- How to open a Windows memory dump file MEMORY.DMP
- Viewing and analyzing a minidump file.
- Viewing the full memory dump MEMORY.DMP.
- Installing and configuring WinDBG.
- Viewing and analyzing the MEMORY.DMP file.
- Automatic Memory Dump
- How to read the small memory dump file that is created by Windows if a crash occurs
- Small memory dump files
- Configure the dump type
- Tools to read the small memory dump file
- Open the dump file
- Sample commands
- Examine the dump file
- Simplify the commands by using a batch file
- Overview of memory dump file options for Windows
- Summary
- Complete memory dump
- Kernel memory dump
- Small memory dump
- Configure the dump type
- Tools for the various dump types
- Volume definitions
- Registry values for startup and recovery
- Test to make sure that a dump file can be created
- Default dump type options
- Maximum paging file size
- Technical support for x64-based versions of Windows
How to open a Windows memory dump file MEMORY.DMP
Many people are familiar with the "blue screen of death", or BlueScreen. The blue screen appears when a critical error occurs in Windows and brings the operating system to a halt. At that moment the operating system creates a memory dump, writes debugging information into it, and adds a record to the event log.
Windows has two types of memory dump: the small dump (minidump) and the full dump.
The minidump is located in the C:\Windows\Minidump directory, and its name looks something like Mini051819-01.dmp.
The full dump is located in the C:\Windows folder and is called MEMORY.DMP.
Viewing and analyzing a minidump file.
To view and analyze a minidump file you can use the fairly simple and convenient BlueScreenView utility from Nirsoft, which can be downloaded from the official site https://www.nirsoft.net/utils/blue_screen_view.html .
To view a minidump, just drag the file into the program window and the debugging information loads immediately. The modules that caused the error are highlighted in red. In the case shown in the screenshot above it was the tcpip.sys driver.
Clicking the minidump file name lets you launch a Google search for a solution.
But this program cannot process the full Windows memory dump, memory.dmp.
Viewing the full memory dump MEMORY.DMP.
To view the contents of the full memory dump you need to open the MEMORY.DMP file with the WinDBG utility, which is part of the Microsoft Windows SDK. The utility can be downloaded from the official Microsoft site at this link https://developer.microsoft.com/ru-ru/windows/downloads/windows-10-sdk .
Installing and configuring WinDBG.
Run the Windows Software Development Kit installer and, at the component selection step, check "Debugging Tools for Windows".
On the first launch of WinDBG you need to configure the debugging symbol server.
1. Go to File > Symbol File Path and paste the string:
where C:\symbol_cache is the directory into which the symbols will be downloaded.
2. Save the setting: File > Save Workspace.
Viewing and analyzing the MEMORY.DMP file.
Open the MEMORY.DMP file: File > Open Crash Dump. The debugging symbols begin to load; while this happens the message Debuggee not connected is shown at the bottom.
When loading finishes, a hint appears: "to analyze this file, run !analyze -v".
Click on !analyze -v and the dump analysis starts. While it runs, the status bar shows *BUSY*.
When the Windows memory dump file has been processed, we need to find, in the information produced, the module that caused the failure. The faulting module can be found in the MODULE_NAME and IMAGE_NAME lines.
In my case the failure was in the srv.sys driver. In the MODULE_NAME line the name is shown as a link; clicking it brings up information about the module.
Once the driver responsible for the Windows failure and the "blue screen of death" has been identified, you should try to update it.
Most driver problems are resolved by updating the driver.
Automatic Memory Dump
An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is not in the dump file itself, but in the way that Windows sets the size of the system paging file.
If the system paging file size is set to System managed size, and the kernel-mode crash dump is set to Automatic Memory Dump, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time.
If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. The time of this event is recorded here in the Registry:
HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\LastCrashTime
The increased paging file size stays in place for 4 weeks and then returns to the smaller size. If you want to return to the smaller paging file before 4 weeks, you can delete the Registry entry.
To see the paging file settings, go to Control Panel > System and Security > System > Advanced system settings. Under Performance, select Settings. On the Advanced tab, under Virtual memory, select Change. In the Virtual Memory dialog box, you can see the paging file settings.
The Automatic Memory Dump file is written to %SystemRoot%\Memory.dmp by default.
The Automatic Memory Dump is available in Windows 8 and later.
Note: To suppress missing page error messages when debugging an Automatic Memory Dump, use the .ignore_missing_pages command.
How to read the small memory dump file that is created by Windows if a crash occurs
This article describes how to examine a small memory dump file. A small memory dump file can help you determine why your computer crashed.
Original product version: Windows 10 — all editions, Windows Server 2012 R2
Original KB number: 315263
If you are looking for debug information for Windows 8 or later, please check Debugging Tools for Windows (WinDbg, KD, CDB, NTSD). For more information about small memory dump, please check Small Memory Dump.
Small memory dump files
If your computer crashes, how can you find out what happened, fix the issue, and prevent it from happening again? You may find the small memory dump file useful in this situation. The small memory dump file contains the smallest amount of useful information that could help you identify why your computer crashed. The memory dump file contains the following information:
- The Stop message, its parameters, and other data
- A list of loaded drivers
- The processor context (PRCB) for the processor that stopped
- The process information and kernel context (EPROCESS) for the process that stopped
- The process information and kernel context (ETHREAD) for the thread that stopped
- The Kernel-mode call stack for the thread that stopped
To create a memory dump file, Windows requires a paging file on the boot volume that is at least 2 megabytes (MB) in size. On computers that are running Microsoft Windows 2000 or a later version of Windows, a new memory dump file is created each time the computer crashes. A history of these files is stored in a folder. If a second problem occurs and Windows creates a second small memory dump file, Windows preserves the previous file. Windows gives each file a distinct, date-encoded file name. For example, Mini022900-01.dmp is the first memory dump file that was generated on February 29, 2000. Windows keeps a list of all the small memory dump files in the %SystemRoot%\Minidump folder.
The small memory dump file can be useful when hard disk space is limited. However, because of the limited information that is included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.
Configure the dump type
To configure startup and recovery options to use the small memory dump file, follow these steps.
Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
Click Start, and then click Control Panel.
Double-click System, and then click Advanced system settings.
Click the Advanced tab, and then click Settings under Startup and Recovery.
In the Write debugging information list, click Small memory dump (64k).
To change the folder location for the small memory dump files, type a new path in the Dump File box or in the Small dump directory box (depending on your version of Windows).
Tools to read the small memory dump file
Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file has been created correctly.
The Dump Check Utility does not require access to debugging symbols. Symbol files hold a variety of data which are not actually needed when running the binaries, but which could be very useful in the debugging process.
For more information about how to use Dump Check Utility in Windows NT, Windows 2000, Windows Server 2003 or Windows Server 2008, see Microsoft Knowledge Base article 156280: How to Use Dumpchk.exe to check a memory dump file.
For more information about how to use Dump Check Utility in Windows XP, Windows Vista or Windows 7, see Microsoft Knowledge Base article 315271: How to use Dumpchk.exe to check a Memory Dump file.
Or, you can use the Windows Debugger (WinDbg.exe) tool or the Kernel Debugger (KD.exe) tool to read small memory dump files. WinDbg and KD.exe are included with the latest version of the Debugging Tools for Windows package.
To install the debugging tools, see the Download and Install Debugging Tools for Windows webpage. Select the Typical installation. By default, the installer installs the debugging tools in the following folder:
C:\Program Files\Debugging Tools for Windows
This Web page also provides access to the downloadable symbol packages for Windows. For more information about Windows symbols, see Debugging with Symbols, and the Download Windows Symbol Packages webpage.
For more information about dump file options in Windows, see Overview of memory dump file options for Windows.
Open the dump file
To open the dump file after the installation is complete, follow these steps:
Click Start, click Run, type cmd, and then click OK.
Change to the Debugging Tools for Windows folder. To do this, type the following at the command prompt, and then press ENTER:
To load the dump file into a debugger, type one of the following commands, and then press ENTER:
The following table explains the use of the placeholders that are used in these commands.
| Placeholder | Explanation |
|---|---|
| SymbolPath | Either the local path where the symbol files have been downloaded or the symbol server path, including a cache folder. Because a small memory dump file contains limited information, the actual binary files must be loaded together with the symbols for the dump file to be correctly read. |
| ImagePath | The path of these files. The files are contained in the I386 folder on the Windows XP CD-ROM. For example, the path may be C:\Windows\I386. |
| DumpFilePath | The path and file name for the dump file that you are examining. |
Sample commands
You can use the following sample commands to open the dump file. These commands assume the following:
- The contents of the I386 folder on the Windows CD-ROM are copied to the C:\Windows\I386 folder.
- Your dump file is named C:\Windows\Minidump\Minidump.dmp.
Sample 2. If you prefer the graphical version of the debugger instead of the command-line version, type the following command instead:
Examine the dump file
There are several commands that you can use to gather information in the dump file, including the following commands:
- The !analyze -show command displays the Stop error code and its parameters. The Stop error code is also known as the bug check code.
- The !analyze -v command displays verbose output.
- The lm N T command lists the specified loaded modules. The output includes the status and the path of the module.
The !drivers extension command displays a list of all drivers that are loaded on the destination computer, together with summary information about their memory use. The !drivers extension is obsolete in Windows XP and later. To display information about loaded drivers and other modules, use the lm command. The lm N T command displays information in a format that is similar to the old !drivers extension.
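The Stop code and its four parameters that !analyze -show reports are stored in the dump file's own header, so they can be read without symbols (the same kind of check Dumpchk performs). Both MEMORY.DMP and the kernel minidumps in %SystemRoot%\Minidump begin with this header. The following Python is an added example, not part of the Microsoft documentation: it validates the PAGEDUMP/PAGEDU64 signature and extracts the bug check data from a constructed header buffer. The field offsets are taken from the publicly known DUMP_HEADER / DUMP_HEADER64 layout and, like the sample values, are assumptions rather than anything on this page.

```python
import struct

# IMAGE_FILE_MACHINE_* values that appear in the header's MachineImageType field.
MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64"}
# DumpType values (assumed from the public DUMP_HEADER layout): 1 complete, 2 kernel, 4 small.
DUMP_TYPES = {1: "Complete memory dump", 2: "Kernel memory dump", 4: "Small memory dump"}
# A few well-known bug check codes, so the report reads like the !analyze -show Stop line.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
                  0x50: "PAGE_FAULT_IN_NONPAGED_AREA", 0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
                  0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}

# Assumed layout: after the 8-byte signature come MajorVersion, MinorVersion (build number),
# DirectoryTableBase, PfnDataBase, PsLoadedModuleList, PsActiveProcessHead, MachineImageType,
# NumberProcessors, BugCheckCode, BugCheckParameter1..4; the 64-bit form widens pointers/params.
LAYOUTS = {
    b"DUMP": (0x1000, "<IIIIIIIIIIIII", 0xF88),       # 32-bit header: one page, DumpType at 0xF88
    b"DU64": (0x2000, "<IIQQQQIIIxxxxQQQQ", 0xF98),    # 64-bit header: two pages, DumpType at 0xF98
}

def parse_dump_header(data: bytes) -> dict:
    """Validate the PAGEDUMP/PAGEDU64 signature and return the bug check summary."""
    tag = data[4:8]
    if data[:4] != b"PAGE" or tag not in LAYOUTS:
        raise ValueError("not a Windows kernel crash dump (no PAGEDUMP/PAGEDU64 signature)")
    size, fmt, dump_type_off = LAYOUTS[tag]
    if len(data) < size:
        raise ValueError(f"truncated header: {len(data)} bytes, expected {size}")
    f = struct.unpack_from(fmt, data, 8)
    dump_type = struct.unpack_from("<I", data, dump_type_off)[0]
    return {
        "bitness": 64 if tag == b"DU64" else 32,
        "major_version": f[0],
        "build_number": f[1],
        "machine": MACHINE_TYPES.get(f[6], hex(f[6])),
        "processors": f[7],
        "bugcheck_code": f[8],
        "bugcheck_name": BUGCHECK_NAMES.get(f[8], "UNKNOWN"),
        "bugcheck_params": list(f[9:13]),
        "dump_type": DUMP_TYPES.get(dump_type, f"unknown ({dump_type})"),
    }

def describe(info: dict) -> str:
    """One-line summary in the spirit of the Stop code line that !analyze -show prints."""
    width = 18 if info["bitness"] == 64 else 10
    params = " ".join(f"{p:#0{width}x}" for p in info["bugcheck_params"])
    return (f"{info['dump_type']}, {info['machine']}, build {info['build_number']}, "
            f"{info['processors']} CPUs: bug check {info['bugcheck_code']:#x} "
            f"{info['bugcheck_name']} ({params})")

def build_sample_dump() -> bytes:
    """Constructed 64-bit header for a hypothetical 0xD1 crash; not a real dump file."""
    buf = bytearray(0x2000)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into(LAYOUTS[b"DU64"][1], buf, 8,
                     15, 19041,                  # MajorVersion, build number (constructed)
                     0x1AD000, 0, 0, 0,          # DirectoryTableBase and kernel pointers (constructed)
                     0x8664, 4, 0xD1,            # x64, 4 processors, DRIVER_IRQL_NOT_LESS_OR_EQUAL
                     0xFFFF800000000010, 2, 0, 0xFFFFF80012345678)   # parameters 1..4 (constructed)
    struct.pack_into("<I", buf, 0xF98, 4)       # DumpType 4 = small (triage) dump
    return bytes(buf)

if __name__ == "__main__":
    print(describe(parse_dump_header(build_sample_dump())))
```

On a real file, pass the first 0x2000 bytes (0x1000 for a 32-bit dump) to parse_dump_header; a truncated or non-dump file is rejected instead of being misread.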
For help with other commands and for complete command syntax, see the debugging tools Help documentation. The debugging tools Help documentation can be found in the following location:
C:\Program Files\Debugging Tools for Windows\Debugger.chm
If you have symbol-related issues, use the Symchk utility to verify that the correct symbols are loaded correctly. For more information about how to use Symchk, see Debugging with Symbols.
Simplify the commands by using a batch file
After you identify the command that you must have to load memory dumps, you can create a batch file to examine a dump file. For example, create a batch file and name it Dump.bat. Save it in the folder where the debugging tools are installed. Type the following text in the batch file:
When you want to examine a dump file, type the following command to pass the dump file path to the batch file:
Overview of memory dump file options for Windows
This article describes memory dump file options for Windows.
Original product version: Windows 7 Service Pack 1, Windows Server 2012 R2
Original KB number: 254649
Summary
You can configure the following operating systems to write debugging information:
- Windows 7
- Windows Server 2012 R2
The debugging information can be written to different file formats (also known as memory dump files) when your computer stops unexpectedly because of a Stop error (also known as a blue screen, system crash, or bug check). You can also configure Windows not to write debugging information to a memory dump file.
Windows can generate any one of the following memory dump file types:
- Complete memory dump
- Kernel memory dump
- Small memory dump (64 KB)
- Automatic memory dump
Complete memory dump
A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may contain data from processes that were running when the memory dump was collected.
If you select the Complete memory dump option, you must have a paging file on the boot volume that is sufficient to hold all the physical RAM plus 1 megabyte (MB).
If the following conditions are true, the previous file is overwritten.
- A second problem occurs.
- Another complete memory dump (or kernel memory dump) file is created.
- In Windows 7, the paging file can be on a partition that differs from the partition on which the operating system is installed.
- In Windows 7, you do not have to use the DedicatedDumpFile registry entry to put a paging file onto another partition.
- The Complete memory dump option is not available on computers that are running a 32-bit operating system and that have 2 gigabytes (GB) or more of RAM. For more information, see Specify what happens when the system stops unexpectedly.
Kernel memory dump
A kernel memory dump records only the kernel memory. It speeds up the process of recording information in a log when your computer stops unexpectedly. You must have a pagefile large enough to accommodate your kernel memory. For 32-bit systems, kernel memory is usually between 150 MB and 2 GB.
This dump file doesn’t include unallocated memory or any memory that’s allocated to User-mode programs. It includes:
- Memory that’s allocated to the kernel and hardware abstraction layer (HAL) in Windows 2000 and later.
- Memory that’s allocated to Kernel-mode drivers and other Kernel-mode programs.
For most purposes, this dump file is the most useful. It’s smaller than the complete memory dump file. But it omits only those parts of memory that are unlikely to have been involved in the problem.
If the following conditions are true, the previous file is overwritten when the Overwrite any existing file setting is checked.
- A second problem occurs.
- Another kernel memory dump file (or a complete memory dump file) is created.
Small memory dump
A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly. This option requires a paging file of at least 2 MB on the boot volume and specifies that Windows 2000 and later create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder.
This dump file type includes the following information:
- The Stop message and its parameters and other data
- A list of loaded drivers
- The processor context (PRCB) for the processor that stopped
- The process information and kernel context (EPROCESS) for the process that stopped
- The process information and kernel context (ETHREAD) for the thread that stopped
- The Kernel-mode call stack for the thread that stopped
This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.
If the following conditions are true, the previous file is preserved.
- A second problem occurs.
- A second small memory dump file is created.
Each additional file is given a distinct name. The date is encoded in the file name. For example, Mini022900-01.dmp is the first memory dump generated on February 29, 2000. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder.
Configure the dump type
To configure startup and recovery options (including the dump type), follow these steps.
Because there are several versions of Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
- Click Start, and then click Control Panel.
- Click Performance and Maintenance, and then click System.
- On the Advanced tab, click Settings under Startup and Recovery.
You must restart Windows in order for your changes to take effect.
Tools for the various dump types
You can load complete memory dumps and kernel memory dumps with standard symbolic debuggers, such as I386kd.exe. I386kd.exe is included with the Windows 2000 Support CD-ROM.
Load small memory dumps by using Dumpchk.exe. You can also use Dumpchk.exe to verify that a memory dump file has been created correctly.
Volume definitions
Boot volume: The volume that contains the Windows operating system and its support files. The boot volume can be, but doesn’t have to be, the same as the system volume.
System volume: The volume that contains the hardware-specific files that you must have to load Windows. The system volume can be, but doesn’t have to be, the same as the boot volume. The Boot.ini, Ntdetect.com, and Ntbootdd.sys files are examples of files that are located on the system volume.
Registry values for startup and recovery
The following registry value is used under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl.
- CrashDumpEnabled REG_DWORD 0x0 = None
- CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump
- CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump
- CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64 KB)
- CrashDumpEnabled REG_DWORD 0x7 = Automatic memory dump
Additional registry values for CrashControl:
- AutoReboot REG_DWORD 0x1
- DumpFile REG_EXPAND_SZ %SystemRoot%\Memory.dmp
- LogEvent REG_DWORD 0x1
- MinidumpDir REG_EXPAND_SZ %SystemRoot%\Minidump
- Overwrite REG_DWORD 0x1
- SendAlert REG_DWORD 0x1
You must restart Windows in order for your changes to take effect.
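To audit these values across hosts without opening each one in Regedit, the following Python, an added example rather than anything from the article, parses a reg.exe export of the CrashControl key and reports the effective dump type using the table above. The .reg format stores REG_EXPAND_SZ as hex(2): UTF-16LE bytes split over backslash-continued lines, which the parser handles; the export it reads is constructed inline, and the reading of LogEvent as "record the crash in the System event log" is an assumption, since the article lists the value without describing it.

```python
import re

# CrashDumpEnabled values, as listed for the CrashControl key.
DUMP_TYPES = {0: "None", 1: "Complete memory dump", 2: "Kernel memory dump",
              3: "Small memory dump (64 KB)", 7: "Automatic memory dump"}

def parse_reg_export(text: str) -> dict:
    """Read the values of a .reg export (reg.exe / Regedit format) into Python objects.
    Handles dword:, hex(2): (REG_EXPAND_SZ as UTF-16LE bytes) and quoted strings, and
    first re-joins the backslash-continued hex lines that reg.exe writes."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    values = {}
    for m in re.finditer(r'^"([^"]+)"=(.+)$', joined, re.M):
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
            values[name] = data.decode("utf-16-le").rstrip("\0")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[name] = raw[1:-1].replace("\\\\", "\\")
    return values

def audit_crash_control(values: dict) -> list:
    """Describe the effective dump configuration and flag settings that lose crash evidence."""
    kind = values.get("CrashDumpEnabled", 0)
    dump_file = values.get("DumpFile", r"%SystemRoot%\Memory.dmp")       # page default
    minidump_dir = values.get("MinidumpDir", r"%SystemRoot%\Minidump")   # page default
    findings = [f"CrashDumpEnabled={kind:#x}: {DUMP_TYPES.get(kind, 'unknown value')}"]
    if kind == 0:
        findings.append("WARNING: no memory dump is written on a Stop error, so there is nothing to analyze")
    elif kind == 3:
        findings.append(f"one minidump per crash is kept in {minidump_dir}")
    else:
        findings.append(f"the dump is written to {dump_file}")
        if values.get("Overwrite", 1) == 1:
            findings.append("Overwrite=1: the next crash replaces this file; copy it off first")
    if values.get("LogEvent", 1) != 1:   # assumed meaning: write the crash to the System event log
        findings.append("WARNING: LogEvent=0, the crash is not recorded in the System event log")
    return findings

def expand_sz(s: str, per_line: int = 16) -> str:
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: hex(2): of the NUL-terminated
    UTF-16LE bytes, wrapped onto continuation lines ending in a backslash."""
    pairs = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    lines = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return "hex(2):" + ",\\\n  ".join(lines)

# Constructed export of a host set to Automatic memory dump (not taken from a real machine).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]",
    '"AutoReboot"=dword:00000001',
    '"CrashDumpEnabled"=dword:00000007',
    '"DumpFile"=' + expand_sz(r"%SystemRoot%\Memory.dmp"),
    '"LogEvent"=dword:00000001',
    '"MinidumpDir"=' + expand_sz(r"%SystemRoot%\Minidump"),
    '"Overwrite"=dword:00000001',
    '"SendAlert"=dword:00000001', ""])

if __name__ == "__main__":
    for line in audit_crash_control(parse_reg_export(SAMPLE_EXPORT)):
        print(line)
```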
Test to make sure that a dump file can be created
For more information about how to configure your computer to generate a dump file for testing purposes, see Windows feature lets you generate a memory dump file by using the keyboard.
Default dump type options
- Windows 7 (All Editions): Kernel memory dump
- Windows Server 2012 R2 (All Editions): Automatic memory dump
Maximum paging file size
Maximum paging file size is limited as follows:
| Limit | x86 | x64 | IA-64 |
|---|---|---|---|
| Maximum size of a paging file | 4 gigabytes (non-PAE); 16 terabytes (PAE) | 16 terabytes | 32 terabytes |
| Maximum number of paging files | 16 | 16 | 16 |
| Total paging file size | 64 gigabytes (non-PAE); 256 terabytes (PAE) | 256 terabytes | 512 terabytes |
Technical support for x64-based versions of Windows
Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.