Kernel-Mode Memory Dump File

The Windows operating systems can generate a kernel-mode memory dump file when a Stop error (also known as a "blue screen", system crash, or bug check). There are three kinds of kernel-mode memory dump files.

  • Complete Memory Dump
  • Kernel Memory Dump
  • Small Memory Dump

The difference between these dump files is one of size. The Complete Memory Dump is the largest and contains the most information, the Kernel Memory Dump is somewhat smaller, and the Small Memory Dump is only 64 KB in size. For more details, see Reference [1].

Notes:
1. The Complete Memory Dump option is not available on computers that are running a 32-bit operating system and that have 2 GB or more of RAM.
2. A paging file is required on the boot volume. For Small Memory Dump, the paging file shall be at least 20 MB. For Kernel Memory Dump, the paging file shall be no smaller than 1.5 times the RAM size if the RAM size is not greater than 1,373 MB, or no smaller than 2,060 MB if the RAM size is greater than 1,373 MB. For Complete Memory Dump, the paging file shall be large enough to hold all of the physical RAM plus 1 MB.

Configure the Dump Type

During a system crash, the Windows dump settings determine whether a dump file will be created, and if so, what size the dump file will be. To configure the dump type, follow these steps.

Step 1. Click Start, and then click Control Panel.
Step 2. Click Performance and Maintenance, and then click System.
Step 3. On the Advanced tab, click Settings under Startup and Recovery.

configure memory dump type 2

Force a Memory Dump

A system crash can be caused directly from the keyboard, thus resulting in a memory dump.

PS/2 keyboards connected on i8042prt ports
This feature is available in Windows 2000 and later versions of Windows operating system.
USB keyboards
This feature is available in Windows 2003 and later versions of Windows operating system.

To enable this feature, follow these steps.

Step 1. Configure the memory dump type, choose the path and file name. See Configure the Dump Type
Step 2. In the registry key
(For PS/2 keyboards) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, or
(For USB keyboards) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters,
create a value named CrashOnCtrlScroll, and set it equal to a REG_DWORD value of 0x01.
Step 3. Restart the computer for these settings to take effect.

Now the keyboard crash can be initiated by using the following hotkey sequence:
Hold down the rightmost CTRL key, and press the SCROLL LOCK key twice.

Notes
1. It is possible for a system to freeze in such a way that the keyboard shortcut sequence will not work. However, this should be a very rare occurrence. Using the keyboard shortcut sequence to initiate a crash will work even in many instances where CTRL+ALT+DELETE does not work.
2. Forcing a system crash from the keyboard does not work if the computer stops responding at a high interrupt request level (IRQL). This limitation exists because the Kbdhid.sys driver, which allows the memory dump process to run, operates at a lower IRQL than the i8042prt.sys driver.

For developers, another way to force a memory dump is to use debug tools like KD or WinDbg by .crash or .dump command.

Reference

[1] http://support.microsoft.com/kb/254649
[2] http://support.microsoft.com/kb/244139

Knowledge Base
Contact Us

E-mail To: