How to configure Microsoft Windows Vista or Windows Server 2003 to produce a complete memory dump when the machine has more than 2 GB of memory.

Article ID: 151502

Products

Endpoint Protection Network Access Control

Issue/Introduction

Symantec Technical Support has requested a full memory dump from your Windows Vista or Server 2003 system to troubleshoot an issue. However, in the Startup and Recovery options there are only options for "Kernel Memory Dump" and "Small Memory Dump". You would like to know how to configure the system for a complete memory dump.

 

Resolution

How to enable a Full / Complete Memory Dump:
This can be set in one of two ways, either through the Control Panel or through the Registry.

Note 1: The following Microsoft document contains guidelines for the size of the paging file / virtual memory and Boot.ini details.
Thoroughly reviewing this document is strongly advised before initiating a memory dump:
 

How to generate a kernel or a complete memory dump file in Windows Server 2003
http://support.microsoft.com/kb/972110/en-us


How to generate a kernel or a complete memory dump file in Windows Server 2008
http://support.microsoft.com/kb/969028

Note 2: Ensure that the system / boot drive is large enough and has enough free space to store the entire contents of memory plus one megabyte for a full memory dump.
In general, if the system has 1GB of memory (1024 MB) the "Initial size" field should be at least 1025 (This is total system memory size plus 1MB.)

Note 3: For systems with more than 2GB of memory, some Boot.ini options may need to be set. See "Note 1" for best guidance.

Note 4: It is possible to modify the Boot.ini using MSConfig.exe. This method is not the recommended methodology. See "Note 1" for the recommended methodology.

    1. Under the "Boot.ini" tab, click the "Advanced options" button.
    2. Select / check mark the option "/MAXMEM".
    3. Enter the page file size as determined in "Note 1".
    4. If this system is Windows 2000, complete the section "GFlags".
    5. Reboot system to apply changes.



A) The Control Panel

    1. Double click the System applet -> Select the Advanced tab -> Located in the "Startup and Recovery" portion of the window, click the "Settings" button.
    2. Located in the "System failure" portion of the window, select / check mark the following item: "Write an event to the system log"
    3. Located in the "Write debugging information" portion of the window, select from the drop down items:
      1. "Complete memory dump" {If this option is not available, complete the section "Set the Memory Dump Type:" and reboot.}
    4. Select / check mark the following item: "Overwrite any existing file"
    5. Press OK
    6. Located in the "Performance" portion of the window, click the "Settings" button.
    7. Select the "Advanced" tab.
    8. Located in the "Virtual memory" portion of the window, click the "Change" button.
    9. Highlight the system drive (Typically the "C:" drive.)
    10. Located in the "Paging file size for selected drive" portion of the window, select the radio button "Custom size:"
    11. Keeping in mind the total system memory plus 100 MB, enter the appropriate values for "Initial size (MB):" and "Maximum size (MB):"
    12. Click the "Set" button.
    13. Click the "OK" button.
    14. Click the "OK" button.
    15. Click the "OK" button.
    16. If this system is Windows 2000, complete the section "GFlags".
    17. Reboot the system to apply all changes.



B) The Registry:

    1. Set the Virtual Memory / Paging File Size:
      {Even when you set the values properly through the Control Panel GUI, some systems don't retain your settings. If this happens, perform the following steps:}
      1. Start / Run Regedt32.exe (Do not use Regedit.exe)
      2. Navigate to the following registry key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
      3. Double-click the value "PagingFiles". The entry will appear as (For example):
        C:\pagefile.sys 700 700 {The first value is the location; the second is the minimum size in MB; and the third is the maximum size in MB.}
      4. Set the three values as required and click the "OK" button.
         
    2. Set the Memory Dump Type:
      1. Navigate to the following registry key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
      2. Right-click the value "CrashDumpEnabled"
      3. Set the value to "1"
      4. Click the "OK" button.
      5. Close the Registry Editor.
      6. If this system is Windows 2000, complete the section "GFlags".
      7. Reboot the system to apply all changes.
         
    Below are the options for "CrashDumpEnabled":
      • 1 = Complete Memory Dump
      • 2 = Kernel Memory Dump
      • 3 = Small Memory Dump
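
A read-only check of the settings from sections A and B, run before relying on the next crash to produce a complete dump. This is an added example, not part of the original article or any Symantec or Microsoft tooling; it assumes Windows PowerShell is installed (it uses Get-WmiObject), and the function names are hypothetical.

```powershell
# Added example: read-only check of the complete-dump prerequisites from this article.
# Assumes Windows PowerShell (Get-WmiObject). Function names are hypothetical.

function Test-PagingFileEntry {
    param([string]$Entry, [int]$RequiredMB, [string]$SystemDrive)
    # PagingFiles entry format: "<path> <initial size MB> <maximum size MB>"
    if ($Entry -match '^(?<path>.+?)\s+(?<min>\d+)\s+(?<max>\d+)$') {
        $onSystemDrive = $Matches['path'].StartsWith($SystemDrive, [StringComparison]::OrdinalIgnoreCase)
        return ($onSystemDrive -and ([int]$Matches['min'] -ge $RequiredMB))
    }
    return $false   # malformed or empty entry
}

function New-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

$crashKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$memoryKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

$sysDrive   = $env:SystemDrive   # for example "C:"
$ramMB      = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$requiredMB = $ramMB + 1         # Note 2: total system memory plus 1 MB
$disk       = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
$freeMB     = [math]::Floor($disk.FreeSpace / 1MB)

# Nothing is written to the registry; both keys are only read.
$dumpType    = (Get-ItemProperty -Path $crashKey).CrashDumpEnabled
$pagingFiles = @((Get-ItemProperty -Path $memoryKey).PagingFiles)
$pagingOk    = @($pagingFiles | Where-Object { Test-PagingFileEntry $_ $requiredMB $sysDrive }).Count -gt 0

$checks = @(
    (New-Check 'CrashDumpEnabled is 1 (Complete Memory Dump)' ($dumpType -eq 1) "value: $dumpType"),
    (New-Check "Paging file on $sysDrive has initial size >= $requiredMB MB" $pagingOk ($pagingFiles -join '; ')),
    (New-Check "Free space on $sysDrive >= $requiredMB MB" ($freeMB -ge $requiredMB) "free: $freeMB MB")
)
$checks | Select-Object Check, Pass, Detail | Format-Table -AutoSize -Wrap
```

Any row with Pass = False points back to the step in section A or B that still needs to be applied; registry changes only take effect after the reboot.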



C) GFlags
When a memory dump is created, system identifiers called "flags" need to be set for the processes in memory. These "flags" allow for more detailed analysis of the memory dump.
The "Gflags" utility is used to add this functionality and is installed by default on newer Microsoft operating systems.
On older operating systems, this functionality has to be added before the memory dump is generated.
 

    1. Run the Gflags.exe utility. If it is not on your system look in the SupportTools directory of your operating system media.
    2. Check the box "Enable pool tagging"
    3. Click OK
    4. Reboot



References
"How to configure system failure and recovery options in Windows." at: http://support.microsoft.com/kb/307973



Technical Information
A "Complete memory dump" is a dump of the contents of the "pagefile." Not all "System volumes" have enough space to hold a complete memory dump. As a result, on a computer running Microsoft Windows Server 2008 and Microsoft Windows Vista SP1, a dumpfile will not be generated.


Please refer to the following article from Microsoft for more information on how to overcome this situation:

"Kernel memory dump files may not be generated on Windows Server 2008-based and Windows Vista SP1-based computers when system memory is larger than the size of the page file." at:
http://support.microsoft.com/kb/949052

Complete memory dump generation is difficult if not impossible on Windows 2k/XP/2003 if the computer has over 2GB of RAM. It is possible to work around this issue by limiting the amount of memory visible to Windows. Two methods can be used to decrease the amount of visible memory to 2GB or less.

The first option is to use the /maxmem switch, which is detailed by Microsoft at the following link:

http://msdn.microsoft.com/en-us/library/ff557127.aspx

The second option, and the one recommended for Windows XP or 2003, is the /burnmemory switch. This is detailed by Microsoft at the following link:

http://msdn.microsoft.com/en-us/library/ff556246.aspx
 

Important: If Windows does not save a memory dump file after a crash, see the following Microsoft article: http://support.microsoft.com/kb/130536
