It depends on the type of dump. A complete dump has all physical
memory, there is no notion of in-use or not. A kernel-only memory dump
will only save physical memory considered in-use by the kernel, which is
why the size varies.
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jimosr
Sent: Sunday, September 24, 2006 9:53 AM
To: Kernel Debugging Interest List
Subject: RE: [windbg] Converting pagefile.sys to memory.dmp?
Drew,
Interesting…
Could it be that the dmp file generated would only represent the memory
in use?
On Fri, 22 Sep 2006 18:01:21 -0700, Drew Bliss wrote
There are three kernel dump options.
A complete dump has to be at least the size of physical memory to be
valid.
A kernel-only memory dump varies in size according to kernel memory
usage.
A small dump is 256KB or less.
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jimosr
Sent: Friday, September 22, 2006 3:32 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] Converting pagefile.sys to memory.dmp?
I’ll asume you mean “Complete memeory dump”.
I have these on in the shop, and so far the largest I’ve seen is about
200M on boxes with 512M.
The bad new is because of paging, things will still not be in there
that you might want to see.
That is even if not truncated, you will still get errors about miss
items, because they were paged out at the time of the dump.
On Fri, 22 Sep 2006 13:43:01 -0700, Drew Bliss wrote
> When the system boots after a crash the page file contains the dump.
That’s detected when page files are getting set up during boot and the
page file content gets preserved. If you’re recovering that saved page
file then it should be a valid dump. In that case a truncation warning
from the debugger means that the file really is smaller than it should
be. That my be because your page file was too small in the first place
and the dump didn’t fit.
>
> Is this a full kernel dump? If so it should be the size of physical
memory plus a bit, so if the file size is equal to or smaller than
physical memory it really is truncated. What is the setting for the
size of the page file? How much physical memory is there?
>
>
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Taed Wynnell
> Sent: Friday, September 22, 2006 11:14 AM
> To: Kernel Debugging Interest List
> Subject: [windbg] Converting pagefile.sys to memory.dmp?
>
>
> I’m looking at a crash that happens so early in the boot that it
doesn’t even get to the point where it calls SaveDump to generate the
memory.dmp file.
> However, WinDbg does an acceptable job of being able to read the
pagefile.sys as a memory.dmp file. But there’s some oddities that I
don’t know if they’re due to it not being a “true” memory.dmp or because
of the nature of the crash.
> It starts by reporting:
> WARNING: Dump file has been truncated. Data may be missing.
> So, it does realize something is different about the dump.
> But then later I can’t look at certain memory areas, but that might
be the nature of the crash.
> So, is there a way to manually invoke SaveDump on another machine
(where I have the crashed hard drive mounted as a secondary disk) to
convert the file? Or is there some other way to do the same thing?
> Or is WinDbg really supporting the pagefile.sys as a memory dump and
that’s really just a spurious warning that I shouldn’t be concerned
with?
> —
> You are currently subscribed to windbg as: unknown lmsubst tag
argument: ‘’
> To unsubscribe send a blank email to
xxxxx@lists.osr.com
> —
> You are currently subscribed to windbg as: unknown lmsubst tag
argument: ‘’
> To unsubscribe send a blank email to
xxxxx@lists.osr.com
Jim Donelson
You are currently subscribed to windbg as: unknown lmsubst tag
argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
You are currently subscribed to windbg as: unknown lmsubst tag
argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
Jim Donelson
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com
