Most of the time people know, on crash windows operating system creates memory dump. The knowledge ,How its being completed ? is missing. We have seen the below image most of the time. did you ever try to see what it is dumping or where it is dumping ?

Dumping the Physical Memory

Dumping the Physical Memory

Here I am trying to understand the process of memory.dmp file creation.

STEP 1 :
When we configure our system for Dump :-

  1. System makes a copy of disk miniport driver name with “dump_”.[used to write to the boot volume in memory]
  2. System checks the component such as copied disk miniport driver , I/O manager functions boot volume’s page file on the disk which are involved with the writing of dump file.
  3. System create and saves a checksums of all component involved from previous step.

STEP 2 :
When the KeBugCheck function executed in short when machine Bugchecks , it checksums the components again and compare to the one created at boot time.

STEP 3 :

Condition, If checksums

  1. Don’t Match : No dump file is written (because of the risk of corrupting the disk).
  2. Matches : The dump information is written directly to the sectors on disk occupied by the page file.

Performing the task while writing the dump information the File System Driver is completely by passed as there are chance of getting corrupted due to crash or may be the cause of crash.

Paging is already enable at the boot time by SMSS.EXE ,system checks if there is a crash dump already present on the Boot volume.

If pagefile exists, then this part of the page file is protected. Which makes all (or part) of the boot volume’s page file unusable during the early part of the boot process.
This may result in notifications that the system is low on virtual memory which is a temporary condition.

Later in the boot process, WINLOGON.EXE calls the SAVEDUMP.EXE process to extract the dump from the page file and copy it to the final location that is specified in the Dump File field.

Reference Article : KB886429

  1. With a little bit of difference in Windows Server 2003 with reference to the above mentioned article.
  2. Server reboot after the bugcheck.
  3. Windows needs a temporary file on the boot volume equal to the size of physical RAM.
  4. If insufficient disk space is met, the dump file will still get generated, however the page file size on this volume is reduced.
  5. During first stage of the dump operation, the Session Manager Subsystem (SMSS.EXE) examines the page file head block to determine whether the file is a valid memory dump.
  6. If the file is valid, then SMSS.EXE truncates the page file to the size of the dump file and renames the file to Dumpxxx.tmp (the xxx value is calculated from the Lower Word of the tickcount function).
  7. SMSS stores the Dumpxxx.tmp file on the boot volume and sets a TempDestination value and a DumpFile value in a volatile registry subkey (HKLM\System\CurrentControlSet\Control\CrashControl\MachineCrash).
  8. SAVEDUMP.EXE reads this registry location to determine if a valid memory dump exists and copies the Dumpxxx.tmp file to Memory.dmp.

So do you think, we can get memory.dmp file if machine bugchecks and we get the disk directly attached to another machine or even by exposing the disk without rebooting the machine ?

Keep on thinking….