An Endpoint Protection system crashes, hangs or experiences another severe performance issue

Article ID: 170873

Products

Endpoint Protection

Issue/Introduction

A system running Symantec Endpoint Protection (SEP) crashes, hangs or experiences another severe performance issue, and you need to generate a complete memory dump to add to an existing Symantec Support case or to open a new one. This article covers the steps to generate the dump, including the preparatory steps required to ensure the resulting dump is not corrupt.

Resolution

If the issue concerns a hang or other severe performance issue on a virtualized system:

If the issue concerns a crash on either a virtualized or physical system, or a hang or other severe performance issue on a physical system:

  1. Open Registry Editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\.
  3. Double-click CrashDumpEnabled, change the value to 1 (1 = complete dump, 2 = kernel dump) and click OK.
  4. Close Registry Editor.
  5. Click the Start button, right-click Computer and select Properties. Click Advanced System Settings.
  6. In the Performance area, click the Settings... button.
  7. In the Performance Options window, navigate to the Advanced tab, then click the Change... button.
  8. Click the Custom size radio button, then set both Initial size (MB) and Maximum size (MB) to at least the amount of system memory + 257 MB, by entering the correct value in each field and clicking the "Set" button when done. E.g. if the system has 4 GB of memory, set both fields to (4 x 1024) + 257 = 4353 MB. If the system has 8 GB of memory, set both fields to (8 x 1024) + 257 = 8449 MB.
  9. After having made these changes, restart the system.
  10. Reproduce the issue that leads to the crash. Alternatively, if the issue concerns a hang, download https://download.sysinternals.com/files/NotMyFault.zip and unpack the archive to C:\Windows. Open a Command Prompt (cmd.exe) window and, without pressing Enter at the end, type in the command notmyfault /accepteula /crash. Reproduce the issue, return to the Command Prompt window and press Enter to forcefully crash the system.
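
The settings from steps 3 and 8 can be verified before the issue is reproduced. The following read-only PowerShell check is an added example, not part of the original Symantec article. It assumes the dump path is stored in the DumpFile value under CrashControl and that installed memory can be read from Win32_PhysicalMemory.

```powershell
# Added example (not from the Symantec article): read-only check of the dump
# prerequisites. Run it after the restart in step 9, before reproducing the issue.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Installed memory in bytes; fall back to usable memory if no module data is exposed.
$memBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
             Measure-Object -Property Capacity -Sum).Sum
if (-not $memBytes) { $memBytes = $cs.TotalPhysicalMemory }
$requiredMB = [math]::Ceiling($memBytes / 1MB) + 257   # step 8: memory + 257 MB

# Step 8: custom-size page file, Initial and Maximum both >= $requiredMB.
$pf = @(Get-CimInstance -ClassName Win32_PageFileSetting)  # empty if system managed
$bigEnough = @($pf | Where-Object {
    $_.InitialSize -ge $requiredMB -and $_.MaximumSize -ge $requiredMB })
if ($cs.AutomaticManagedPagefile -or $pf.Count -eq 0) {
    $pfActual = 'system managed (no custom size)'
} else {
    $pfActual = ($pf | ForEach-Object {
        "$($_.Name) $($_.InitialSize)/$($_.MaximumSize) MB" }) -join '; '
}

# Free space on the dump volume; a complete dump is about the size of memory.
$dumpFile = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)
$volume   = Get-PSDrive -Name $dumpFile.Substring(0, 1)
$freeMB   = [math]::Floor($volume.Free / 1MB)
$memMB    = [math]::Ceiling($memBytes / 1MB)

@(
    [pscustomobject]@{
        Check  = 'CrashDumpEnabled is 1 (complete dump)'        # step 3
        Actual = $cc.CrashDumpEnabled
        Pass   = ($cc.CrashDumpEnabled -eq 1)
    }
    [pscustomobject]@{
        Check  = "Page file Initial/Maximum >= $requiredMB MB"  # step 8
        Actual = $pfActual
        Pass   = (-not $cs.AutomaticManagedPagefile -and $bigEnough.Count -gt 0)
    }
    [pscustomobject]@{
        Check  = "Free space for $dumpFile >= $memMB MB"
        Actual = "$freeMB MB free"
        Pass   = ($freeMB -ge $memMB)
    }
) | Format-Table -AutoSize -Wrap
```

Any row with Pass = False means the corresponding step needs to be revisited before triggering the crash.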

Following this, upload the resulting dump to an existing case (or create a new case) using SymDiag:

  1. Download and run SymDiag: http://entced.symantec.com/symhelp/2/dl
  2. Click Collect Data for Support.
  3. In the Select Products section, tick Endpoint Protection Client and click Next.
  4. In the Select Data Type section, under Data Type, select All data, tick Choose additional files to collect and click Next.
  5. Below Choose additional files to collect, click the Browse... button, navigate to and select the dump created above (typically C:\Windows\MEMORY.DMP), then click the Open button, followed by the Next button.
  6. After the data collection has finished, enter your name, company, case number, contact information and a brief description of the issue and click the Open or Update a Support Case button. Enter user name and password, then click the Login button.