How to Create a Full Memory Dump

Article:HOWTO31321  |  Created: 2010-09-14  |  Updated: 2013-12-18  |  Article URL http://www.symantec.com/docs/HOWTO31321
Article Type
How To



Question/Issue:

Symantec Development often needs a full memory dump from an affected system to identify the cause of a crash.
The following directions ensure that a full (complete) memory dump is generated instead of a mini-dump.
 
Details
 
Before proceeding any further, be sure to read the following Microsoft document: http://support.microsoft.com/kb/254649
The above document is an overview of the memory dump process per Microsoft and is considered "Best Guidance" for this task.
 
First, check the page file settings and adjust as necessary:
 
1. Open the Control Panel and double-click on System (alternate method: right-click on My Computer)
2. Select the Advanced tab
3. Under "Performance" click on the Settings button
4. Select the Advanced tab
5. Click on the "Change" button
6. Check that the page file on the boot drive is large enough to hold the entire contents of physical memory plus one megabyte.  For example, if the system has 1 gigabyte of memory (1024 megabytes), the "Initial size" field should be at least 1025 megabytes (memory size plus 1 MB).
7. Adjust the page file size if necessary
8. Click the Set button
9. Click OK
10. Dismiss any "reboot required" dialog boxes -- reboot later
11. Click OK
12. Leave the System Properties window open and proceed to the next section
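As an added example (not part of the Symantec article), the following PowerShell script performs the same page-file check from the command line without changing anything. It reads physical memory, the configured page file on the boot volume and the free space on that volume through the WMI classes Win32_ComputerSystem, Win32_PageFileSetting, Win32_OperatingSystem and Win32_LogicalDisk, and compares them against the article's rule of memory plus 1 MB. It assumes an elevated prompt and that the page file used for the dump is the one on the boot drive.

```powershell
# Added example, not part of the Symantec article: read-only readiness check for
# the page-file requirement in the steps above (page file on the boot drive must be
# at least physical memory + 1 MB). Run from an elevated PowerShell prompt.

# Physical memory in MB (WMI reports bytes).
$cs     = Get-WmiObject -Class Win32_ComputerSystem
$ramMB  = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
$needMB = $ramMB + 1          # the article's rule: memory size plus one megabyte

# Boot drive, e.g. "C:". The crash is staged in the page file on this volume.
$bootDrive = (Get-WmiObject -Class Win32_OperatingSystem).SystemDrive

# Explicitly sized page files. An empty result means the size is system-managed
# (or there is no page file); set an explicit Initial size as the steps above describe.
$pageFiles = Get-WmiObject -Class Win32_PageFileSetting
$bootPf    = $pageFiles | Where-Object { $_.Name -like "$bootDrive*" }

Write-Host ("Physical memory : {0} MB" -f $ramMB)
Write-Host ("Required initial: {0} MB (memory + 1 MB)" -f $needMB)

if (-not $bootPf) {
    Write-Warning "No explicitly sized page file on $bootDrive (system-managed or none). Set Initial size to at least $needMB MB."
} elseif ($bootPf.InitialSize -lt $needMB) {
    Write-Warning ("Page file on {0} has Initial size {1} MB; raise it to at least {2} MB." -f $bootDrive, $bootPf.InitialSize, $needMB)
} else {
    Write-Host ("Page file on {0}: Initial {1} MB / Maximum {2} MB - OK" -f $bootDrive, $bootPf.InitialSize, $bootPf.MaximumSize)
}

# Free space for the MEMORY.DMP that savedump.exe writes after the reboot
# (same rule of thumb: all physical memory + 1 MB).
$vol    = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$bootDrive'"
$freeMB = [math]::Floor($vol.FreeSpace / 1MB)
if ($freeMB -lt $needMB) {
    Write-Warning ("Only {0} MB free on {1}; need at least {2} MB for MEMORY.DMP, or point the dump at another NTFS volume." -f $freeMB, $bootDrive, $needMB)
} else {
    Write-Host ("Free space on {0}: {1} MB - OK" -f $bootDrive, $freeMB)
}
```

The script only reports; the page file itself is still adjusted through the System Properties dialog in the steps above, so the window can stay open while this runs.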
 
Next, enable complete memory dumps:
A complete memory dump is the entire contents of physical memory written to disk.  The standard rule of thumb for ensuring there is enough free disk space to capture a full memory dump is:
Free Disk Space = All of Physical Memory + 1 MB.  If the system cannot provide enough free disk space, another option is to attach an NTFS-formatted USB drive that has enough free disk space.

Steps to enable complete memory dumps:
1. Under "Startup and Recovery" click the Settings button
2. Under "Write debugging information" select "Complete memory dump" from the drop down list box.
3. Check the box "Overwrite any existing file"
4. Click OK
5. A message about pagefile requirements may be displayed -- if so, click Yes
6. Click OK
 
Note: If the “Complete memory dump” option is missing from the drop down menu, it can be enabled through the registry instead.  See the “New behavior in Windows 7 and Windows Server 2008 R2” section of the following document for more information:  http://support.microsoft.com/kb/969028
 
 
Next, enable pool tagging to enhance the dump:
1. Run the Gflags.exe utility.  NOTE: Gflags is installed by default on newer Microsoft operating systems, Windows XP and above.
        If Gflags.exe is not on the system, look in the SupportTools directory of the operating system media.
        See the following Microsoft document:  http://msdn.microsoft.com/en-us/library/ff549557.aspx
2. Check the box "Enable pool tagging"
3. Click OK
4. Reboot the system when prompted, or reboot manually later -- but a reboot must be accomplished for the above changes to take effect.
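The two sections above ("enable complete memory dumps" and "enable pool tagging") both end up as registry values. As an added example that is not part of the Symantec article, the PowerShell script below shows those values so the dialog settings can be verified, and with -Apply sets them the same way the dialog and Gflags do: CrashDumpEnabled and Overwrite under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl (the key Microsoft KB 969028 describes), and the pool-tagging bit (0x400, the gflags "+ptg" flag) in GlobalFlag under Session Manager. It assumes an elevated prompt; a reboot is still required for either change to take effect.

```powershell
# Added example, not part of the Symantec article: registry view of what the
# "Startup and Recovery" dialog and Gflags set above. Shows the current values
# and, with -Apply, sets Complete memory dump + Overwrite + pool tagging.
# Requires an elevated prompt; a reboot is still required afterwards.
param([switch]$Apply)

$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$sm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# CrashDumpEnabled values (Microsoft KB 969028): 0 none, 1 complete, 2 kernel,
# 3 small (mini); 7 is "automatic" on Windows 8 / Server 2012 and later.
$dumpNames = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump';
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
# GlobalFlag bit for "Enable pool tagging" (equivalent to: gflags /r +ptg).
$FLG_POOL_ENABLE_TAGGING = 0x400

$cc = Get-ItemProperty -Path $crash
$gf = (Get-ItemProperty -Path $sm -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
if ($null -eq $gf) { $gf = 0 }

Write-Host ("CrashDumpEnabled : {0} ({1})" -f $cc.CrashDumpEnabled, $dumpNames[[int]$cc.CrashDumpEnabled])
Write-Host ("Overwrite        : {0}" -f $cc.Overwrite)
Write-Host ("DumpFile         : {0}" -f $cc.DumpFile)
Write-Host ("Pool tagging     : {0}" -f ($(if ($gf -band $FLG_POOL_ENABLE_TAGGING) { 'enabled' } else { 'disabled' })))

if ($Apply) {
    # 1 = Complete memory dump; Overwrite = 1 matches "Overwrite any existing file".
    Set-ItemProperty -Path $crash -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $crash -Name Overwrite        -Value 1 -Type DWord
    # OR the pool-tagging bit in without disturbing any other global flags.
    Set-ItemProperty -Path $sm    -Name GlobalFlag -Value ($gf -bor $FLG_POOL_ENABLE_TAGGING) -Type DWord
    Write-Host 'Set Complete memory dump, Overwrite=1 and pool tagging. Reboot for the changes to take effect.'
}
```

Running it without -Apply after working through the dialogs is a quick way to confirm that "Complete memory dump" really took (CrashDumpEnabled = 1) before the system is rebooted and left to wait for the crash.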
 
After the crash:
When the blue screen occurs, Windows writes the contents of system memory to the page file.  NOTE: Record the Stop Code displayed on the screen.
On reboot, a process called "savedump.exe" copies the contents of the page file to the MEMORY.DMP file on disk.  Do not interrupt savedump.exe while it is running; otherwise MEMORY.DMP will be truncated and possibly corrupted.  To confirm that the dump has been completely written, watch the savedump.exe process in Task Manager until it exits.
 
The resulting MEMORY.DMP file can be quite large.  However, most of its contents are zeroed memory, so it compresses (with WinRAR, for example) to a much smaller size.
A one gigabyte memory dump will usually compress down to 100-300 megabytes, which allows for much easier transfer across the network.
 
Keep in mind that many zip compression routines have been known to corrupt the original file if it is over 2GB in size. 
For original files over 2GB in size, Symantec recommends one of the following options:
a. RAR the original file.
b. Copy the original file to a removable, NTFS formatted USB drive and ship it to Symantec.  Symantec's policy is to return the media once the data analysis is finished.
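As an added example (not part of the Symantec article), the PowerShell script below checks the points made in the two sections above before a dump is handed off: that savedump.exe is no longer running, that MEMORY.DMP has stopped growing, that the file carries the expected crash-dump signature ("PAGEDUMP" for 32-bit Windows, "PAGEDU64" for 64-bit), and which transfer option the article recommends for its size. It also writes a SHA-256 hash next to the file so the receiving side can confirm the dump survived compression and transfer intact. The dump path is an assumption (the default %SystemRoot%\MEMORY.DMP); use the DumpFile value under CrashControl if it was changed.

```powershell
# Added example, not part of the Symantec article: verify that MEMORY.DMP is
# complete, record a SHA-256 hash for the transfer, and choose the transfer
# option the article recommends by size. Run from an elevated prompt.
# Assumption: the default dump location; adjust if DumpFile points elsewhere.
$dump = Join-Path $env:SystemRoot 'MEMORY.DMP'

# 1. savedump.exe must not still be copying from the page file
#    (interrupting it truncates or corrupts the dump).
if (Get-Process -Name savedump -ErrorAction SilentlyContinue) {
    throw 'savedump.exe is still running; wait for it to finish before touching MEMORY.DMP.'
}
if (-not (Test-Path $dump)) { throw "No dump at $dump. Check the DumpFile value under CrashControl." }

# 2. The size must be stable; a growing file is still being written.
$size1 = (Get-Item $dump).Length
Start-Sleep -Seconds 10
$size2 = (Get-Item $dump).Length
if ($size1 -ne $size2) { throw 'MEMORY.DMP is still growing; try again later.' }

# 3. Signature check: 32-bit dumps start with "PAGEDUMP", 64-bit dumps with "PAGEDU64".
$fs  = [System.IO.File]::OpenRead($dump)
$hdr = New-Object byte[] 8
[void]$fs.Read($hdr, 0, 8)
$fs.Close()
$sig = [System.Text.Encoding]::ASCII.GetString($hdr)
if (@('PAGEDUMP', 'PAGEDU64') -notcontains $sig) {
    throw "Unexpected header '$sig'; the file may be truncated or corrupt."
}

# 4. SHA-256 for an integrity check on the receiving side (.NET call, so it also
#    works on PowerShell versions that predate Get-FileHash).
$sha  = [System.Security.Cryptography.SHA256]::Create()
$fs   = [System.IO.File]::OpenRead($dump)
$hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
$fs.Close()
"$hash  MEMORY.DMP" | Set-Content -Path "$dump.sha256"

# 5. Transfer recommendation from the article: zip routines can corrupt files over 2 GB.
$sizeGB = [math]::Round($size2 / 1GB, 2)
Write-Host ("MEMORY.DMP: {0} GB, header {1}, SHA-256 {2}" -f $sizeGB, $sig, $hash)
if ($size2 -gt 2GB) {
    Write-Host 'Over 2 GB: RAR the file or ship it on an NTFS-formatted USB drive; avoid zip routines.'
} else {
    Write-Host 'Under 2 GB: compress (RAR or zip) and compare the SHA-256 after transfer.'
}
```

Recompute the hash on the uncompressed file at the receiving end and compare it with the .sha256 file; a mismatch means the archive, not the crash, is what needs investigating first.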
 
Comment on non full memory dumps:
The more complex the issue, the more detail is required to analyze it effectively and determine root cause.  While kernel dumps, or other types of memory dumps, may contain the minimum data required, the possibility that additional data will be needed to determine root cause must be considered.
 
Depending on the primary function of the system (DNS Server, Exchange Server, Firewall, etc.) that is experiencing the issue and generates the dump, scheduling maintenance time to collect additional data can be problematic.  This possibility should be considered and discussed before deciding what type of dump is to be generated.
 
In general, a mini-dump (the Microsoft default) or an ADPlus dump is not informative enough for effective root cause analysis.
 
Technical Information   
A. How to generate a kernel or a complete memory dump file in Windows Server 2008
 
B. Collecting a complete memory dump on Windows 2000, XP or 2003 systems that have over 2GB of RAM can be difficult.  It is possible to work around this issue by limiting the amount of memory visible to Windows.
 
Two methods can be used to decrease the amount of visible memory to 2GB or less.
1. The first option is to use the /maxmem switch, which is detailed by Microsoft at the following link:
2. The second option, and the one recommended for Windows XP or 2003, is the /burnmemory switch.  This is detailed by Microsoft at the following link:
 
More detail on how to accomplish a full dump on these operating systems can be found here:

C. Many times the memory dump will need to be Administrator initiated if the issue under investigation does not cause the system to crash.
There are two commonly accepted methodologies for causing a system to generate a memory dump: 
1. BANG! -- Crash on Demand Utility (See attachment, Band_v21.zip)
V2.1 supports x64, IA64 and Vista, and the drivers are signed.  The zip file includes WNET, which is the Server 2003 image distribution.
Usage: bang [-s], where -s indicates that the system should be crashed automatically.
http://www.osronline.com/article.cfm?article=153

You will have to join OSR Online as a user, but it is free to join and then free to download the utility.

2. Keyboard initiated dump:
Windows feature lets you generate a memory dump file by using the keyboard -
http://support.microsoft.com/kb/244139
http://msdn.microsoft.com/en-us/library/ff545499.aspx
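The keyboard-initiated dump in method 2 is turned on through a registry value, CrashOnCtrlScroll, as Microsoft KB 244139 describes. As an added example that is not part of the Symantec article, the PowerShell script below sets (or with -Disable clears) that value for PS/2 keyboards (the i8042prt service, which is what the KB covers) and for USB keyboards (the kbdhid service; an assumption here is that the target build supports the kbdhid value, which Windows Vista and later do), then checks that CrashControl is configured for a complete dump so the resulting crash actually produces the full MEMORY.DMP the article asks for. It assumes an elevated prompt, and a reboot is required before the key combination works.

```powershell
# Added example, not part of the Symantec article: enable the keyboard-initiated
# crash from Microsoft KB 244139 (hold the right CTRL key, press SCROLL LOCK twice).
# i8042prt = PS/2 keyboards (the KB's case); kbdhid = USB keyboards on Vista and
# later (assumption about the target build). Elevated prompt and a reboot required.
param([switch]$Disable)

$value = if ($Disable) { 0 } else { 1 }
$keys  = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',  # PS/2 keyboards
    'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards
)

foreach ($k in $keys) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    Set-ItemProperty -Path $k -Name CrashOnCtrlScroll -Value $value -Type DWord
    $cur = (Get-ItemProperty -Path $k -Name CrashOnCtrlScroll).CrashOnCtrlScroll
    Write-Host ("{0}\CrashOnCtrlScroll = {1}" -f $k, $cur)
}

# The keyboard only triggers the bug check; the dump type still comes from
# CrashControl, so confirm it is set to Complete (1) before relying on this.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
if ($cc.CrashDumpEnabled -ne 1) {
    Write-Warning ("CrashDumpEnabled is {0}, not 1 (Complete): the keyboard crash will not produce a full dump." -f $cc.CrashDumpEnabled)
}
if (-not $Disable) {
    Write-Host 'Reboot to activate. Then hold the right CTRL key and press SCROLL LOCK twice to generate the dump.'
}
```

Because the key combination halts the machine immediately, it belongs in the scheduled maintenance window discussed under "Comment on non full memory dumps" above, and running the script with -Disable afterwards removes the trigger once the dump has been collected.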



Legacy ID: 2004101505155748