EWF and Crash dumps: How to generate kernel dump file or a complete memory dump file

Crash dumps can be configured via the Control Panel or by editing the relevant registry entries (KB307973). Crash dumps (.dmp files) are not created at the time of the crash. Instead, dump data is written to the page file. On the next reboot, this page file is truncated, renamed and moved to its final destination (as configured by the user). By default, the paging file on the boot volume is used.

If having a paging file on the boot volume is not feasible, a separate paging file can be dedicated to generating crash dumps, as outlined below. At the time of the crash, dump data is written directly to the sectors occupied by the page file. This bypasses file system filters and storage volume filters such as EWF. To configure a custom paging file for use with crash dumps, refer to the instructions in KB969028; the relevant section is titled “New behavior in Windows Vista and Windows Server 2008”. After following the instructions in the KB article, verify that the new paging file was indeed created. For example, if you specified D:\MyDedicatedDumpFile.sys as your custom paging file, verify that this file actually exists on D:.

EWF in its current implementation blocks using any protected volume for crash dumps. To generate crash dumps, use a dedicated paging file on an unprotected volume, as outlined in the section above. Both this paging file and the final destination of the crash dump should be located on an unprotected volume. Test this setup by manually initiating a crash; details can be found in KB972110, in the section titled “Generate a manual memory dump using Keyboard”.
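As an added example that is not from the post or the KB articles, the following PowerShell applies the CrashControl registry settings the text refers to and checks the result after the reboot. D:\MyDedicatedDumpFile.sys is the post's example path; D:\Dumps\MEMORY.DMP and the function names are assumptions.

```powershell
# Added example: configure a dedicated dump file on an unprotected volume and verify it.
# Run as Administrator; the kernel creates the dedicated file on the next boot, so
# run Test-DedicatedDumpConfig only after rebooting.
$CrashControl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DedicatedFile = 'D:\MyDedicatedDumpFile.sys'   # dedicated paging file (post's example path)
$DumpDest      = 'D:\Dumps\MEMORY.DMP'          # final .dmp location (assumed); same unprotected volume

function Set-DedicatedDumpConfig {
    param(
        [ValidateSet('Kernel', 'Complete')][string]$Kind = 'Kernel',
        [int]$SizeMB = 0   # DumpFileSize in MB; 0 lets the kernel size the file automatically
    )
    # CrashDumpEnabled: 1 = complete memory dump, 2 = kernel memory dump
    $mode = if ($Kind -eq 'Complete') { 1 } else { 2 }
    New-Item -Path $CrashControl -Force | Out-Null
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled  -Value $mode          -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DedicatedDumpFile -Value $DedicatedFile -Type String
    Set-ItemProperty -Path $CrashControl -Name DumpFileSize      -Value $SizeMB        -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile          -Value $DumpDest      -Type ExpandString
    New-Item -Path (Split-Path -Parent $DumpDest) -ItemType Directory -Force | Out-Null
}

function Test-DedicatedDumpConfig {
    # Reads the live configuration back and checks the dedicated file really exists,
    # as the post asks; also flags the case where both files are not on one volume.
    $cfg = Get-ItemProperty -Path $CrashControl
    $dedVol  = Split-Path -Qualifier $cfg.DedicatedDumpFile
    $destVol = Split-Path -Qualifier $cfg.DumpFile
    $result = [ordered]@{
        CrashDumpEnabled    = $cfg.CrashDumpEnabled
        DedicatedDumpFile   = $cfg.DedicatedDumpFile
        DedicatedFileExists = Test-Path -LiteralPath $cfg.DedicatedDumpFile
        DumpFile            = $cfg.DumpFile
        SameVolume          = ($dedVol -eq $destVol)
        OnSystemDrive       = ($dedVol -eq $env:SystemDrive)
    }
    if (-not $result.DedicatedFileExists) {
        Write-Warning 'Dedicated dump file was not created; check the path, free space and that a reboot occurred.'
    }
    if ($result.OnSystemDrive) {
        Write-Warning 'Dedicated file is on the system drive; make sure this volume is not EWF-protected.'
    }
    [pscustomobject]$result
}
```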