╔═══════════════════════════════════════
║ Instructions - Debugging - Dump Configuration and Initiation
┌───────────────────────────────────────
│ References
• NotMyFault
• Windows Sysinternals
• Operating System Version
• User Account Control
┌───────────────────────────────────────
│ Conventions
• %SYSTEMDRIVE% and %SYSTEMROOT% are SYSTEM environment variables whose values may be determined at the cmd.exe prompt with the command 'set'.
• 'Bugcheck' or 'Stop Error' are the correct technical terms for what is mischaracterized as a 'Blue Screen of Death/BSOD'.
· A bugcheck:
· is often perceived by users as a 'crash'.
· is almost always due to a non-Microsoft, third-party kernel mode module.
· is not a crash; it is an intentional stop of the operating system.
· is deliberate because kernel mode modules have complete operating system control and can therefore jeopardize operating system integrity and user data.
· alerts the user and prevents user data corruption or loss.
· ~99% of bugchecks are kernel mode anomaly detections.
· A kernel mode anomaly will result in the operating system triggering a bugcheck.
· ~1% of bugchecks are user mode critical system service failures.
· A user mode critical system service failure will result in the operating system triggering a bugcheck.
• This document assumes that the defaults are used for all items.
· e.g. Windows 6.x and uplevel allow a different paging file to be specified for dumps.
┌───────────────────────────────────────
│ Notes
____________________
Manually-Initiated Bugcheck
· A manually-initiated bugcheck can be triggered by the user.
· The resultant dump file:
· is a snapshot of the content of the computer's physical memory (RAM).
· can be researched to detect problems.
____________________
Microsoft Bugcheck KBs
· Microsoft bugcheck KBs:
· claim support for specific architectures and/or versions of Windows.
· are often not kept current despite applicability to architectures or versions of Windows subsequent to the KB’s publication.
· should be tested if questions of applicability arise.
┌───────────────────────────────────────
│ Configure - Physical Memory
• Note how much physical memory (RAM) is installed; this figure determines the mass storage space and paging file requirements.
· Open: Control Panel
· In the droplist 'View by', select: Small icons
· Click: System
· The 'System' window will appear.
· In the section 'System', locate: Installed memory (RAM)
┌───────────────────────────────────────
│ Configure - Mass Storage Volume
• The virtual memory paging file and the dump file generated by the bugcheck will collectively and conservatively require free mass storage space on the '%SYSTEMDRIVE%' volume equal to or greater than 3x physical memory (RAM). Ensure this free mass storage space exists.
· Open: File Explorer
· Right-Click: The '%SYSTEMDRIVE%' volume
· Select: Properties
· The 'Properties' window will appear.
· In the 'Properties' window, locate: Free space
• When bugchecking, Microsoft Windows copies the contents of physical memory (RAM) to a virtual memory paging file.
· Default: %SYSTEMDRIVE%\pagefile.sys
· The virtual memory paging file location used for bugchecks can be changed in Windows 6.x and uplevel if '%SYSTEMDRIVE%' has insufficient free mass storage space.
• During the post-bugcheck boot, Microsoft Windows copies the dump from the virtual memory paging file to the destination dump file indicated in the computer's configuration.
· Default: %SYSTEMROOT%\Memory.dmp
· The destination dump file location can be changed in Windows 5.x and uplevel if the volume hosting '%SYSTEMROOT%' has insufficient free mass storage space.
┌───────────────────────────────────────
│ Configure - Virtual Memory Paging File
• Determine whether the computer is managing the virtual memory paging file sizes, or whether they are configured manually.
· Open: Control Panel
· In the droplist 'View by', select: Small icons
· Click: System
· The 'System' window will appear.
· Select: Advanced system settings
· If a UAC prompt is displayed click: Yes
· Select tab: Advanced
· Under 'Performance', click: Settings
· The 'Performance Options' window will appear.
· Select tab: Advanced
· In the section 'Virtual Memory', click: Change
• Regardless of the current setting, the objective is to make the virtual memory paging file '%SYSTEMDRIVE%\pagefile.sys' greater than or equal to 'physical memory (RAM) + 100MB'.
· Although the operating system 'should' provision the necessary virtual memory paging file, manual configuration will guarantee that the virtual memory paging file is of adequate size.
• If a change is made to the virtual memory paging file configuration then reboot before proceeding with 'Configure - Dump Settings'.
· Until a reboot is performed, changes made to the virtual memory paging file configuration may, or may not, be active.
• Windows 5.0-5.2 x86
· How to overcome the 4,095 MB paging file size limit in Windows
• Windows 5.2-6.3 x64
· How to determine the appropriate page file size for 64-bit versions of Windows
┌───────────────────────────────────────
│ Configure - Dump Settings
• Configure the current dump settings.
· Open: Control Panel
· In the droplist 'View by', select: Small icons
· Click: System
· The 'System' window will appear.
· Select: Advanced system settings
· If a UAC prompt is displayed click: Yes
· Select tab: Advanced
· In the section 'Startup and Recovery', click: Settings
· The 'Startup and Recovery' window will appear.
· In the section 'System failure', locate: Write debugging information
· In the section 'Write debugging information', locate: an unlabeled 'Dump type' droplist
· In the unlabeled 'Dump type' droplist, select either:
· Kernel memory dump
· A 'Kernel memory dump' will record only Kernel Mode memory.
· Complete memory dump
· A 'Complete memory dump' will record both Kernel and User Mode memory.
· If 'Complete memory dump' is appropriate but is not an option in the unlabeled 'Dump type' droplist:
· For all windows opened within this instruction section 'Configure - Dump Settings', click: Cancel or Close
· In regedit.exe, set: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled REG_DWORD 0x1
· Repeat the instruction section 'Configure - Dump Settings'.
· Click: OK
· The 'Startup and Recovery' window will close.
· Click: OK
· The 'System Properties' window will close.
· Close the 'System' window.
• Windows 5.0-6.2
· Overview of memory dump file options for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
• Windows 5.0-5.2
· How to configure system failure and recovery options in Windows
• Windows 6.0-6.1
· How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2
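• Added example, not part of the original document: a read-only PowerShell check of the prerequisites from the 'Configure' sections above (free space on '%SYSTEMDRIVE%' of at least 3x RAM, paging file of at least RAM + 100MB, and the configured dump type). It assumes PowerShell 3.0 or later; the function name 'Get-DumpReadiness' and its output property names are this example's own.

```powershell
# Added example: reads configuration only, changes nothing.
# Thresholds are the ones this document states: 3x RAM free, RAM + 100MB paging file.
function Get-DumpReadiness {
    # TotalPhysicalMemory is the RAM usable by Windows; it can be slightly
    # below the 'Installed memory (RAM)' figure shown in Control Panel.
    $ramBytes = [uint64](Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $ramMB    = [uint64][math]::Ceiling($ramBytes / 1MB)

    $sysDrive = $env:SystemDrive    # e.g. 'C:'
    $disk     = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"

    # Paging file currently in use on %SYSTEMDRIVE%; AllocatedBaseSize is in MB.
    $pageFile = Get-CimInstance Win32_PageFileUsage |
        Where-Object { $_.Name -like "$sysDrive\*" } |
        Select-Object -First 1
    $pageFileMB = if ($pageFile) { [uint64]$pageFile.AllocatedBaseSize } else { [uint64]0 }

    # CrashDumpEnabled: 0x1 is 'Complete memory dump' (as set in this document);
    # the other values are Microsoft's documented meanings for the same setting.
    $dumpTypes = @{
        0 = 'None'
        1 = 'Complete memory dump'
        2 = 'Kernel memory dump'
        3 = 'Small memory dump'
        7 = 'Automatic memory dump'
    }
    $cc   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $code = [int]$cc.CrashDumpEnabled
    $type = if ($dumpTypes.ContainsKey($code)) { $dumpTypes[$code] } else { "Unknown ($code)" }

    [pscustomobject]@{
        RamMB            = $ramMB
        SystemDrive      = $sysDrive
        FreeSpaceMB      = [uint64][math]::Floor($disk.FreeSpace / 1MB)
        FreeSpaceOK      = $disk.FreeSpace -ge ($ramBytes * 3)
        PagingFileMB     = $pageFileMB
        PagingFileOK     = $pageFileMB -ge ($ramMB + 100)
        DumpType         = $type
        DumpTypeRecorded = $code -in 1, 2    # the two types this section selects between
        DumpFile         = $cc.DumpFile      # destination, default %SYSTEMROOT%\Memory.dmp
    }
}

Get-DumpReadiness | Format-List
```

Any property ending in 'OK' that reads False points back to the matching 'Configure' section above.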
┌───────────────────────────────────────
│ Bugcheck Testing
• Before relying on a manually-initiated bugcheck method, if possible test and validate the selected method on the affected computer prior to investigation.
· Using debugging software, ensure that the resultant dump file is intact (i.e., not truncated or corrupt).
┌───────────────────────────────────────
│ Procedures - Operating System-Initiated Bugcheck
• If the operating system is initiating bugchecks due to an undiagnosed problem then:
· no manually-initiated bugcheck procedures are required.
· await an operating system-initiated bugcheck.
┌───────────────────────────────────────
│ Procedures - Manually-Initiated Bugcheck
• If the operating system will be manually bugchecked:
· There are three methods to manually initiate a bugcheck: Software, Keyboard, and NMI (Non-Maskable Interrupt).
· 'Software' method:
· Useful if the operating system is responding.
· May be useful if the operating system appears to be hung but is still capable of executing a Windows Scheduled Task invoking the Command-Line Sub-Method (below).
· Useful with hardware computers and VMs.
· 'Keyboard' method:
· Useful if the operating system is responding.
· Useful when the operating system appears to be hung.
· Useful with hardware computers.
· 'NMI' method:
· Useful when the operating system appears to be hung.
· Useful with hardware computers equipped with an NMI button or Hyper-V 3.x and uplevel VMs.
____________________
Software Method
· Windows 5.1 and Uplevel
· Download: Sysinternals Suite
· Expand the archive to a temporary folder.
· GUI Sub-Method:
· In explorer.exe:
· Navigate to the temporary folder.
· Start:
· x86: notmyfault.exe
· x64: notmyfault64.exe
· If a UAC prompt is displayed, click: Yes
· If a EULA dialog is displayed, click: OK
· Select the tab: Crash
· Select the radio button: High IRQL fault (Kernel-mode)
· Click the button: Crash
· A bugcheck will occur.
· Command-Line Sub-Method:
· In an administrative, UAC-elevated cmd.exe prompt:
· Navigate to the temporary folder.
· Execute:
· x86: notmyfaultc.exe crash 1
· x64: notmyfaultc64.exe crash 1
· If a UAC prompt is displayed, click: Yes
· If a EULA dialog is displayed, click: OK
· A bugcheck will occur.
____________________
Keyboard Method
· Windows 5.0 and Uplevel
· If the available keyboard does not have:
· a dedicated 'RIGHT CTRL' key (i.e. a 'CTRL' key at the right of the spacebar).
· a dedicated 'SCROLL LOCK' key (i.e. a 'SCROLL LOCK' key that is not accessed via an 'Fn' key).
· then connect a keyboard with the appropriate keys:
· Windows 5.0-5.1 must use a PS/2 keyboard.
· Windows 5.2 and uplevel may use either a PS/2 or USB keyboard.
· Keyboards without these dedicated keys may not function with this procedure.
· Configure the 'RIGHT CTRL + SCROLL LOCK + SCROLL LOCK' bugcheck key sequence.
· In regedit.exe, set:
· For a PS/2 keyboard: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters CrashOnCtrlScroll REG_DWORD 0x1
· For a USB keyboard: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters CrashOnCtrlScroll REG_DWORD 0x1
· Reboot.
· After the reboot, at the appropriate time to bugcheck the computer:
· Press and hold: RIGHT CTRL
· Press and release: SCROLL LOCK
· Press and release: SCROLL LOCK
· A bugcheck will occur.
· Windows 5.2-6.1
· Forcing a System Crash from the Keyboard
· Windows 5.2-6.0 Hotfix
· Windows feature lets you generate a memory dump file by using the keyboard
____________________
NMI Method - Hardware Computer
· Windows 5.0 and Uplevel
· At the appropriate time to bugcheck the computer:
· Press: NMI hardware button
· A bugcheck will occur.
· Windows 5.0-6.2
· How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system
____________________
NMI Method - Hyper-V 3.x and Uplevel
· Hyper-V 3.x Host with a Windows 6.x and Uplevel Guest VM
· This method requires an NMI configuration to be established on the guest VM to be bugchecked.
· How to generate a complete crash dump file or a kernel crash dump file by using an NMI on a Windows-based system
· This method requires the Hyper-V PowerShell Module on the host.
· Essential PowerShell Cmdlets For Managing Hyper-V
· Get a kernel dump of a 2012 R2 Hyper-V server with Powershell
┌───────────────────────────────────────
│ Credits
Any external referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.
I am Christopher Etter, a Professional Services consultant.
Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!