Create a full memory dump

Article ID: 179911

Products

Endpoint Protection

Issue/Introduction

Resolution

Overview

You need to create a full memory dump on a Windows computer, and provide the dump to Symantec. Before you begin, see Overview of memory dump file options for Windows on Microsoft.com for an overview and best practices of the memory dump process.

See How to configure system failure and recovery options in Windows for additional guidance.

Check the page file settings

  1. In Windows, navigate to Start > Control Panel > System > Advanced system settings. The System Properties window appears.
  2. In the Advanced tab, under Performance, click Settings.
  3. Click the Advanced tab.
  4. Under Virtual Memory, click Change.
  5. Ensure that the page file on the boot drive is large enough to store the entire contents of the computer's memory, plus one megabyte. For example, if the computer has 1 gigabyte of memory (1024 megabytes), the "Initial size" field should be at least 1025 MB (memory size plus 1 MB). Adjust the page file size if necessary.
  6. Click Set.
  7. Click OK.
  8. Dismiss any "reboot required" dialog boxes; you will restart later.
  9. Click OK.
  10. Leave the System Properties window open and proceed to the next section.

Enable complete memory dumps

A complete memory dump writes the entire contents of all system memory to disk. The standard rule of thumb to ensure that there is enough free disk space to capture a full memory dump is:

Free Disk Space = All of Physical Memory + 1 MB

If the computer itself cannot provide enough free disk space, you can attach an NTFS-formatted USB drive that has enough free disk space.
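The following script is an added example (not part of the original article) that checks the two sizing rules above on the local machine: the boot-drive page file "Initial size" must be at least physical memory plus 1 MB, and the boot volume must have at least that much free space for MEMORY.DMP. It is read-only and assumes PowerShell 3.0 or later on a Windows host where the CIM cmdlets are available.

```powershell
# Added pre-flight check (not from the original article). Read-only: nothing is changed.
$cs        = Get-CimInstance Win32_ComputerSystem
$ramMB     = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
$neededMB  = $ramMB + 1            # article's rule: all physical memory + 1 MB
$bootDrive = $env:SystemDrive      # e.g. "C:"

Write-Host ("Physical memory: {0} MB -> page file and free space must be >= {1} MB" -f $ramMB, $neededMB)

# 1. Page file on the boot drive
if ($cs.AutomaticManagedPagefile) {
    # Win32_PageFileSetting is empty when Windows manages the page file itself
    Write-Warning "Page file is system-managed; set an explicit Initial size on $bootDrive (see the steps above)."
} else {
    $pf = Get-CimInstance Win32_PageFileSetting | Where-Object { $_.Name -like "$bootDrive*" }
    if (-not $pf) {
        Write-Warning "No page file is configured on $bootDrive."
    } elseif ($pf.InitialSize -lt $neededMB) {
        Write-Warning ("Page file on {0} has Initial size {1} MB; raise it to at least {2} MB." -f $bootDrive, $pf.InitialSize, $neededMB)
    } else {
        Write-Host ("Page file on {0}: Initial size {1} MB, OK." -f $bootDrive, $pf.InitialSize)
    }
}

# 2. Free disk space on the boot volume (MEMORY.DMP is written to %SystemRoot% by default)
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$bootDrive'"
$freeMB = [math]::Floor($disk.FreeSpace / 1MB)
if ($freeMB -lt $neededMB) {
    Write-Warning ("Only {0} MB free on {1}; {2} MB required. Consider an NTFS-formatted USB drive for the dump." -f $freeMB, $bootDrive, $neededMB)
} else {
    Write-Host ("Free space on {0}: {1} MB, OK." -f $bootDrive, $freeMB)
}
```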

To enable complete memory dumps:

  1. In the System Properties window, under Startup and Recovery, click Settings.
  2. From the Write debugging information drop-down menu, select Complete memory dump.
  3. Check Overwrite any existing file.
  4. Click OK.
  5. A message about pagefile requirements may appear; if it does, click Yes.
  6. Click OK.

Note: If the Complete memory dump option is missing from the drop-down menu, you can enable it through the registry instead. See How to generate a kernel or a complete memory dump file in Windows Server on Microsoft.com for more information.
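As an added example (not from the original article or from Symantec), the script below audits the crash-dump settings that the Startup and Recovery dialog writes under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, and with -Enable switches them to the equivalent of "Complete memory dump" plus "Overwrite any existing file". Writing the values requires an elevated prompt, and the change takes effect after a reboot.

```powershell
# Added example (not from the original article). Run without -Enable to audit only.
param([switch]$Enable)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled values: 0 = none, 1 = complete, 2 = kernel, 3 = small (mini), 7 = automatic
$modes = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump';
            3 = 'Small memory dump'; 7 = 'Automatic memory dump' }
$mode = $modes[[int]$cc.CrashDumpEnabled]
if (-not $mode) { $mode = "Unknown ($($cc.CrashDumpEnabled))" }

Write-Host "CrashDumpEnabled : $($cc.CrashDumpEnabled) ($mode)"
Write-Host "Overwrite        : $($cc.Overwrite)"      # 1 = overwrite any existing file
Write-Host "DumpFile         : $($cc.DumpFile)"       # default is %SystemRoot%\MEMORY.DMP

if ($Enable) {
    if ($cc.CrashDumpEnabled -ne 1 -or $cc.Overwrite -ne 1) {
        Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 1 -Type DWord  # Complete memory dump
        Set-ItemProperty -Path $key -Name Overwrite        -Value 1 -Type DWord  # Overwrite any existing file
        Write-Host "Complete memory dump enabled; restart the computer for the change to take effect."
    } else {
        Write-Host "Complete memory dump is already enabled."
    }
}
```

The page file size still has to satisfy the rule in the previous section; the registry change alone does not guarantee a usable dump.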

After a blue screen crash

When a blue screen crash occurs, Windows writes the contents of system memory to the page file.

IMPORTANT: Write down the Stop Code displayed on-screen.

Upon restarting, a process called savedump.exe copies the contents from the page file to the MEMORY.DMP file on disk. Do not interrupt the savedump.exe process while it is running; otherwise the MEMORY.DMP file will be truncated and possibly corrupted.

To confirm that the memory dump has been completely written, watch the savedump.exe process in Task Manager until it exits.

The resulting MEMORY.DMP file can be quite large. However, most of its contents are zeroed memory, so it should compress to a much smaller size. A one gigabyte memory dump will usually compress down to 100-300 megabytes, which allows for much easier transfer across the network.

CAUTION: Some zip compression routines have been known to corrupt the original file if it is over 2GB in size. For original files over 2GB in size, Symantec recommends one of the following options:

  • Use RAR compression to compress the original file.
  • Copy the original file to a removable, NTFS-formatted USB drive and ship it to Symantec. Symantec's policy is to return the media once the data analysis is complete.

More on non-full memory dumps

The more complex the issue, the more detail that is required to effectively analyze and determine root cause. While kernel dumps or other types of memory dumps may contain the minimum data required, Symantec may require additional data to effectively determine root cause.

Depending on the primary function of the system that is experiencing the issue and generating the dump (DNS server, Exchange server, firewall, etc.), you may find that scheduling maintenance time to gather additional data is problematic. Further discussion may be necessary to decide what type of dump to generate.

Note: In general, a mini-dump (the Microsoft default) or an ADPlus dump is not informative enough for effective root cause analysis.

Technical information

To learn how to generate a kernel or a complete memory dump file in Windows Server 2008, see http://support.microsoft.com/kb/969028

Collecting a complete memory dump on Windows 2000, XP, or 2003 computers with over 2 GB of RAM can be difficult. You can work around this issue by limiting the amount of memory visible to Windows, using one of the following options:

For more detail on how to accomplish a full dump on these operating systems, see http://support.microsoft.com/kb/254649/

You may need to initiate the memory dump as an administrator if the issue under investigation does not cause the system to crash. There are two commonly accepted methodologies for causing a computer to generate a memory dump:

Attachments

BANG_v21.zip