Windows: Understanding Crash Dump Files

This post is about crash dump files: the different types of dumps, how the dumps themselves are generated, and why you will need a correctly sized page file.  So, let's get started ...

By default, all Windows systems are configured to attempt to capture information about the state of the operating system in the event of a system crash.  Remember that we are talking about a total system failure here (a bugcheck, or "blue screen"), not an individual application failure.  The dump file settings are configured using the System tool in Control Panel: open System Properties, and on the Advanced tab there is a section for Startup and Recovery.  Clicking the Settings button brings up the dump file options.  Under the covers these settings live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl (the CrashDumpEnabled value selects the dump type, and DumpFile / MinidumpDir select where it is written).  There are three different types of dump that can be captured when a system crashes:

Complete Memory Dump: This contains the entire contents of physical memory at the time of the crash.  This type of dump requires that there is a page file on the boot volume at least the size of physical memory plus 1MB (for the dump header).  Because of the page file requirement, this is an uncommon setting, especially on systems with large amounts of RAM.  Windows NT4 only supported a Complete Memory Dump.  It is nonetheless the default setting on Windows 2000 Server and Windows Server 2003; later releases default to a kernel memory dump.

Kernel Memory Dump: A kernel dump contains only the kernel-mode read/write pages present in physical memory at the time of the crash.  Since this is a kernel-mode only dump, there are no pages belonging to user-mode processes.  However, it is unlikely that the user-mode process pages would be required, since a system crash (bugcheck) is almost always caused by kernel-mode code.  The list of running processes, the state of the current thread and the list of loaded drivers are stored in nonpaged memory, which is included in a kernel memory dump.  The size of a kernel memory dump will vary based on the amount of kernel-mode memory allocated by the operating system and the drivers present on the system.

Small Memory Dump: A small memory dump (aka minidump) is a 64KB dump (128KB on 64-bit systems) that contains the stop code and its parameters, the list of loaded device drivers, information about the current process and thread, and the kernel stack for the thread that caused the crash.  Because it holds no other memory contents, it is frequently enough to identify the faulting driver but rarely enough to work out why it faulted.

Something to note here: although the need for a complete memory dump is rare when dealing with bugchecks, a complete memory dump is almost always required for manually generated crash dumps used to diagnose soft hangs on a system (for more information regarding the difference between a soft and hard hang, please see our Troubleshooting Server Hangs - Part One).  This is because when looking at soft hangs we will need to look at user-mode processes, deadlocks etc., and only a complete dump contains user-mode memory.  However, regardless of which type of dump you are capturing, there must be a correctly sized page file on the boot volume, because the dump is first written into the page file at crash time and copied out to the dump file on the next boot.  For complete dumps, as stated above, this page file will need to be Physical RAM + 1MB.

So in reviewing the three types of dumps above, the kernel memory dump offers the most practical option when dealing with system crashes and bugchecks.  Remember that the size of a kernel memory dump will vary depending on the amount of kernel-mode memory allocated and the drivers loaded.  On systems with more RAM, it is reasonable to expect that the dump file will be larger, but there is no way to predict the exact size of a kernel memory dump in advance.  When you configure kernel memory dumps, the system checks whether the page file meets a published minimum; however, because the amount of kernel-mode memory in use varies, that minimum is only a floor, and there is no reliable figure for how large the dump (and therefore the page file) might need to be.  The default minimum page file sizes for kernel dumps are shown below:

Physical RAM            Minimum Page File Size (Kernel Dump)
less than 128MB         50MB
128MB to under 4GB      200MB
4GB to under 8GB        400MB
8GB or more             800MB
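The following script is an added example, not code from the original post: it audits a machine's crash-dump configuration against the page file rules described above (RAM + 1MB for a complete dump, the kernel-dump table otherwise) and warns when the page file on the boot volume is too small.  It assumes Windows PowerShell 3.0 or later and an elevated prompt; it only reads the registry and CIM and changes nothing.

```powershell
<#
  Added example, not code from the original post: audit this machine's crash-dump
  configuration against the page file rules above. Read-only; it changes nothing.
  Assumptions: Windows PowerShell 3.0 or later (Get-CimInstance, -in), run from an
  elevated prompt so HKLM and CIM are readable.
#>

# Values of CrashDumpEnabled under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl.
# 0-3 are the classic settings described in the post; 7 (Automatic Memory Dump) exists on
# Windows 8 / Server 2012 and later and is sized like a kernel dump for our purposes.
$DumpTypeNames = @{
    0 = 'None'
    1 = 'Complete Memory Dump'
    2 = 'Kernel Memory Dump'
    3 = 'Small Memory Dump'
    7 = 'Automatic Memory Dump'
}

function Get-MinimumPageFileMB {
    # Minimum boot-volume page file (MB) for a dump type and installed RAM, using the
    # rules from the post: RAM + 1MB for a complete dump, the kernel-dump table otherwise.
    # A small dump needs only a token page file (Microsoft documents 2 MB).
    param([int]$DumpType, [long]$PhysicalRamBytes)
    $ramMB = [math]::Ceiling($PhysicalRamBytes / 1MB)
    switch ($DumpType) {
        0 { return 0 }
        1 { return $ramMB + 1 }
        3 { return 2 }
        default {
            # kernel (2) and automatic (7): the table from the post
            if ($ramMB -lt 128)  { return 50 }
            if ($ramMB -lt 4096) { return 200 }
            if ($ramMB -lt 8192) { return 400 }
            return 800
        }
    }
}

$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpType = [int]$cc.CrashDumpEnabled
$dumpName = if ($DumpTypeNames.ContainsKey($dumpType)) { $DumpTypeNames[$dumpType] } else { "Unknown ($dumpType)" }
# Small dumps go to MinidumpDir; every other type goes to DumpFile (Get-ItemProperty
# expands the %SystemRoot% in that REG_EXPAND_SZ value for us).
$dumpTarget = if ($dumpType -eq 3) { $cc.MinidumpDir } else { $cc.DumpFile }

# Installed RAM from the DIMM inventory rather than Win32_OperatingSystem, which reports
# RAM minus firmware reservations; a complete dump is sized on installed RAM.
$ramBytes = (Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
$required = Get-MinimumPageFileMB -DumpType $dumpType -PhysicalRamBytes $ramBytes

# Only the page file on the boot volume (%SystemDrive%) counts. Win32_PageFileUsage
# reports the size actually allocated, in MB, whether system-managed or set by hand.
$bootDrive = $env:SystemDrive
$bootPageFile = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$bootDrive\*" }

"Dump type        : $dumpName (CrashDumpEnabled=$dumpType)"
"Dump target      : $dumpTarget"
"Installed RAM    : {0:N0} MB" -f [math]::Ceiling($ramBytes / 1MB)
"Required minimum : $required MB on $bootDrive"

if (-not $bootPageFile) {
    Write-Warning "No page file on the boot volume $bootDrive; no dump of any type can be written."
} else {
    $allocated = $bootPageFile.AllocatedBaseSize
    "Boot page file   : $($bootPageFile.Name), $allocated MB allocated"
    if ($allocated -lt $required) {
        Write-Warning "Page file is below the minimum for a $dumpName; the dump will fail or be truncated."
    } elseif ($dumpType -in 2, 7) {
        # The table is a floor only: a real kernel dump can be far larger, so this is
        # only a guess until you have measured a dump from this system.
        "Meets the published minimum, but that is a floor, not a guarantee, for a kernel dump."
    } else {
        "Page file is large enough for a $dumpName."
    }
}
```

One caveat the script does not model: Windows Vista SP1, Windows Server 2008 and later can write the dump to a dedicated file named by the DedicatedDumpFile value under CrashControl instead of relying on the page file, which removes the page-file sizing dependency entirely on those releases.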

If you are concerned about setting the maximum page file size too low to capture a kernel dump, the most reliable way to get an estimate is to force a crash on a representative system using the CrashOnCtrlScroll method described in Microsoft KB Article 244139.  Once the system has rebooted, confirm that a kernel dump was generated and note its size; that figure, with some headroom, is a far better guide than the table above.  The other alternative (for 32-bit systems) is to set the page file on the boot volume to 2GB + 1MB.  This works because the maximum kernel-mode address space on a 32-bit system is 2GB (1GB if the /3GB boot option is in use), so a kernel memory dump cannot exceed that, whatever the amount of physical RAM.
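The following script is an added example, not code from the original post or from KB 244139: it enables the CrashOnCtrlScroll setting the article refers to and, after the resulting bugcheck and reboot, measures the dump that was written.  It assumes an elevated Windows PowerShell 5.1 session and a PS/2 keyboard serviced by i8042prt; the kbdhid key is the equivalent for USB keyboards on the later releases that support it.  Run it only on a machine you are prepared to crash.

```powershell
<#
  Added example, not code from the original post: enable the keyboard-initiated crash
  from KB 244139, then after the reboot measure the kernel dump that was written.
  Assumptions: elevated Windows PowerShell 5.1 (Get-Content -Encoding Byte); a PS/2
  keyboard handled by i8042prt, with the kbdhid key covering USB keyboards on releases
  that support it. The crash is a real bugcheck (stop 0xE2, MANUALLY_INITIATED_CRASH),
  so use a lab machine or a maintenance window.
#>

function Enable-CrashOnCtrlScroll {
    # Sets CrashOnCtrlScroll under the keyboard drivers' Parameters keys. Takes effect after
    # a reboot; afterwards, hold the right CTRL key and press SCROLL LOCK twice to bugcheck.
    # -Disable sets the value back to 0 once you have your measurement.
    param([switch]$Disable)
    $value = if ($Disable) { 0 } else { 1 }
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',
        'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name CrashOnCtrlScroll -Value $value -Type DWord
        "$key\CrashOnCtrlScroll = $value"
    }
}

function Get-LastKernelDumpSize {
    # After the reboot: locate the dump named in CrashControl (DumpFile is REG_EXPAND_SZ and
    # Get-ItemProperty expands %SystemRoot%) and report its size. That size, plus headroom,
    # is what the boot-volume page file needs to be for a kernel dump on this system.
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    if (-not (Test-Path $cc.DumpFile)) {
        Write-Warning "No dump at $($cc.DumpFile). Check the boot-volume page file size and the System event log."
        return
    }
    $dump = Get-Item $cc.DumpFile
    # Every Windows kernel-format dump (small, kernel or complete) begins with the 8-byte
    # signature PAGEDUMP on 32-bit or PAGEDU64 on 64-bit; anything else is not a dump.
    $sig = -join ([char[]](Get-Content -Path $dump.FullName -Encoding Byte -TotalCount 8))
    [pscustomobject]@{
        Path      = $dump.FullName
        Written   = $dump.LastWriteTime
        SizeMB    = [math]::Round($dump.Length / 1MB)
        Signature = $sig
        DumpType  = $cc.CrashDumpEnabled   # 2 = kernel; 1 would be a complete dump
    }
}

# Usage (not run automatically):
#   Enable-CrashOnCtrlScroll ; Restart-Computer
#   ... after the reboot, trigger the crash from the keyboard, wait for the second reboot ...
#   Get-LastKernelDumpSize
#   Enable-CrashOnCtrlScroll -Disable
```

Disable the setting again when you are done: leaving CrashOnCtrlScroll enabled means anyone with console access can take the box down with two keystrokes.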
