- .dump (Create Dump File)
- Parameters
- Kernel Mode Options
- Additional Information
- Remarks
- Varieties of Kernel-Mode Dump Files
- Analyzing a Kernel-Mode Dump File with WinDbg
- Starting WinDbg
- Analyzing the Dump File
- Generate a kernel or complete crash dump
- Set up page files
- Enable memory dump setting
- Tips to generate memory dumps
- Manually generate a memory dump file
- Use the NotMyFault tool
- Use NMI
.dump (Create Dump File)
The .dump command creates a user-mode or kernel-mode crash dump file.
Parameters
Options
Represents one or more of the following options.
/a
Create dumps for all processes (requires -u).
/b[a]
Package dump in a CAB and delete dump. Additional information is included if the a option is specified.
/c
Add a comment (not supported in all formats).
/j
Provide a JIT_DEBUG_INFO address.
/o
Overwrites an existing dump file with the same name. If this option is not used and there is a file with the same file name, the dump file is not written.
/u
Append unique identifier to dump name.
/f[FullOptions]
(Kernel mode:) Creates a complete memory dump.
(User mode:) Creates a full user-mode dump. For more information, see Varieties of User-Mode Dump Files. Despite their names, the largest minidump file actually contains more information than a full user-mode dump. For example, .dump /mf or .dump /ma creates a larger and more complete file than .dump /f. In user mode, .dump /m[MiniOptions] is always preferable to .dump /f.
You can add the following FullOptions to change the contents of the dump file; the option is case-sensitive.
FullOption | Effect |
---|---|
y | Adds AVX register information to the dump file. |
/m[MiniOptions]
Creates a small memory dump (in kernel mode) or a minidump (in user mode). For more information, see User-Mode Dump Files. If neither /f nor /m is specified, /m is the default.
In user mode, /m can be followed with additional MiniOptions specifying extra data that is to be included in the dump. If no MiniOptions are included, the dump will include module, thread, and stack information, but no additional data. You can add any of the following MiniOptions to change the contents of the dump file; they are case-sensitive.
MiniOption | Effect |
---|---|
a | Creates a minidump with all optional additions. The /ma option is equivalent to /mfFhut: it adds full memory data, handle data, unloaded module information, basic memory information, and thread time information to the minidump. Any failure to read inaccessible memory results in termination of the minidump generation. |
A | The /mA option is equivalent to /ma except that it ignores any failure to read inaccessible memory and continues generating the minidump. |
f | Adds full memory data to the minidump. All accessible committed pages owned by the target application will be included. |
F | Adds all basic memory information to the minidump. This adds a stream to the minidump that contains all basic memory information, not just information about valid memory. This allows the debugger to reconstruct the complete virtual memory layout of the process when the minidump is being debugged. |
h | Adds data about the handles associated with the target application to the minidump. |
u | Adds unloaded module information to the minidump. This is available only in Windows Server 2003 and later versions of Windows. |
t | Adds additional thread information to the minidump. This includes thread times, which can be displayed by using the !runaway extension or the .ttime (Display Thread Times) command when debugging the minidump. |
i | Adds secondary memory to the minidump. Secondary memory is any memory referenced by a pointer on the stack or backing store, plus a small region surrounding this address. |
p | Adds process environment block (PEB) and thread environment block (TEB) data to the minidump. This can be useful if you need access to Windows system information regarding the application’s processes and threads. |
w | Adds all committed read-write private pages to the minidump. |
d | Adds all read-write data segments within the executable image to the minidump. |
c | Adds code sections within images. |
r | Deletes from the minidump those portions of the stack and store memory that are not useful for recreating the stack trace. Local variables and other data type values are deleted as well. This option does not make the minidump smaller (because these memory sections are simply zeroed), but it is useful if you want to protect the privacy of other applications. |
R | Deletes the full module paths from the minidump. Only the module names will be included. This is a useful option if you want to protect the privacy of the user’s directory structure. |
y | Adds AVX register information to the dump file. |
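The following added example, which is not part of the original documentation, reads a user-mode minidump's header flags and stream directory to report which MiniOptions the file was written with; that is worth checking before a dump leaves the machine it was taken on. The pairing of option letters with flag bits follows dbghelp's MINIDUMP_TYPE enum and is an assumption of this example, `inspect_minidump` and `build_sample` are hypothetical names, and the sample bytes are constructed.

```python
import struct

# MINIDUMP_TYPE bits from dbghelp.h, paired with the .dump MiniOption letter
# that requests each one. The letter-to-bit pairing is this example's assumption.
OPTION_BITS = [
    (0x0001, "d"), (0x0002, "f"), (0x0004, "h"), (0x0008, "r"),
    (0x0020, "u"), (0x0040, "i"), (0x0080, "R"), (0x0100, "p"),
    (0x0200, "w"), (0x0800, "F"), (0x1000, "t"), (0x2000, "c"),
]
# Stream types that hold the data /ma adds (MINIDUMP_STREAM_TYPE values).
STREAM_NAMES = {
    9: "Memory64ListStream",         # f: full memory
    12: "HandleDataStream",          # h: handle data
    14: "UnloadedModuleListStream",  # u: unloaded modules
    16: "MemoryInfoListStream",      # F: basic memory information
    17: "ThreadInfoListStream",      # t: thread times
}
HEADER = struct.Struct("<4sIIIIIQ")  # MINIDUMP_HEADER, 32 bytes
DIRENT = struct.Struct("<III")       # MINIDUMP_DIRECTORY: type, size, rva


def inspect_minidump(data: bytes) -> dict:
    """Report which MiniOptions a user-mode minidump was written with."""
    if len(data) < HEADER.size or data[:4] != b"MDMP":
        raise ValueError("not a user-mode minidump (MDMP signature missing)")
    _, _, count, dir_rva, _, _, flags = HEADER.unpack_from(data, 0)
    if dir_rva + count * DIRENT.size > len(data):
        raise ValueError("stream directory runs past end of file")
    streams, truncated = [], []
    for i in range(count):
        stype, size, rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        name = STREAM_NAMES.get(stype, f"stream {stype}")
        streams.append(name)
        if rva + size > len(data):      # directory points outside the file
            truncated.append(name)
    options = "".join(letter for bit, letter in OPTION_BITS if flags & bit)
    return {
        "options": options,
        "streams": streams,
        "truncated": truncated,
        "equivalent_to_ma": set("fFhut") <= set(options),
        # f and w put process memory in the file; r and R are the page's
        # privacy options, so their absence matters before a dump is shared.
        "holds_process_memory": bool(set("fw") & set(options)),
        "stack_filtered": "r" in options,
        "paths_filtered": "R" in options,
    }


def build_sample(flags: int, stream_types: list) -> bytes:
    """Constructed test input: a header plus empty streams, not a real dump."""
    header = HEADER.pack(b"MDMP", 0xA793, len(stream_types), HEADER.size, 0, 0, flags)
    end = HEADER.size + DIRENT.size * len(stream_types)
    directory = b"".join(DIRENT.pack(t, 0, end) for t in stream_types)
    return header + directory


if __name__ == "__main__":
    sample = build_sample(0x1826, [3, 4, 9, 12, 14, 16, 17])  # bits for f, F, h, u, t
    print(inspect_minidump(sample))
```

A kernel-mode dump does not carry the MDMP signature, so the function rejects it instead of guessing at its contents.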
Kernel Mode Options
The following options are available in kernel mode.
/k
Create a dump with kernel memory only.
/ka
Create a dump with active kernel and user mode memory.
Additional Information
For a description of kernel-mode dump files and an explanation of their use, see Kernel-Mode Dump Files. For a description of user-mode dump files and an explanation of their use, see User-Mode Dump Files.
Remarks
This command can be used in a variety of situations:
During live user-mode debugging, this command directs the target application to generate a dump file, but the target application does not terminate.
During live kernel-mode debugging, this command directs the target computer to generate a dump file, but the target computer does not crash.
During crash dump debugging, this command creates a new crash dump file from the old one. This is useful if you have a large crash dump file and want to create a smaller one.
You can control what type of dump file will be produced:
In kernel mode, to produce a complete memory dump, use the /f option. To produce a small memory dump, use the /m option (or no options). The .dump command cannot produce a kernel memory dump.
In user mode, .dump /m[MiniOptions] is the best choice. Although "m" stands for "minidump", the dump files created by using this MiniOption can vary in size from very small to very large. By specifying the proper MiniOptions you can control exactly what information is included. For example, .dump /ma produces a dump with a great deal of information. The older command, .dump /f, produces a moderately large "standard dump" file and cannot be customized.
You cannot specify which process is dumped. All running processes will be dumped.
The /xc, /xr, /xp, and /xt options are used to store exception and context information in the dump file. This allows the .ecxr (Display Exception Context Record) command to be run on this dump file.
The following example will create a user-mode minidump, containing full memory and handle information:
Handle information can be read by using the !handle extension command.
Varieties of Kernel-Mode Dump Files
There are five settings for kernel-mode crash dump files:
The difference between these dump files is one of size. The Complete Memory Dump is the largest and contains the most information, including some User-Mode memory. The Active Memory Dump is somewhat smaller but contains similar information for most purposes. The Kernel Memory Dump is smaller still and typically omits User-Mode memory, and the Small Memory Dump is only 64 KB in size.
If you select Automatic Memory Dump, the dump file is the same as a Kernel Memory Dump, but Windows has more flexibility in setting the size of the system paging file.
The advantage to the larger files is that, since they contain more information, they are more likely to help you find the cause of the crash.
The advantage of the smaller files is that they are smaller and written more quickly. Speed is often valuable; if you are running a server, you may want the server to reboot as quickly as possible after a crash, and the reboot will not take place until the dump file has been written.
After a Complete Memory Dump or Kernel Memory Dump has been created, it is possible to create a Small Memory Dump file from the larger dump file. See the .dump (Create Dump File) command for details.
Note: Much information can be obtained by analyzing a kernel-mode dump file. However, no kernel-mode dump file can provide as much information as actually debugging the crash directly with a kernel debugger.
Analyzing a Kernel-Mode Dump File with WinDbg
Kernel-mode memory dump files can be analyzed by WinDbg. The processor or Windows version that the dump file was created on does not need to match the platform on which KD is being run.
Starting WinDbg
To analyze a dump file, start WinDbg with the -z command-line option:
windbg -y SymbolPath -i ImagePath -z DumpFileName
The -v option (verbose mode) is also useful. For a full list of options, see WinDbg Command-Line Options.
If WinDbg is already running and is in dormant mode, you can open a crash dump by selecting the File | Open Crash Dump menu command or pressing the CTRL+D shortcut key. When the Open Crash Dump dialog box appears, enter the full path and name of the crash dump file in the File name text box, or use the dialog box to select the proper path and file name. When the proper file has been chosen, select Open.
You can also open a dump file after the debugger is running by using the .opendump (Open Dump File) command, followed with g (Go).
It is possible to debug multiple dump files at the same time. This can be done by including multiple -z switches on the command line (each followed by a different file name), or by using .opendump to add additional dump files as debugger targets. For information about how to control a multiple-target session, see Debugging Multiple Targets.
Dump files generally end with the extension .dmp or .mdmp. You can use network shares or Universal Naming Convention (UNC) file names for the memory dump file.
It is also common for dump files to be packed into a CAB file. If you specify the file name (including the .cab extension) after the -z option or as the argument to an .opendump command, the debugger can read the dump files directly out of the CAB. However, if there are multiple dump files stored in a single CAB, the debugger will only be able to read one of them. The debugger will not read any additional files from the CAB, even if they were symbol files or other files associated with the dump file.
Analyzing the Dump File
If you are analyzing a Kernel Memory Dump or a Small Memory Dump, you may need to set the executable image path to point to any executable files that may have been loaded in memory at the time of the crash.
Analysis of a dump file is similar to analysis of a live debugging session. See the Debugger Commands reference section for details on which commands are available for debugging dump files in kernel mode.
In most cases, you should begin by using !analyze. This extension command performs automatic analysis of the dump file and can often result in a lot of useful information.
The .bugcheck (Display Bug Check Data) shows the bug check code and its parameters. Look up this bug check in the Bug Check Code Reference for information about the specific error.
The following debugger extensions are especially useful for analyzing a kernel-mode crash dump:
For techniques that can be used to read specific kinds of information from a dump file, see Extracting Information from a Dump File.
Generate a kernel or complete crash dump
A system crash (also known as a "bug check" or a "Stop error") occurs when Windows can't run correctly. The dump file that is produced from this event is called a system crash dump.
A manual kernel or complete memory dump file is useful when you troubleshoot several issues because the process captures a record of system memory at the time of a crash.
Set up page files
See Support for system crash dumps for the page file size requirement for a system crash dump.
Enable memory dump setting
You must be logged on as an administrator or a member of the Administrators group to complete this procedure. If your computer is connected to a network, network policy settings may prevent you from completing this procedure.
To enable the memory dump setting, follow these steps:
In Control Panel, select System and Security > System.
Select Advanced system settings, and then select the Advanced tab.
In the Startup and Recovery area, select Settings.
Make sure that Kernel memory dump or Complete memory dump is selected under Writing Debugging Information.
Restart the computer.
You can change the dump file path by editing the Dump file field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp.
Tips to generate memory dumps
When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed.
Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time. Even in a best case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This can cause a prolonged server outage.
Use this method to generate complete memory dump files with caution. Ideally, you should do this only when you are explicitly requested to by the Microsoft Support engineer. Any kernel or complete memory dump file debugging should be the last resort after all standard troubleshooting methods have been completely exhausted.
Manually generate a memory dump file
Use the NotMyFault tool
If you can log on while the problem is occurring, you can use the Microsoft Sysinternals NotMyFault tool. To do this, follow these steps:
Select Start, and then select Command Prompt.
At the command line, run the following command:
This operation generates a memory dump file and a D1 Stop error.
Use NMI
On some computers, you cannot use the keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard is not attached to the HP BladeSystem server.
In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor.
To do this, follow these steps:
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
In Registry Editor, locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
Right-click CrashControl, point to New, and then click DWORD Value.
Type NMICrashDump, and then press Enter.
Right-click NMICrashDump, and then select Modify.
In the Value data box, type 1, and then select OK.
Restart the computer.
Hardware vendors, such as HP, IBM, and Dell, may provide an Automatic System Recovery (ASR) feature. You should disable this feature during troubleshooting. For example, if the HP and Compaq ASR feature is enabled in the BIOS, disable this feature while you troubleshoot to generate a complete Memory.dmp file. For the exact steps, contact your hardware vendor.
Enable the NMI switch in the BIOS or by using the Integrated Lights Out (iLO) Web interface.
For the exact steps, see the BIOS reference manual or contact your hardware vendor.
Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
If you want to run NMI in Microsoft Azure using Serial Console, see Use Serial Console for SysRq and NMI calls.