Investigating a memory leak we have to get a full memory dump under certain conditions. Setting the Windows pagefile is descriped in the post „Set Windows pagefile size“.
Dump File
- Relocate; configuration, test
- Registry (PS)
- CIM/WMI (PS)
There are six differet levels of Windows debugging information, which can be viwed and set in Windows System Properties:
(Windows System Properties > Advanced > Startup and Recovery)
Windows Registry
The current path to the Windows dump file is in the Registry. This can be viewed and changed in Registry Editor (RegEdit):
(Registry Editor: Windows Dump File path)
The path to the registry keys is:HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\.
Get and Set
Get the Dump File with path:
$DumpFile = (Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl -Name DumpFile).DumpFile
The result is a simple string (System.String) with the default value „%SystemRoot%\MEMORY.DMP“.
Set the Dump File by a string with the complete value
[string]$DumpfileName = 'F:\MEMORY.DMP'
Set-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl -Name DumpFile -Value $DumpfileName
The new value will be effective with the next boot of the computer (host).
Generate dump
Get SysInternals NotMyFault.exe and start a console as administrator. Run notmyfault64.exe
... and click "Crash". This will create a "Blue Screen Of Death" (BSOD)
The collection will take several minutes.
When Windows start again and you log on there is a message from the Shutdown Event Tracker
It has no technical consequense so you can just click "Cansel".
The dump file is placed on the custom location given above. To analyze the dump file you should move it to a workstation with tools like WinDBG.
Reference
Microsoft: Overview of memory dump file options for Windows
SevenForums.com: Dump File – Change Default Location
Posts
