It seems collecting memory dumps on Windows 7 has its own challenges.
First things first – engineers always get the best information from a full memory dump, but Windows 7 defaults the dump type to Kernel Memory Dump. One of the first steps in preparing machines for testing or development is changing the dump type to Complete Memory Dump. One can do this via Control Panel->System and Security->System->Advanced System Settings->Startup and Recovery->Settings->Write Debugging Information->Complete Memory Dump.
In case that option is not available (perhaps because you have more than 2GB of RAM), you can set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled REG_DWORD value to 1. Another elegant way to achieve this on WinXP+ machines is by issuing the following WMI command in an elevated command prompt –
wmic recoveros set DebugInfoType=1
Much of the above is not Windows 7 specific and is in no way radically different from prior iterations of Windows. But let us say you have set the right dump type and saw the memory dump complete, yet you cannot locate the dump file (typically named memory.dmp) on the system. Where did the dump file go?
While memory contents are dumped to the page file when we see the blue screen, they are written to the memory.dmp file only after reboot. And depending on the if-then-else logic that applies to the machine, the dump file may be deleted right after the crash data is optionally sent to Microsoft. To keep the file you will have to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AlwaysKeepMemoryDump REG_DWORD value to 1.
If you see your machine freeze as if it has crashed but you do not see the blue screen, check whether a debugger is attached, or whether remote debug settings are turned on with no debugger attached. What if you find that the machine cannot be broken into, or you know remote debug settings were turned off on the machine anyway? If you have put any drivers under Driver Verifier, you may see this behavior. So when you turn off /debug and /bootdebug, take care to remove all Driver Verifier settings as well to get the machine to dump correctly.
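The settings above (CrashDumpEnabled, the wmic DebugInfoType equivalent, AlwaysKeepMemoryDump) and the freeze-without-bluescreen checks (bcdedit debug/bootdebug, Driver Verifier) can be audited from one script. The following PowerShell is an added example, not code from the original post: it reads the crash-dump configuration, optionally applies the two registry values discussed, and reports whether kernel debugging or Driver Verifier is configured. It must run in an elevated PowerShell session on the machine being prepared; the function names, the -Apply switch and the output layout are this example's own conventions, and the Driver Verifier values are read from the Memory Management key where verifier stores them rather than by parsing verifier's console output.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# Windows 7 crash-dump settings discussed above, then report the debugger and
# Driver Verifier state that can keep a frozen machine from ever writing a dump.
# Run in an elevated PowerShell session; the registry writes and bcdedit need it.
# Function names and the -Apply switch are this example's own conventions.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$MemoryMgmt   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# CrashDumpEnabled (registry) and DebugInfoType (WMI, used by "wmic recoveros")
# share this scale on Windows 7.
$DumpTypeNames = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }

function Get-CrashDumpConfig {
    $reg = Get-ItemProperty -Path $CrashControl
    $wmi = Get-WmiObject -Class Win32_OSRecoveryConfiguration
    New-Object PSObject -Property @{
        CrashDumpEnabled     = $reg.CrashDumpEnabled
        DumpTypeName         = $DumpTypeNames[[int]$reg.CrashDumpEnabled]
        AlwaysKeepMemoryDump = $reg.AlwaysKeepMemoryDump   # $null when the value was never set
        DumpFile             = $reg.DumpFile               # usually %SystemRoot%\MEMORY.DMP
        WmiDebugInfoType     = $wmi.DebugInfoType          # what "wmic recoveros" reads and writes
    }
}

function Set-CompleteDumpAndKeep {
    # CrashDumpEnabled=1 selects Complete Memory Dump even when the Control Panel
    # drop-down hides that option (for example on machines with more than 2 GB of RAM).
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    # AlwaysKeepMemoryDump=1 stops Windows 7 from deleting memory.dmp after the
    # post-reboot error report.
    Set-ItemProperty -Path $CrashControl -Name AlwaysKeepMemoryDump -Value 1 -Type DWord
}

function Get-DebugAndVerifierState {
    # bcdedit prints lines such as "debug      Yes" and "bootdebug      Yes" for the
    # current boot entry; a missing line means the setting is off.
    $bcd = (bcdedit /enum "{current}" 2>&1) | Out-String
    # Driver Verifier keeps its configuration in these two values; an empty or
    # missing VerifyDrivers means no driver is under verifier.
    $mm = Get-ItemProperty -Path $MemoryMgmt
    New-Object PSObject -Property @{
        KernelDebugOn   = [bool]($bcd -match '(?m)^debug\s+Yes')
        BootDebugOn     = [bool]($bcd -match '(?m)^bootdebug\s+Yes')
        VerifierDrivers = $mm.VerifyDrivers
        VerifierLevel   = $mm.VerifyDriverLevel
        VerifierActive  = -not [string]::IsNullOrEmpty($mm.VerifyDrivers)
    }
}

function Test-DumpReadiness {
    param([switch]$Apply)
    if ($Apply) { Set-CompleteDumpAndKeep }

    $dump = Get-CrashDumpConfig
    $dbg  = Get-DebugAndVerifierState

    Write-Host ("Dump type               : {0} ({1})" -f $dump.CrashDumpEnabled, $dump.DumpTypeName)
    Write-Host ("AlwaysKeepMemoryDump    : {0}" -f $dump.AlwaysKeepMemoryDump)
    Write-Host ("Dump file               : {0}" -f $dump.DumpFile)
    Write-Host ("bcdedit debug/bootdebug : {0}/{1}" -f $dbg.KernelDebugOn, $dbg.BootDebugOn)
    Write-Host ("Driver Verifier         : {0}" -f $(if ($dbg.VerifierActive) { $dbg.VerifierDrivers } else { 'none' }))

    # Findings matching the failure modes described in the post.
    if ($dump.CrashDumpEnabled -ne 1) {
        Write-Warning 'Not set to Complete Memory Dump; rerun with -Apply or set CrashDumpEnabled=1.'
    }
    if ($dump.AlwaysKeepMemoryDump -ne 1) {
        Write-Warning 'memory.dmp may be deleted after reboot; set AlwaysKeepMemoryDump=1.'
    }
    if ($dbg.KernelDebugOn -or $dbg.BootDebugOn) {
        Write-Warning 'Kernel/boot debugging is enabled: a crash may freeze waiting for a debugger instead of writing a dump.'
    }
    if ($dbg.VerifierActive) {
        Write-Warning 'Driver Verifier is active; clear its settings (verifier /reset) once /debug and /bootdebug are off.'
    }
}

# Audit only; add -Apply to set CrashDumpEnabled=1 and AlwaysKeepMemoryDump=1.
Test-DumpReadiness
```

Run it once before a test cycle and again after a reboot: a machine that reports Complete memory dump, AlwaysKeepMemoryDump 1, debug/bootdebug False/False and no verified drivers is the state in which the memory.dmp described above should actually appear after a crash.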
Now if you are running Windows 7 in a VMWare 6.5.x environment, another thing you could see on your screen is a dump-time hang that looks like the following –