Karell
2 Intern
2.5K Posts
December 13th, 2001 14:00
Thank you for using the DellTalk forum.
Here is some info on memory dumps.
----------------------------------------------------------------------------------------
Windows 2000 Memory Dump Options Overview
Article ID: Q254649
--------------------------------------------------------------------------------
The information in this article applies to:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
--------------------------------------------------------------------------------
SUMMARY
You can configure Windows 2000 to generate any one of the following three dump file types:
Complete memory dump
Kernel memory dump
Small memory dump (64 KB)
MORE INFORMATION
Complete Memory Dump
A complete memory dump records the entire contents of system memory when the system stops unexpectedly. If you choose this option, you must have a paging file on the boot volume large enough to hold all of the physical RAM plus one megabyte (MB). The complete memory dump file is written to the %SystemRoot%\Memory.dmp file by default.
If a second problem occurs and another complete memory dump (or kernel memory dump) file is created, the previous file is overwritten. NOTE: The complete memory dump is limited to 2GB.
Kernel Memory Dump
A kernel memory dump records only the kernel memory, which speeds up the process of recording information in a log when the system stops unexpectedly. Depending on the amount of RAM in your computer, you must have from 50 MB to 800 MB available for the paging file, or one-third the size of the physical memory on the system available on the boot volume.
This dump file does not include unallocated memory or any memory allocated to User-mode programs. It includes only memory allocated to the Windows 2000 kernel and hardware abstraction level (HAL), as well as memory allocated to Kernel-mode drivers and other Kernel-mode programs. For most purposes, this crash dump is the most useful. It is significantly smaller than the complete memory dump, but it omits only those portions of memory that are unlikely to have been involved in the problem. The kernel memory dump file is written to the %SystemRoot%\Memory.dmp file by default.
If a second problem occurs and another kernel memory dump (or complete memory dump) file is created, the previous file is overwritten.
Small Memory Dump
A small memory dump records the smallest set of useful information that may help identify why the system stopped unexpectedly. This option requires a paging file of at least 2 MB on the boot volume and specifies that Windows 2000 create a new file each time the system stops unexpectedly. A history of these files is stored in a folder.
This dump file type includes the following information:
The stop message and parameters, as well as other data
A list of loaded drivers
The processor context (PRCB) for the processor that stopped
The process information and kernel context (EPROCESS) for the process that stopped
The process information and kernel context (ETHREAD) for the thread that stopped
The Kernel-mode call stack for the thread that stopped
This kind of dump file can be useful when space is limited. However, because of the limited amount of information included, errors that were not directly caused by the thread running at the time of the problem may not be discovered by an analysis of this file.
If a second problem occurs and a second small memory dump file is created, the previous file is preserved. Each additional file is given a distinct name, which contains the date encoded in the file name. For example, Mini022900-01.dmp is the first memory dump generated on February 29, 2000. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder.
Configuring the Dump Type
To configure startup and recovery options (including the dump type):
Click Start, point to Settings, and then click Control Panel.
Double-click System.
On the Advanced tab, click Startup and Recovery.
Tools for the Various Dump Types
You can load complete and kernel memory dumps with standard symbolic debuggers (such as I386kd.exe included with the Windows 2000 Support CD-ROM).
Load small memory dumps by using Dumpchk.exe, which is included with the Windows 2000 Support CD-ROM. Additional information is available in the Windows 2000 Debugging Tools documentation at the following Microsoft Web site:
http://www.microsoft.com/ddk/ddkdocs/Win2KDB/
The latest version of the Windows 2000 Debugging tools is available at the following Microsoft Web site:
http://www.microsoft.com/ddk/debugging/default.asp
Definitions
Boot Volume: The volume that contains the Windows 2000 operating system and its support files. The boot volume can be, but does not have to be, the same as the system volume.
System Volume: The volume that contains the hardware-specific files needed to load Windows 2000. The system volume can be, but does not have to be, the same as the boot volume. The Boot.ini, Ntdetect.com, and Ntbootdd.sys files are examples of files that are located on the system volume.
Registry Values for Startup and Recovery
The following registry value is used:
HKLM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled REG_DWORD 0x0 = None
CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump
CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump
CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64KB)
Additional registry values for CrashControl:
0x0 = Disabled
0x1 = Enabled
AutoReboot REG_DWORD 0x1
DumpFile REG_EXPAND_SZ %SystemRoot%\Memory.dmp
LogEvent REG_DWORD 0x1
MinidumpDir REG_EXPAND_SZ %SystemRoot%\Minidump
Overwrite REG_DWORD 0x1
SendAlert REG_DWORD 0x1
Testing to Ensure That a Dump File Can Be Created
For information about this test, see the following article in the Microsoft Knowledge Base:
Q244139 Windows 2000 Feature Allows a Memory.dmp File to Be Generated
Default Dump Type Options
Windows 2000 Professional: Small dump (64 KB)
Windows 2000 Server: Complete dump
Windows 2000 Advanced Server: Complete dump
-------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------
How to Use Dumpchk.exe to Check a Memory Dump File (Q156280)
--------------------------------------------------------------------------------
The information in this article applies to:
Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
Microsoft Windows NT Server versions 3.5, 3.51, 4.0
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
--------------------------------------------------------------------------------
SUMMARY
Dumpchk is a command-line utility you can use to verify that a memory dump file has been created correctly. Dumpchk does not require access to symbols. Dumpchk is located in the following locations:
Windows NT 4.0 CD-ROM:
Support\Debug\ \Dumpchk.exe
Windows 2000 and later CD-ROM:
Install the Support Tools by running Setup.exe from the Support\Tools folder on the CD-ROM. By default, Dumpchk.exe is installed to the Program Files\Support Tools folder.
MORE INFORMATION
Dumpchk has the following command-line switches:
DUMPCHK [options]
-? Display the command syntax.
-p Prints the header only (with no validation).
-v Specifies verbose mode.
-q Performs a quick test. Not available in the Windows 2000 or Windows XP version.
Additional switches that are only available in the Windows 2000 and Windows XP versions of Dumpchk.exe:
-c Do dump validation.
-x Extra file validation. Takes several minutes.
-e Do dump exam.
-y Set the symbol search path for dump exam.
If the symbol search path is empty, the CD-ROM
is used for symbols.
-b Set the image search path for dump exam.
If the symbol search path is empty, \system32
is used for symbols.
-k Set the name of the kernel to File.
-h Set the name of the hal to File.
Dumpchk displays some basic information from the memory dump file, then verifies all the virtual and physical addresses in the file. If any errors are found in the memory dump file, Dumpchk reports them. The following is an example of the output of a Dumpchk command:
Filename . . . . . . .memory.dmp
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .1057
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0xffbae000
PsLoadedModuleList . .0x801463d0
PsActiveProcessHead. .0x801462c8
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe131d948
BugCheckParameter2 . .0x00000000
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x80146e1c
NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0x1f5e
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x9e
Run #2
BasePage . . . . . .0x100
PageCount. . . . . .0xec0
Run #3
BasePage . . . . . .0x1000
PageCount. . . . . .0x1000
**************
**************--> Validating the integrity of the PsLoadedModuleList
**************
**************
**************--> Performing a complete check (^C to end)
**************
**************
**************--> Validating all physical addresses
**************
**************
**************--> Validating all virtual addresses
**************
**************
**************--> This dump file is good!
**************
If, during any portion of the output displayed above, there is an error, the dump file is corrupted and no analysis can be performed.
In this example, the most important information (from a debugging standpoint) is the following:
MajorVersion . . . . .free system
MinorVersion . . . . .1057
MachineImageType . . .i386
NumberProcessors . . .1
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe131d948
BugCheckParameter2 . .0x00000000
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x00000000
This information can be used to determine what Kernel STOP Error occurred and, to a certain extent, what version of Windows NT was in use.
The information in this article is from the Windows NT Resource Kit. For more information on Dumpchk.exe and other debugging utilities, see Appendix A in the Windows NT 3.51 Resource Kit Update and Update 2.
For additional information, please see the following article in the Microsoft Knowledge Base:
Article-ID: Q119490
TITLE : Checking Crashdump File for Corruption
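An added example (not part of the quoted articles or the original post) that audits the CrashControl values listed under "Registry Values for Startup and Recovery" from a regedit export, using the paging file rules and the 2GB limit stated in the first article. The sample export, the function names and the finding texts are constructed for illustration; the export uses the full key path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl, and the kernel dump figure applies only the article's one-third guideline.

```python
import re

# CrashDumpEnabled values as listed in the article.
DUMP_TYPES = {0: "None", 1: "Complete memory dump",
              2: "Kernel memory dump", 3: "Small memory dump (64KB)"}

# Constructed sample: regedit (version 5.00) export of the CrashControl key.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000001
"DumpFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,4d,00,65,00,6d,00,6f,00,72,00,79,00,2e,00,64,00,6d,00,70,\
  00,00,00
"LogEvent"=dword:00000000
"Overwrite"=dword:00000001
'''

def parse_reg_export(text):
    """Read "name"=dword: and "name"=hex(2): lines of an export into a dict."""
    text = re.sub(r"\\\r?\n\s*", "", text)       # join continued hex lines
    values = {}
    for m in re.finditer(r'^\s*"([^"]+)"=(dword|hex\(2\)):(\S*)', text, re.M):
        name, kind, raw = m.groups()
        if kind == "dword":
            values[name] = int(raw, 16)
        else:                                    # REG_EXPAND_SZ, UTF-16LE bytes
            data = bytes(int(b, 16) for b in raw.split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
    return values

def audit(values, ram_mb):
    """Return (dump type, minimum paging file in MB, findings) per the article."""
    mode = values.get("CrashDumpEnabled")
    findings = []
    if mode == 1:
        min_pagefile = ram_mb + 1                # all physical RAM plus 1 MB
        if ram_mb > 2048:
            findings.append("complete dump is limited to 2GB; RAM is larger")
    elif mode == 2:
        min_pagefile = ram_mb // 3               # one-third of RAM guideline
    elif mode == 3:
        min_pagefile = 2
    else:
        min_pagefile = 0
        findings.append("no dump type is configured")
    if mode in (1, 2) and values.get("Overwrite"):
        findings.append("next crash overwrites the previous Memory.dmp")
    if not values.get("LogEvent"):
        findings.append("LogEvent is disabled")
    return DUMP_TYPES.get(mode, "unknown"), min_pagefile, findings
```

Calling `audit(parse_reg_export(SAMPLE), 4096)` reports a complete dump on a machine whose RAM exceeds the 2GB limit, so the collected Memory.dmp cannot hold all of memory and is replaced by the next crash.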
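An added example (not from the quoted article or the original post) that parses Dumpchk output like the sample shown above, pulls out the fields the article calls most important, and cross-checks the header: the number of runs against NumberOfRuns and the sum of the PageCount values against NumberOfPages. The input is constructed from the article's example output (abridged); the function names and the 4096-byte i386 page size are assumptions of this example.

```python
import re

PAGE_SIZE = 4096  # assumption: i386 page size (MachineImageType is i386)
FIELD = re.compile(r"^\s*(\w+)[ .]*\.(\S.*)$")   # "Name . . . .value"

# Constructed input: the article's example output, abridged.
SAMPLE = """\
MajorVersion . . . . .free system
MinorVersion . . . . .1057
MachineImageType . . .i386
BugCheckCode . . . . .0xc000021a
BugCheckParameter1 . .0xe131d948
NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0x1f5e
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x9e
Run #2
BasePage . . . . . .0x100
PageCount. . . . . .0xec0
Run #3
BasePage . . . . . .0x1000
PageCount. . . . . .0x1000
**************--> This dump file is good!
"""

def parse_dumpchk(text):
    """Split Dumpchk output into header fields and per-run page ranges."""
    header, runs = {}, []
    for line in text.splitlines():
        m = FIELD.match(line)
        if re.match(r"\s*Run #\d+", line):
            runs.append({})
        elif m:
            key, val = m.group(1), m.group(2).strip()
            if re.fullmatch(r"0x[0-9a-fA-F]+", val):
                val = int(val, 16)
            (runs[-1] if runs else header)[key] = val
    return header, runs

def triage(text):
    """Return the STOP details plus any inconsistencies in the dump header."""
    header, runs = parse_dumpchk(text)
    problems = []
    if len(runs) != header.get("NumberOfRuns"):
        problems.append("run count does not match NumberOfRuns")
    if sum(r.get("PageCount", 0) for r in runs) != header.get("NumberOfPages"):
        problems.append("PageCount total does not match NumberOfPages")
    if "This dump file is good!" not in text:
        problems.append("Dumpchk did not report the dump as good")
    return {"stop": "0x%08x" % header["BugCheckCode"],
            "build": header.get("MinorVersion"),
            "memory_mb": header.get("NumberOfPages", 0) * PAGE_SIZE / 2**20,
            "problems": problems}
```

For the article's sample the three runs add up to 0x1f5e pages, about 31.4 MB of captured physical memory, so the header is internally consistent.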