Sometimes it is really important to know and understand the root cause of a machine hanging or crashing. Normally we collect a memory dump and have it analyzed to find the solution, but what if no memory dump is being produced?
Before we start we must understand what a memory dump is and what kinds exist. We also need to understand what information we can get from each kind of memory dump, so that we can configure it properly.

What is Memory Dump?

  • Contents of the physical memory at the time of the crash.
  • There are three different types of dump that can be captured when a system crashes:
    1. Small Dump
    2. Kernel Dump
    3. Complete Memory Dump
  • We can capture Process dump as well.

What is Small Memory Dump?

A small memory dump (also called a minidump) is a 64KB dump (128KB on 64-bit systems) that contains the stop code, its parameters, the list of loaded device drivers, information about the current process and thread, and the kernel stack for the thread that caused the crash.
This dump file type includes the following information:

  • The Stop message and its parameters and other data
  • A list of loaded drivers
  • The processor context (PRCB) for the processor that stopped
  • The process information and kernel context (EPROCESS) for the process that stopped
  • The thread information and kernel context (ETHREAD) for the thread that stopped
  • The Kernel-mode call stack for the thread that stopped

What is Kernel Memory Dump?

A kernel dump contains only the kernel-mode read/write pages that were present in physical memory at the time of the crash. It has no pages belonging to user-mode processes. The list of running processes, the state of the current thread and the list of loaded drivers are stored in non-paged memory, which is saved in a kernel memory dump. The size of a kernel memory dump varies with the amount of kernel-mode memory allocated by the operating system and by the drivers present on the system.

Physical RAM    Min. Page File Size
<128MB          50MB
<4GB            200MB
<8GB            400MB
>=8GB           800MB

What is Complete Memory Dump?

A complete memory dump contains the entire contents of physical memory at the time of the crash. This type of dump requires a page file at least the size of physical memory plus 150MB (for the header). Because of the page file requirement, this is an uncommon setting, especially for systems with large amounts of RAM.

To get a memory dump on every crash, we need to understand the importance of the page file and its configuration.

Page File Configuration on Root Drive

  • Click Start, right-click Computer, and then click Properties.
  • Click Advanced system settings on the System page, and then click the Advanced tab.
  • Click Settings under the Performance area.
  • Click the Advanced tab, and then click Change under the Virtual memory area.
  • Select the system partition where the operating system is installed.

Note: To enable the system partition, you have to click to clear the Automatically manage paging file size for all drives check box.
Under Custom size, set both Initial size and Maximum size to the amount of physical RAM that is installed plus 1 megabyte (MB).

  • Click Set, and then click OK three times.
  • Restart Windows in order for your changes to take effect.

Pagefile Configuration

Page File Configuration on Other Drive

  • In Windows Vista and Windows Server 2008, the paging file does not have to be on the same partition as the operating system in order to get a memory dump, as was required in previous versions.
  • To create the DedicatedDumpFile and DumpFileSize registry entries, follow these steps:
    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
    3. Create a new String Value named DedicatedDumpFile whose Value data is the path <drive>:\<dedicateddumpfile.sys>, and then click OK.
    4. Create a new DWORD value named DumpFileSize whose value is the size in MB, with Decimal selected under Base.
    5. Right-click DumpFile, and then click Modify. In the Value data box, type <drive>:\<path>\Memory.dmp, and then click OK.
    6. Exit Registry Editor.
  • Restart Windows in order for your changes to take effect.

At times we might face resource limitations; however, it is important to get a memory dump in order to fix the issue.

Reducing Physical RAM size

  • To reduce the physical memory on the computer, use the truncatememory or removememory options of BCDEdit.exe on Windows Server 2008 and other systems that boot from a BCD store.
  • To reduce the physical memory on the computer, use the /maxmem or /burnmem switches in boot.ini on Windows Server 2003.
  • On a 32-bit version of Windows Server 2008 that has Physical Address Extension (PAE) enabled, the paging file can be extended beyond 4 GB (4,096 MB) in size.
  • To verify whether PAE is enabled, follow these steps:
    1. Click Start, click Run, type Regedit, and then click OK.
    2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    3. Click PhysicalAddressExtension, and then click Modify.
    4. In the Edit DWORD Value dialog box, check the value of the PhysicalAddressExtension entry. If the value is zero (0), PAE is disabled. If the value is 1, PAE is enabled.
  • Restart Windows in order for your changes to take effect.

Enable Complete Memory Dump

To enable the Complete memory dump option, manually set the CrashDumpEnabled registry entry to 0x1 under the following registry subkey and restart Windows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
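One way to apply the DedicatedDumpFile, DumpFileSize, DumpFile and CrashDumpEnabled settings from the steps above and check the page file against the sizing table, as an added PowerShell example that is not part of the original post; the function names and the example drive paths are assumptions:

```powershell
# Added example, not code from the original post: apply the CrashControl values the
# post describes (complete dump written to a dedicated dump file on another drive)
# and check the page file against the RAM-based minimums the post lists.
# The paths passed in are assumptions. Run elevated; a restart is needed afterwards.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-CompleteDumpConfig {
    param(
        [Parameter(Mandatory)][string]$DedicatedDumpFile,  # e.g. 'D:\dedicateddumpfile.sys'
        [Parameter(Mandatory)][string]$DumpFile,           # e.g. 'D:\Dumps\Memory.dmp'
        [Parameter(Mandatory)][int]$DumpFileSizeMB         # decimal megabytes, as in step 4
    )
    # CrashDumpEnabled 0x1 selects the Complete memory dump
    New-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $CrashControl -Name DedicatedDumpFile -Value $DedicatedDumpFile -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $CrashControl -Name DumpFileSize -Value $DumpFileSizeMB -PropertyType DWord -Force | Out-Null
    # DumpFile is REG_EXPAND_SZ by default, so keep that type when pointing it elsewhere
    New-ItemProperty -Path $CrashControl -Name DumpFile -Value $DumpFile -PropertyType ExpandString -Force | Out-Null
    Get-ItemProperty -Path $CrashControl | Select-Object CrashDumpEnabled, DedicatedDumpFile, DumpFileSize, DumpFile
}

function Test-PageFileForDump {
    # Minimums from the post: kernel dump tiers by installed RAM, complete dump needs RAM + 150 MB.
    $cs    = Get-CimInstance Win32_ComputerSystem
    $ramMB = [math]::Floor($cs.TotalPhysicalMemory / 1MB)
    $kernelMinMB = if ($ramMB -lt 128) { 50 } elseif ($ramMB -lt 4096) { 200 } elseif ($ramMB -lt 8192) { 400 } else { 800 }
    $completeMinMB = $ramMB + 150
    if ($cs.AutomaticManagedPagefile) {
        # Win32_PageFileSetting is empty while "Automatically manage paging file size" is on;
        # the post's procedure requires clearing that box and choosing a custom size.
        return [pscustomobject]@{ RamMB = $ramMB; PageFile = '(system managed)'
                                  Advice = "set a custom page file of at least $completeMinMB MB" }
    }
    foreach ($pf in Get-CimInstance Win32_PageFileSetting) {
        # MaximumSize is in MB; 0 means this particular file is still system managed
        [pscustomobject]@{
            RamMB          = $ramMB
            PageFile       = $pf.Name
            MaximumSizeMB  = $pf.MaximumSize
            KernelDumpOK   = ($pf.MaximumSize -ge $kernelMinMB)
            CompleteDumpOK = ($pf.MaximumSize -ge $completeMinMB)
        }
    }
}
```

Run Test-PageFileForDump first: if CompleteDumpOK is false for the dump drive, resize the page file (or use the dedicated dump file on a drive with enough space) before relying on Set-CompleteDumpConfig.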

Usually a memory dump gets generated on every crash; however, when a VM is hung we have to create the crash manually. This can be achieved by various methods, and I am mentioning a few of them here:


Method 01: Right Ctrl + Scroll Lock + Scroll Lock

  • Check the keyboard type (USB or PS/2) and make the registry change under the matching key:
    • For USB

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters

    • For PS/2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

  • Create the following registry entry:

Name: CrashOnCtrlScroll   Data Type: REG_DWORD   Value: 1

Note:

Do not use a KVM switch (a dongle used to connect to multiple machines); the keyboard should be dedicated to the machine.

Method 02: NotMyFault

  • Download the NotMyFault tool from the following Microsoft Web site: Notmyfault.zip
  • Click Start, locate and right-click Command Prompt, and then click Run as administrator.
  • At the command line, type NotMyfault.exe /crash, and then press ENTER.

This produces a BSOD with a "Stop D1" error.

Method 03: NMI (Non-Maskable Interrupt)

  • Make the following change under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

Name: NMICrashDump   Data Type: REG_DWORD   Value: 1

  • Enable the NMI switch in the BIOS or through the Integrated Lights-Out web interface.
  • Disable the Automatic System Recovery (ASR) feature in the BIOS.
  • The resulting BSOD shows STOP 0x00000080 (hardware malfunction).
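The registry changes of Method 01 and Method 03 together, as an added PowerShell example that is not part of the original post; it looks up which keyboard driver is actually installed before writing CrashOnCtrlScroll, and the function name is an assumption:

```powershell
# Added example, not code from the original post: enable the manual crash triggers of
# Method 01 (CrashOnCtrlScroll, under whichever keyboard driver is installed) and
# Method 03 (NMICrashDump). Function name is an assumption. Run elevated and restart;
# NMICrashDump has no effect until the NMI switch is enabled in the BIOS or iLO.
function Enable-ManualCrashTriggers {
    $results = @()
    # Keyboard driver service -> its Parameters key, as listed in the post
    $keyboardKeys = @{
        kbdhid   = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'    # USB keyboards
        i8042prt = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'  # PS/2 keyboards
    }
    foreach ($svc in $keyboardKeys.Keys) {
        # Kernel drivers do not show up in Get-Service, so query Win32_SystemDriver instead
        $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='$svc'"
        if (-not $driver) { $results += "$($svc): driver not installed, skipped"; continue }
        $key = $keyboardKeys[$svc]
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name CrashOnCtrlScroll -Value 1 -PropertyType DWord -Force | Out-Null
        $results += "$($svc) [$($driver.State)]: CrashOnCtrlScroll = 1"
    }
    $crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    New-ItemProperty -Path $crashControl -Name NMICrashDump -Value 1 -PropertyType DWord -Force | Out-Null
    $results += 'CrashControl: NMICrashDump = 1'
    $results
}
```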

Method 04: WinDbg remotely through a null modem cable

  • On the machine with the problem, add the following to boot.ini:

/debug /debugport=com1 /baudrate=57600

  • Boot the server in debug mode.
  • On the remote computer:
    1. Run WinDbg and choose Kernel Debug.
    2. Set the baud rate to 57600, set the COM port to 1, click OK, and then click No when asked to save the workspace.
    3. On the Debug menu, click Break.
    4. After you receive the message that states that you have pressed CTRL+BREAK, type .crash.
    5. On the File menu, click Exit, and then click No when asked to save the workspace.

Method 05: Hyper-V virtual machines, tool: vm2dmp

  • Create a dump file from a virtual machine:  vm2dmp.exe -vm <machinename> -dmp C:\VM\memory.dmp
  • Create a dump file from a snapshot's state:  vm2dmp.exe -vm <machinename> -snap "<machinename - snapshot>" -dmp C:\VM\memory.dmp
  • Create a dump file from the virtual machine state files:  vm2dmp.exe -bin C:\VM\example.bin -vsv C:\VM\example.vsv -dmp C:\VM\memory.dmp

http://archive.msdn.microsoft.com/vm2dmp

Method 06: VMware virtual machines, tool: vmss2core

  • Create a snapshot or suspend the virtual machine.
  • Locate the snapshot (.vmsn) or suspend file (.vmss) in the virtual machine directory.

Steps to convert the snapshot file to a memory dump (.dmp file):

  1. Open an administrative command prompt and go to the location where the snapshot and suspend files are located.
  2. Run the following command for VMs running on an ESX server:  vmss2core -W <vmsn file> (or <vmss file>)
  3. Press Enter; the memory dump will be generated in the current directory.

Note: Install VMware Workstation on your Windows host machine and you will find the vmss2core tool in the following location: "C:\Program Files\VMware\VMware Workstation"

Method 07: WMIC

wmic /node:<machine.name> process where(caption="csrss.exe") call terminate

Reference
http://msdn2.microsoft.com/en-us/library/aa394531.aspx

Method 08: CRASH.EXE

  • Install the Crash.exe tool and set it as the default debugger.
  • To do this, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
  • In the Debugger registry value, type the full path of the Crash.exe file in the Value data box, and then click OK.
  • Microsoft does not provide support for this.

Method 09: PsExec

Command:  psexec \\remotecomp.name -c Application.exe
Application.exe: NotMyFault, crash.exe, etc.
Process Explorer, Task Manager and many other applications can also be used to bring about a crash.