Windows 2003 crash dump file


















The dump file that is produced from this event is called a system crash dump. A manual kernel or complete memory dump file is useful when you troubleshoot several issues because the process captures a record of system memory at the time of a crash.

See Support for system crash dumps for the page file size requirement for system crash dump. You must be logged on as an administrator or a member of the Administrators group to complete this procedure.

If your computer is connected to a network, network policy settings may prevent you from completing this procedure. Select Advanced system settings, and then select the Advanced tab. Make sure that Kernel memory dump or Complete memory dump is selected under Writing Debugging Information. You can change the dump file path by editing the Dump file field.

When the computer crashes and restarts, the contents of physical RAM are written to the paging file that is located on the partition on which the operating system is installed. Depending on the speed of the hard disk on which Windows is installed, dumping more than 2 gigabytes (GB) of memory may take a long time.

Even in a best case scenario, if the dump file is configured to reside on another local hard drive, a significant amount of data will be read and written to the hard disks. This can cause a prolonged server outage. But for the sake of discussion we'll disregard those possibilities as well.

That function freed pool memory, which is in kernel space. I'm not positive that it freed the memory that was later referenced that caused the machine to crash, but I'm highly suspicious of it. It is typically drivers that allocate and deallocate pool memory. The people who write drivers have to be extremely careful about allocating and deallocating memory, because if you don't do it perfectly, you either cause a memory leak or you crash the machine.

If you look here, you'll see the parameters of your bug check code. Windbg identified sptd. I'm guessing Windbg figured that sptd. But I could be wrong about that. I'm not sure how Windbg derives that information. The information is not guaranteed to be accurate in any case, but sptd.

Edit: Looks like you can find updated versions of sptd.

By default, all Windows systems are configured to attempt to record information about the state of the system when the system crashes. You can see these settings by opening the System tool in Control Panel, and then in the System Properties dialog box, click the Advanced tab and then click the Startup And Recovery button.

Figure Crash dump settings.

Complete memory dump: A complete memory dump contains all of physical memory at the time of the crash. This type of dump requires that a page file be at least the size of physical memory plus 1 MB for a header. Because it can require an inordinately large page file on large memory systems, this type of dump file is the least common setting.

Windows NT 4 supported only this type of crash dump file. This is the default setting for Windows Server systems. This type of dump doesn't contain pages belonging to user processes.

Because only kernel-mode code can directly cause Windows to crash, however, it's unlikely that user process pages are necessary to debug a crash. In addition, all data structures relevant for crash dump analysis (including the list of running processes, stack of the current thread, and list of loaded drivers) are stored in nonpaged memory that is saved in a kernel memory dump. There is no way to predict the size of a kernel memory dump because its size depends on the amount of kernel-mode memory allocated by the operating system and drivers present on the machine.

Small memory dump: A small memory dump (the default on Windows Professional), which is 64 KB in size KB on bit systems and is also called a minidump or triage dump, contains the stop code and parameters, the list of loaded device drivers, the data structures that describe the current process and thread (called the EPROCESS and ETHREAD, described in Chapter 6), and the kernel stack for the thread that caused the crash.

While a complete memory dump is a superset of the other options, it has the drawback that its size tracks the amount of physical memory on a system and can therefore become unwieldy. It's not unusual for large server systems to have several gigabytes of memory, resulting in crash dump files that are too large to be uploaded to an FTP server or burned onto a CD. Because user mode code and data are not used during the analysis of most crashes (because crashes originate as a result of problems in kernel memory, and system data structures reside in kernel memory), much of the data stored in a complete memory dump is not relevant to analysis and therefore contributes wastefully to the size of a dump file.

On systems with more RAM, it is reasonable to expect that the dump file will be larger. There is no way to predict the exact size of a kernel memory dump.

When you configure kernel memory dumps, the system checks to see if the page file is large enough. There are some guidelines for the minimum page file size needed for kernel memory dumps; however, given that the size of kernel mode memory will vary, there is no accurate measure for the maximum.

The default minimum page file sizes for kernel dumps are shown below:

If you are concerned about setting the maximum page file size too low to be able to capture a kernel dump, the only way to get a better estimate would be to force a manual crash using the CrashOnCtrlScroll method described in Microsoft KB Article. Once the system has rebooted, check to see if a kernel dump was generated and check the size. This is because the maximum kernel-mode address space available on bit systems is 2GB.

In addition to correctly sizing the page file, you also need to ensure that you have sufficient free disk space for the actual dump file itself to be written. Unlike the page file used to capture the dump, the dump file itself can be written to a different local volume by changing the location in the Dump File field. If there is a need to maintain multiple dumps of an issue, then you should uncheck the "Overwrite any existing file" box as well.

However, please remember that this may put a strain on free disk space over time.

Let's take a quick moment and talk about how the dump files themselves are generated. All of the settings available in the GUI can be modified via the registry as shown below:

A quick tangent here - if you have a system with more than 2GB of RAM, the option for a complete memory dump is not available in the GUI drop down as you can see from this image.


