You need to create a full memory dump on a Windows computer, and provide the dump to Symantec. Before you begin, see Overview of memory dump file options for Windows on Microsoft.com for an overview and best practices of the memory dump process.
See How to configure system failure and recovery options in Windows for additional guidance.
Memory dumps represent the entire contents of all system memory written to disk. The standard rule of thumb to ensure that there is enough free disk space to capture a full memory dump is:
If the computer itself cannot provide enough free disk space, you can attach an NTFS-formatted USB drive that has enough free disk space.
Note: If the Complete memory dump option is missing from the drop-down menu, you can enable it through the registry instead. See How to generate a kernel or a complete memory dump file in Windows Server on Microsoft.com for more information.
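The following read-only check is an added example, not a Symantec or Microsoft script. It reports whether a Complete memory dump is currently configured and whether the drive that will hold the dump has room for it. Assumptions: PowerShell 3.0 or later, the standard CrashControl registry key, and a threshold of free space at least equal to installed RAM, which is this example's own choice based on a full dump holding all of system memory.

```powershell
# Pre-flight check before a crash is forced or reproduced. Changes nothing.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values as documented by Microsoft.
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (mini-dump)'; 7 = 'Automatic' }
$mode      = [int]$cc.CrashDumpEnabled
$modeName  = if ($dumpTypes.ContainsKey($mode)) { $dumpTypes[$mode] } else { "Unknown ($mode)" }

# DumpFile may be absent or contain %SystemRoot%; fall back to the Windows default.
$dumpFile = if ($cc.DumpFile) { $cc.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }
$dumpFile = [Environment]::ExpandEnvironmentVariables($dumpFile)
$drive    = [System.IO.Path]::GetPathRoot($dumpFile).TrimEnd('\')   # for example C:

$ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$disk     = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
# AllocatedBaseSize is reported in megabytes, one entry per page file.
$pageMB   = (Get-CimInstance Win32_PageFileUsage |
             Measure-Object -Property AllocatedBaseSize -Sum).Sum

[pscustomobject]@{
    DumpType          = $modeName
    CompleteDumpSet   = ($mode -eq 1)
    DumpFile          = $dumpFile
    ExistingDump      = (Test-Path -LiteralPath $dumpFile)
    OverwriteAllowed  = ($cc.Overwrite -eq 1)
    DumpDriveIsNtfs   = ($disk.FileSystem -eq 'NTFS')
    RamGB             = [math]::Round($ramBytes / 1GB, 1)
    FreeGBOnDumpDrive = [math]::Round($disk.FreeSpace / 1GB, 1)
    PageFileGB        = [math]::Round($pageMB / 1024, 1)
    # Assumed threshold: free space on the dump drive >= installed RAM.
    RoomForFullDump   = ($disk.FreeSpace -ge $ramBytes)
}
```

If ExistingDump is True and OverwriteAllowed is False, move or rename the old MEMORY.DMP first so the new dump can be written.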
When a blue screen crash occurs, Windows writes the contents of system memory to the page file.
IMPORTANT: Write down the Stop Code displayed on-screen.
Upon restarting, a process called savedump.exe copies the contents from the page file to the MEMORY.DMP file on disk. Do not interrupt the savedump.exe process while it is running; otherwise the MEMORY.DMP file will be truncated and possibly corrupted.
To confirm that the memory dump has been completely written, watch the savedump.exe process in Task Manager until it finishes.
The resulting MEMORY.DMP file can be quite large. However, most of the contents are zeroed memory, so it should compress to a much smaller size. A one gigabyte memory dump will usually compress down to 100-300 megabytes, which makes it much easier to transfer across the network.
CAUTION: Some zip compression routines have been known to corrupt the original file if it is over 2GB in size. For original files over 2GB in size, Symantec recommends one of the following options:
The more complex the issue, the more detail is required to analyze it effectively and determine root cause. While kernel dumps or other types of memory dumps may contain the minimum data required, Symantec may require additional data to effectively determine root cause.
Depending on the primary function of the system that is experiencing the issue and generating the dump (DNS server, Exchange server, firewall, etc.), you may find that scheduling maintenance time to gather additional data is problematic. Further discussion may be necessary to decide what type of dump to generate.
Note: In general, a mini-dump (the Microsoft default) or an ADPlus dump is not informative enough for effective root cause analysis.
To learn how to generate a kernel or a complete memory dump file in Windows Server 2008, see http://support.microsoft.com/kb/969028
Collecting a complete memory dump on Windows 2000, XP, or 2003 computers with over 2 GB of RAM can be difficult. You can work around this issue by limiting the amount of memory visible to Windows, using one of the following options:
For more detail on how to accomplish a full dump on these operating systems, see http://support.microsoft.com/kb/254649/
You may need to initiate the memory dump as an administrator if the issue under investigation does not cause the system to crash. There are two commonly accepted methodologies for causing a computer to generate a memory dump:
bang [-s]
where -s indicates to automatically crash the system