All Products: How to Create a Full/Complete Memory Dump Via Keyboard

Article ID: 288109

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article describes how to configure a Windows endpoint so that a complete memory dump (crash dump) can be generated from the keyboard.

Environment

  • All Carbon Black Products
  • Microsoft Windows: All Supported Versions

Resolution

  1. Open Run or Command Prompt.
  2. Type SystemPropertiesAdvanced and press ENTER.
  3. In the Startup and Recovery section, click Settings.
  4. Under System Failure > Write debugging information, select Complete memory dump.
  5. Check Overwrite any existing file and make any desired changes to the "Dump file:" location.
  6. Click OK to save the settings and exit the Startup and Recovery window.
  7. Click OK to save and exit the System Properties window.
  8. Follow the procedure in this Microsoft article to enable keyboard crashing:
    • https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard
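
The same configuration applied from an elevated PowerShell prompt, as an added example that is not part of the original article or any Carbon Black tooling. The registry value names (CrashDumpEnabled, Overwrite, DumpFile, CrashOnCtrlScroll) are the standard Windows ones documented by Microsoft; the page-file check assumes the usual requirement that a complete dump needs a page file on the boot volume of at least RAM plus 1 MB.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): registry equivalent of the
# GUI steps above. A reboot is needed before the keyboard crash works.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpFile     = '%SystemRoot%\MEMORY.DMP'   # default location; edit to relocate

# Steps 4-5: complete memory dump (value 1), overwrite existing file, dump path.
Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $crashControl -Name Overwrite -Value 1 -Type DWord
Set-ItemProperty -Path $crashControl -Name DumpFile -Value $dumpFile -Type ExpandString

# Step 8: enable the keyboard crash for each keyboard driver that is present
# (PS/2, USB, Hyper-V). Drivers that are not installed are skipped so that no
# stray service keys are created.
foreach ($driver in 'i8042prt', 'kbdhid', 'hyperkbd') {
    $service = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver"
    if (-not (Test-Path $service)) { continue }
    $params = Join-Path $service 'Parameters'
    if (-not (Test-Path $params)) { New-Item -Path $params | Out-Null }
    Set-ItemProperty -Path $params -Name CrashOnCtrlScroll -Value 1 -Type DWord
    Write-Host "CrashOnCtrlScroll enabled for $driver"
}

# Assumption: a complete dump needs a boot-volume page file >= RAM + 1 MB.
# AllocatedBaseSize is reported in MB; TotalPhysicalMemory in bytes.
$ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageMB = (Get-CimInstance Win32_PageFileUsage |
    Where-Object { $_.Name -like "$env:SystemDrive\*" } |
    Measure-Object -Property AllocatedBaseSize -Sum).Sum
if ($pageMB -lt ($ramMB + 1)) {
    Write-Warning "Page file on $env:SystemDrive is $pageMB MB but RAM is $ramMB MB; it may be too small for a complete dump."
}

# Read the settings back to confirm what will be used at the next crash.
Get-ItemProperty -Path $crashControl |
    Select-Object CrashDumpEnabled, Overwrite, DumpFile
```

After the reboot, the crash is triggered by holding the rightmost CTRL key and pressing SCROLL LOCK twice, as described in the Microsoft article linked in step 8.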

 

Additional Information

  • The default location for the resulting crash dump file is C:\Windows\Memory.dmp
  • Resulting memory dumps can be provided to Carbon Black using CB Vault
  • This process is useful in situations where the endpoint is unresponsive (i.e., "hung")
  • Some keyboards (such as on some laptop models) may not have a SCROLL LOCK button. If this is the case, it's recommended to plug in an external keyboard that has that key and trigger the crash dump that way. 
  • Alternatively, if an external keyboard is not available, the hex values in the reg files can be modified to represent other available keys.