in the problem.

14
Small memory dump
  • A small memory dump records the smallest set of
    useful information that may help identify why the
    computer stopped unexpectedly. This option
    requires a paging file of at least 2 MB on the
    boot volume and specifies that Windows 2000 and
    later create a new file every time your computer
    stops unexpectedly. A history of these files is
    stored in a folder.

15
  • This dump file type includes the following
    information:
      • The Stop message and its parameters and other
        data
      • A list of loaded drivers
      • The processor context for the processor that
        stopped
      • The process information and kernel context for
        the process that stopped
      • The process information and kernel context for
        the thread that stopped

16
  • A small dump file can be useful when space is
    limited. However, because of the limited
    information included, errors that were not
    directly caused by the thread that was running at
    the time of the problem may not be discovered
    during the analysis of this file.
  • If a second problem occurs and a second small
    memory dump file is created, the previous file is
    preserved. Each additional file is given a distinct
    name, with the date encoded in the file name. For
    example, Mini022900-01.dmp is the first memory
    dump generated on February 29, 2000. A list of
    all small memory dump files is kept in the
    %SystemRoot%\Minidump folder.

17
System requirements to create a Memory Dump
18
  • You must be logged on as an administrator or a
    member of the Administrators group.
  • If the computer is connected to a network,
    network policy settings may interfere with or
    prevent creation of the memory dump.
  • There must be sufficient free space in the
    selected location to write the memory dump file.
    By default, the memory dump file is written to
    %SystemRoot%\MEMORY.DMP. If there is insufficient
    free space on the %SystemRoot% drive, the dump file
    can be redirected to another location that has
    sufficient free space.

19
  • In Windows Server 2003 or earlier versions of
    Windows, the partition on which the operating
    system is installed must be at least as large as
    the installed physical RAM plus 1 megabyte (MB).
  • For Windows Server 2008, if the computer has more
    than 4 GB of physical memory, or if there is not
    enough disk space for the paging file on the
    partition on which the operating system is
    installed, another partition may have to be used
    for the dump file.
  • The paging file size needs to be set according to
    the kind of memory dump file being created.

20
Different methods to enable creation of a Memory
Dump
21
How to enable creation of a small, kernel, or
complete memory dump file in Windows XP, Windows
2000 or Windows Server 2003
22
Creating a paging file
  • Click Start, right-click My Computer, and then
    click Properties.
  • Click the Advanced tab.
  • Click Settings under the Performance area.
  • Click the Advanced tab, and then click Change
    under the Virtual memory area.
  • Select the system partition where the operating
    system is installed.
  • Under Custom size, set the value of Initial size
    and Maximum size to the amount of installed
    physical RAM plus 1 megabyte (MB).
  • Click Set, and then click OK three times.

23
Enable creation of a memory dump file
  • Click Start, right-click My Computer, and then
    click Properties.
  • Click the Advanced tab.
  • Click Settings under the Startup and Recovery
    area, and then select Small, Kernel or Complete
    memory dump under Writing debugging information.
  • Click OK two times.

24
Registry method to enable Complete memory dump
  • The Complete memory dump option can also be
    enabled by manually setting the CrashDumpEnabled
    registry entry under the following registry
    subkey to 1:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  • Note: It is strongly recommended to back up the
    registry before making the above change.
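The following script is an added example, not part of the original slides; it audits the settings the preceding slides describe without changing anything. It reads CrashDumpEnabled, DumpFile, MinidumpDir, Overwrite and AutoReboot from the CrashControl key, compares the boot-volume paging file against the "physical RAM plus 1 MB" rule for a complete dump, and checks free space on the volume that would receive the dump file. It assumes Windows PowerShell 3.0 or later (Get-CimInstance) and an elevated session; the value-to-name mapping for CrashDumpEnabled is the documented Windows meaning, and value 7 only exists on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the slides): read-only audit of the crash-dump configuration.
# Assumes Windows PowerShell 3.0+ and an elevated session.

function Get-CrashDumpConfig {
    $crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc = Get-ItemProperty -Path $crashKey

    # Documented meanings of CrashDumpEnabled; 7 (automatic) is Windows 8 / Server 2012 and later
    $dumpTypes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                    3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
    $dumpType = $dumpTypes[[int]$cc.CrashDumpEnabled]
    if (-not $dumpType) { $dumpType = "Unknown ($($cc.CrashDumpEnabled))" }

    # DumpFile and MinidumpDir are REG_EXPAND_SZ and come back expanded;
    # the fallbacks are the defaults the slides describe
    $dumpFile = if ($cc.DumpFile)    { $cc.DumpFile }    else { "$env:SystemRoot\MEMORY.DMP" }
    $miniDir  = if ($cc.MinidumpDir) { $cc.MinidumpDir } else { "$env:SystemRoot\Minidump" }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramMB = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
    $requiredMB = $ramMB + 1   # paging file sizing rule for a complete dump

    # Paging file on the system drive; Win32_PageFileSetting sizes are in MB.
    # A system-managed paging file may have no explicit setting at all.
    $sysDrive = $env:SystemDrive
    $pf = Get-CimInstance -ClassName Win32_PageFileSetting |
          Where-Object { $_.Name -like "$sysDrive*" } | Select-Object -First 1

    # Free space on the volume that will receive the dump file
    $dumpDrive = Split-Path -Path $dumpFile -Qualifier
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$dumpDrive'"
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)

    $problems = @()
    if ($cc.CrashDumpEnabled -eq 0) {
        $problems += 'Crash dump creation is disabled (CrashDumpEnabled = 0).'
    }
    if ($cc.CrashDumpEnabled -eq 1) {
        if ($cs.AutomaticManagedPagefile) {
            $problems += 'Paging file is system-managed; a complete dump needs a custom size of RAM + 1 MB on the boot volume.'
        } elseif (-not $pf) {
            $problems += "No paging file is configured on $sysDrive."
        } elseif ($pf.MaximumSize -lt $requiredMB) {
            $problems += "Paging file on $sysDrive is $($pf.MaximumSize) MB; a complete dump needs at least $requiredMB MB."
        }
        if ($freeMB -lt $requiredMB) {
            $problems += "$dumpDrive has $freeMB MB free; a complete dump needs about $requiredMB MB."
        }
    }
    if ($cc.Overwrite -eq 1 -and $cc.CrashDumpEnabled -in @(1, 2)) {
        $problems += 'Overwrite is set: the next complete/kernel dump replaces the previous file, so copy it off before the next crash.'
    }

    [pscustomobject]@{
        DumpType            = $dumpType
        DumpFile            = $dumpFile
        MinidumpDir         = $miniDir
        PhysicalRAM_MB      = $ramMB
        RequiredPagefile_MB = $requiredMB
        PagefileMax_MB      = if ($pf) { $pf.MaximumSize } else { $null }
        AutoManagedPagefile = [bool]$cs.AutomaticManagedPagefile
        FreeOnDumpDrive_MB  = $freeMB
        AutoReboot          = [bool]$cc.AutoReboot
        Problems            = $problems
    }
}

Get-CrashDumpConfig | Format-List
```

Run it before forcing a crash on a test machine: an empty Problems list means the dump type, paging file and free space agree with the requirements slides, so the crash will actually leave a usable file behind.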

25
How to enable creation of a small, kernel, or
complete memory dump file in Windows Server 2008
26
Creating a paging file
  • Click Start, right-click Computer, and then click
    Properties.
  • Click Advanced system settings on the System
    page, and then click the Advanced tab.
  • Click Settings under the Performance area.
  • Click the Advanced tab, and then click Change
    under the Virtual memory area.
  • Select the system partition where the operating
    system is installed. Note: To be able to select
    the system partition, first clear the
    Automatically manage paging file size for all
    drives check box.
  • Under Custom size, set the value of Initial size
    and Maximum size to the amount of installed
    physical RAM plus 1 megabyte (MB).
  • Click Set, and then click OK three times.

27
Enable creation of a memory dump file
  • Click Start, right-click Computer, and then click
    Properties.
  • Click Advanced system settings on the System
    page, and then click the Advanced tab.
  • Click Settings under the Writing debugging
    information area, and then make sure Complete
    memory dump is selected.

28
Tools and methods used to manually force a
system crash
29
  • There are several methods to generate a manual
    kernel dump file or a complete memory dump file.
  • These methods include the keyboard shortcut
    (PS/2 or USB keyboards), the NotMyFault.exe tool,
    or the OSR Bang tool.

30
Generate a manual memory dump by using the
keyboard
  • To enable the feature on a computer that uses a
    PS/2 keyboard, follow these steps:
  • Start Registry Editor.
  • Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
  • On the Edit menu, click Add Value, and then add
    the following registry entry:
    Name: CrashOnCtrlScroll
    Data Type: REG_DWORD
    Value: 1
  • Exit Registry Editor, and then restart the
    computer.

31
  • To enable the feature on a computer that uses a
    USB keyboard, follow these steps:
  • 1. Start Registry Editor.
  • 2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters
  • 3. Make sure that the following registry entry is
    enabled:
    Name: CrashOnCtrlScroll
    Data Type: REG_DWORD
    Value: 1
  • 4. Exit Registry Editor.

32
  • After the keyboard shortcut feature is enabled,
    a memory dump file can be generated by holding
    down the right CTRL key and pressing the SCROLL
    LOCK key two times.
  • Note: The USB keyboard feature can only be used
    in Windows Server 2008 if Service Pack 2 or later
    is installed.
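As an added example (not from the slides), the two registry procedures above for PS/2 and USB keyboards can be applied and checked from an elevated PowerShell session with the functions below. Set-CrashOnCtrlScroll supports -WhatIf so the change can be previewed; Get-CrashOnCtrlScroll only reads. The function names are the author's own; the key paths and the CrashOnCtrlScroll REG_DWORD value are the ones the slides give, and as the slides note the setting takes effect only after a restart, and the USB path on Windows Server 2008 needs Service Pack 2 or later.

```powershell
# Added example (not from the slides): enable, disable or inspect the
# keyboard-initiated crash on both the PS/2 (i8042prt) and USB (kbdhid) drivers.
# Requires an elevated session; a restart is needed before the setting is active.

function Set-CrashOnCtrlScroll {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action
    )

    $value = if ($Action -eq 'Enable') { 1 } else { 0 }
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'   # PS/2 keyboards
        'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) {
            # The Parameters subkey normally exists; create it if the driver key lacks it
            if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
                New-Item -Path $key -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess("$key\CrashOnCtrlScroll", "Set REG_DWORD to $value")) {
            # -Force creates the value if missing and overwrites it if present
            New-ItemProperty -Path $key -Name 'CrashOnCtrlScroll' -PropertyType DWord `
                -Value $value -Force | Out-Null
        }
    }
    Write-Verbose 'Restart the computer for the change to take effect.'
}

function Get-CrashOnCtrlScroll {
    # Read-only: report the current state for both keyboard drivers
    foreach ($driver in 'i8042prt', 'kbdhid') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver\Parameters"
        $item = Get-ItemProperty -Path $key -Name 'CrashOnCtrlScroll' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver  = $driver
            Enabled = ($null -ne $item -and $item.CrashOnCtrlScroll -eq 1)
        }
    }
}

# Preview, apply, then verify:
# Set-CrashOnCtrlScroll -Action Enable -WhatIf
# Set-CrashOnCtrlScroll -Action Enable -Verbose
Get-CrashOnCtrlScroll
```

Because this turns a two-key chord into a system crash, leave it enabled only on the machine being diagnosed and run Set-CrashOnCtrlScroll -Action Disable once the dump has been collected.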

33
Memory Dump analysis using the DebugWiz tool
34
Manual system crash using the OSR Bang tool
35
(No Transcript)
36
(No Transcript)
37
Memory Dump analysis using the DebugWiz tool
  • Download the DebugWiz tool from
    http://www.windowsbbs.com
  • Download and install the 32-bit or 64-bit
    Debugging Tools from the Microsoft website by
    clicking the Click to download tools button
    after running the DebugWiz tool.
  • Put a check mark next to the Advanced option.
  • Click the Browse button and browse to
    C:\Program Files\Debugging Tools for Windows (x86)\cdb.exe
  • The program will auto-populate the location for
    saving the debug log and the path to the symbols.
  • The debug log is saved to the root of the C drive
    by default.
  • Click the Generate log button and a log will
    be created.
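DebugWiz is a front end that runs the Microsoft debugger against the dump and saves its output as a log. The script below is an added example, not DebugWiz's code or the slides' own, showing the same step done directly and then reducing the log to the fields an analyst reads first. It assumes the Debugging Tools for Windows are installed (the path, dump file, log file and symbol-store locations are placeholders to adjust), and it uses kd.exe, the kernel debugger shipped in the same package as the cdb.exe the slides point DebugWiz at; the -z, -y, -logo and -c switches and the !analyze -v output field names are the debugger's own. The sample log at the end is constructed so the parser can be tried without a real dump.

```powershell
# Added example (not from the slides or DebugWiz): run the Microsoft debugger on a dump
# to produce an analysis log, and extract the headline fields from "!analyze -v".
# All paths below are placeholders; adjust them to the local installation.

param(
    [string]$DebuggerPath = 'C:\Program Files\Debugging Tools for Windows (x86)\kd.exe',
    [string]$DumpFile     = "$env:SystemRoot\MEMORY.DMP",
    [string]$LogFile      = 'C:\debug.log',
    [string]$SymbolPath   = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'
)

function Invoke-DumpAnalysis {
    param([string]$Debugger, [string]$Dump, [string]$Log, [string]$Symbols)
    if (-not (Test-Path -Path $Debugger)) { throw "Debugger not found: $Debugger" }
    if (-not (Test-Path -Path $Dump))     { throw "Dump file not found: $Dump" }

    # -z opens a crash dump, -y sets the symbol path, -logo writes a fresh log file,
    # -c runs the listed commands; the trailing "q" quits so the call returns
    & $Debugger -z $Dump -y $Symbols -logo $Log -c '!analyze -v; q' | Out-Null
    return $Log
}

function Get-AnalysisSummary {
    param([string[]]$LogLines)
    # Fields that !analyze -v prints as "NAME:  value"; FAILURE_BUCKET_ID is the triage key
    $wanted = 'BUGCHECK_STR', 'PROCESS_NAME', 'MODULE_NAME', 'IMAGE_NAME', 'FAILURE_BUCKET_ID'
    $summary = [ordered]@{}
    foreach ($name in $wanted) {
        $pattern = '^\s*' + [regex]::Escape($name) + '\s*:\s*(.+)$'
        $line = $LogLines | Where-Object { $_ -match $pattern } | Select-Object -First 1
        $summary[$name] = if ($line) { ([regex]::Match($line, $pattern).Groups[1].Value).Trim() } else { $null }
    }
    # Final verdict line, e.g. "Probably caused by : driver.sys ( driver!Function+offset )"
    $causePattern = '^Probably caused by\s*:\s*(.+)$'
    $cause = $LogLines | Where-Object { $_ -match $causePattern } | Select-Object -First 1
    $summary['ProbablyCausedBy'] = if ($cause) { ([regex]::Match($cause, $causePattern).Groups[1].Value).Trim() } else { $null }
    [pscustomobject]$summary
}

# Constructed excerpt of an !analyze -v log (not real output) so the parser runs offline
$sampleLog = @'
BUGCHECK_STR:  0x7E
PROCESS_NAME:  System
MODULE_NAME: example_drv
IMAGE_NAME:  example_drv.sys
FAILURE_BUCKET_ID:  0x7E_example_drv!DispatchRead+1a
Probably caused by : example_drv.sys ( example_drv!DispatchRead+1a )
'@ -split "`r?`n"

Get-AnalysisSummary -LogLines $sampleLog | Format-List

# Against a real dump (uncomment once the paths above are correct):
# $log = Invoke-DumpAnalysis -Debugger $DebuggerPath -Dump $DumpFile -Log $LogFile -Symbols $SymbolPath
# Get-AnalysisSummary -LogLines (Get-Content -Path $LogFile) | Format-List
```

The summary object is what to attach to a support case or compare across several dumps: identical FAILURE_BUCKET_ID values across machines point at one defect, while IMAGE_NAME tells you which driver or module to look at first.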

38
Screenshot of the DebugWiz tool
39
(No Transcript)
40
Screenshot from a debug log
41
Q & A
42
Thank you