Forcing pagefile.sys -> memory.dmp

I watch as memory is written out due to a crash during a BSOD.

I then boot into another partition so that I can delete the offending driver
and then reboot into the same partition that caused the crash dump to be
written to pagefile.sys.

Roughly 30% of the time no memory.dmp is created/overwritten.

Yes, I’m requesting a full dump upon a crash.

Does anyone on this list know how to convert pagefile.sys to memory.dmp? In
the alternative, how can I guarantee that a memory.dmp is created?

Or is memory.dmp nothing more than a renamed pagefile.sys?

Ralph Shnelvar

If you are not getting a memory.dmp file, there isn’t one in the page
file. This can occur when the dump writing process is interrupted for
any reason - for example, if an error occurs.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
Sent: Wednesday, February 09, 2005 12:10 AM
To: ntdev redirect
Subject: [ntdev] Forcing pagefile.sys -> memory.dmp

I watch as memory is written out due to a crash during a BSOD.

I then boot into another partition so that I can delete the offending
driver
and then reboot into the same partition that caused the crash dump to be
written to pagefile.sys.

Roughly 30% of the time no memory.dmp is created/overwritten.

Yes, I’m requesting a full dump upon a crash.

Does anyone on this list know how to convert pagefile.sys to memory.dmp?
In
the alternative, how can I guarantee that a memory.dmp is created?

Or is memory.dmp nothing more than a renamed pagefile.sys?

Ralph Shnelvar


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Tony:

On Wed, 9 Feb 2005 00:28:55 -0500, you wrote:

>If you are not getting a memory.dmp file, there isn’t one in the page
>file.

Tony, I’m sorry, that just doesn’t seem to jibe with my experience.

It also doesn’t jibe with other people’s experience, as well.

Here’s a typical link:
http://groups-beta.google.com/group/comp.os.ms-windows.nt.misc/browse_thread/thread/b1d1871da83e14f0/6d02628efeb63e7c?q=%22memory.dmp%22&_done=%2Fgroups%3Fq%3D%22memory.dmp%22%26num%3D100%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#6d02628efeb63e7c

>This can occur when the dump writing process is interrupted for
>any reason - for example, if an error occurs.

But the dump writing process completed. Really. Honest.

I have 512MB of RAM on this laptop. I sit there and watch the 100 (decimal)
records being written out.

In fact, this last time I actually sat there with my digital camera and took
pictures of the dump process. I even managed to get a picture of it when it
reads “Dumping physical memory to disk: 99”. It completes the operation at
100. Pictures available upon request.

Alas, this time memory.dmp was produced. But I promise on all that is holy
to programmers everywhere that often the memory.dmp is not produced even
when “dumping physical memory to disk” has completed successfully and we get
the message “physical memory dump complete”.

Here’s what’s even weirder. After a couple of reboots, memory.dmp seems to
appear. The following are the details.

(1) baddriver.sys does not exist in c:\windows\system32\drivers.
baddriver.sys is not installed.

(2) Boot into XP Home (on C:) and attempt to install baddriver.sys.
Installation fails because the driver crashes in DriverEntry.

(3) Boot into XP Professional (on D:) and look for memory.dmp. Sometimes
the latest memory.dmp isn’t there.

(4) Delete c:\windows\system32\drivers\baddriver.sys

(5) Boot into XP Home (on C:) in safe mode. XP Home now comes up because
baddriver.sys is not in the system. Shut down XP Home normally.

(6) Boot into XP Professional (on D:). Miraculously, the correct memory.dmp
has been created.

Weird, huh?

Anyway, that’s the way I remember it because it happened that way at 5:30
a.m. today.

Is there a way to convert pagefile.sys to memory.dmp? That is, once the
“dumping physical memory to disk” has completed and one then boots into
*another* Windows partition (thus eliminating the corruption of pagefile.sys
because one has specified that the page file be on the same partition as the
OS), can one take the data in pagefile.sys and convert it to memory.dmp?
Clearly, the OS knows how to do it. Is this functionality exposed?

Regards,

Ralph Shnelvar


I think you’ve misunderstood how it works:
Pagefile.sys is only converted to memory.dmp once the system reboots, and
only when that same pagefile.sys is being used. I’m pretty sure that you
could do something like:
Boot from C:
crash due to DriverEntry crashing.
boot into safe mode on C: [Assuming your driver isn’t loaded in safe mode,
of course].
look at memory.dmp


Mats


Or use the recovery console to delete the offending driver. The scenario he
outlines is exactly what should happen: the first time he manages to boot
from C: without crashing the dump is extracted from pagefile.sys on C: and
written to memory.dmp. End of story.

=====================
Mark Roddy


If the crashdump storage driver doesn’t flush the disk’s write caches to
media before rebooting, the crash data will not be complete when
NTLoader tries to recover the dump file because the disk gets hard-reset
as the system comes back up. Basically, NTLoader will not be able to
recover a dump file from the pagefile if the disk media is not written.
Disable write caching on the drive (if you can do that) and see what
happens.

Q: Does anyone know why the OS adds this extra step of copying from
pagefile to dumpfile at next boot instead of just writing to the darn
dump file at the time of the crash?

If you have two separate OS installs on C and D, and then crash the OS
on C, I wouldn’t expect you to get the dump file until you reboot into
the same OS. Booting into D and not getting a dump file probably occurs
because the two OS installs most likely have separate pagefiles.

MKE.


Ah, so you believe that just because it says the dump is 100% complete
this is in fact the case, right? And you probably believe fast mutexes
really ARE fast, fast I/O relates to I/O and again is fast, and the
hypercritical work queue is the appropriate one for your work, too! :wink:

Until the dump header is written to the paging file, the dump is not
complete. EVEN IF you can get the bits (beyond block zero, which is the
dump header) out of the paging file, you don’t have the key data
structures from the dump header to make sense of the rest of it. I CAN
tell you that the dump block signature is the 8 byte string “PAGEDUMP”
(at least on x86. Since the format is different on other platforms,
your mileage may vary). Beyond that, though, I’m not sure as to the
specific meaning of the header.

I suppose another possible cause of this problem is that savedump.exe is
broken in some fashion. This is the program that actually opens the
page file, validates its contents and copies it into the appropriate
location. Of course, if it fails, it reports that information in the
obvious place - the Event Log.

My suspicion is that you don’t get a dump because it writes physical
memory but not the dump header, which makes the whole dump worthless.
As always, I could be wrong, but if that’s the case you’ll need to wait
for someone else to step up to the plate.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class April
4, 2005 in Boston!
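
A triage check for the header described in the message above, as an added example that is not code from the thread or from OSR: it reads block zero of a pagefile.sys copied from an offline volume and reports whether the 8-byte "PAGEDUMP" signature is present. The "PAGEDU64" variant, the 4 KiB block size and the BugCheckCode offset 0x28 are assumptions taken from the publicly known 32-bit header layout, not from the thread; the sample block is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE     4096u  /* assumption: the header sits in the first 4 KiB block */
#define OFF_BUGCHECK32 0x28u  /* assumption: BugCheckCode offset in the 32-bit header */

typedef enum {
    HDR_SHORT,    /* less than one block available to examine */
    HDR_X86,      /* "PAGEDUMP": the x86 signature named in the thread */
    HDR_X64,      /* "PAGEDU64": 64-bit variant (not from the thread) */
    HDR_DAMAGED,  /* starts with "PAGE" but the second half is not valid */
    HDR_NONE      /* no dump header in block zero */
} hdr_state;

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decide what block zero holds. Only the first 8 bytes are inspected. */
hdr_state classify_block_zero(const unsigned char *buf, size_t len)
{
    if (len < BLOCK_SIZE) return HDR_SHORT;
    if (memcmp(buf, "PAGE", 4) != 0) return HDR_NONE;
    if (memcmp(buf + 4, "DUMP", 4) == 0) return HDR_X86;
    if (memcmp(buf + 4, "DU64", 4) == 0) return HDR_X64;
    return HDR_DAMAGED;
}

/* Extract the bugcheck code from an x86 header; returns 0 on success. */
int bugcheck_code32(const unsigned char *buf, size_t len, uint32_t *code)
{
    if (classify_block_zero(buf, len) != HDR_X86) return -1;
    *code = rd_le32(buf + OFF_BUGCHECK32);
    return 0;
}

const char *hdr_state_name(hdr_state s)
{
    switch (s) {
    case HDR_SHORT:   return "file shorter than one block";
    case HDR_X86:     return "x86 dump header present (PAGEDUMP)";
    case HDR_X64:     return "64-bit dump header present (PAGEDU64)";
    case HDR_DAMAGED: return "PAGE prefix found, signature incomplete";
    default:          return "no dump header in block zero";
    }
}

/* Constructed sample: a zeroed block carrying only signature and bugcheck code. */
void make_sample_block(unsigned char *buf, uint32_t bugcheck)
{
    memset(buf, 0, BLOCK_SIZE);
    memcpy(buf, "PAGEDUMP", 8);
    buf[OFF_BUGCHECK32 + 0] = (unsigned char)(bugcheck & 0xff);
    buf[OFF_BUGCHECK32 + 1] = (unsigned char)((bugcheck >> 8) & 0xff);
    buf[OFF_BUGCHECK32 + 2] = (unsigned char)((bugcheck >> 16) & 0xff);
    buf[OFF_BUGCHECK32 + 3] = (unsigned char)((bugcheck >> 24) & 0xff);
}

/* With a path argument, inspect that file; without one, use the sample. */
int main(int argc, char **argv)
{
    unsigned char block[BLOCK_SIZE];
    size_t got = BLOCK_SIZE;
    uint32_t code;
    hdr_state s;

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        got = fread(block, 1, sizeof block, f);
        fclose(f);
    } else {
        make_sample_block(block, 0x7Eu);
    }

    s = classify_block_zero(block, got);
    printf("block zero: %s\n", hdr_state_name(s));
    if (bugcheck_code32(block, got, &code) == 0)
        printf("bugcheck code: 0x%08X\n", (unsigned)code);
    return (s == HDR_X86 || s == HDR_X64) ? 0 : 1;
}
```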

> Q: Does anyone know why the OS adds this extra step of copying from
> pagefile to dumpfile at next boot instead of just writing to the darn
> dump file at the time of the crash?

As much as I understand this (which I’m sure is far from the complete story
of the dumping/paging/file-systems world):
The pagefile is known to the system, and the sectors used by the page-file
can be accessed without using the file-system (or at least in a
“pseudo-read-only” mode). On the other hand, adding new files to the
file-system is relatively complicated, so the system needs to be much more
functional to do this.

So the reason is simply that the page-file can be easily written to at the
time of failure, whilst creating a new file is more complicated.


Mats

Savedump.exe can actually copy the crash dump to a DIFFERENT location,
so your boot partition does not need to be 2 x SizeOfMemory to store one
crash dump (one for the paging file, one for the crash dump).

While most of us don’t routinely worry about big memory systems, the big
memory system people actually want crash dumps AT LEAST as much as the
ordinary folks - someone who spent $3 million on their 32-way x86 server
with 64GB of memory gets really pissed when that same system crashes and
takes 1500 terminal server sessions along with it. They want that crash
dump to figure out WHY and how to prevent it in the future. (And FYI:
W2K3 supports 64GB crash dumps). By storing the actual dump on a
different storage device you can keep your boot partition under one of
the various magic limits (is it 127GB?)

In all fairness, I’ve yet to see a 64GB crash dump, but I have seen 32GB
crash dumps…

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


When a crash happens, it could happen in file systems too! So
everything is pretty much broken, except maybe the internal (raw fs),
and possibly it just flushes physical page to pagefile. Don’t recall
seeing anyplace that clearly explains it :-(.

-pro


Eschmann, Michael K wrote:

Q: Does anyone know why the OS adds this extra step of copying from
pagefile to dumpfile at next boot instead of just writing to the darn
dump file at the time of the crash?

Because the page file is guaranteed to exist, at a fixed, well-known,
well-exercised location on the disk.

Creating a dump file potentially requires the creation of a new file.
That means that, among other things, the file system drivers must be
healthy enough to do all the directory and file allocation table
management needed to create a new file. In the event of a crash, that
is a dangerous assumption.

After the reboot, we have a known-good basic file system driver up and
operational that can do that manipulation.

Dear Mats:

On Wed, 9 Feb 2005 15:44:25 +0000, you wrote:

I think you’ve misunderstood how it works:
Pagefile.sys is only converted to memory.dmp once the system reboots, and
only when that same pagefile.sys is being used. I’m pretty sure that you
could do something like;
Boot from C:
crash due to driverentry crashing.
boot into safe-mode on C: [Assuming your driver isn’t loaded in safe-mode,
of course].

My driver appears to be loaded in safe mode since the system will crash if I
leave baddriver.sys in c:\windows\system32\drivers. Why it is loaded in
safe mode, I do not know. Thus, I boot into a different OS in order to
delete the driver. I find this to be easier than going into console mode.
It’s just a personal preference.

look at memory.dmp

And then, as Mark Roddy points out (in a different message), “the dump is
extracted from pagefile.sys on C: and written to memory.dmp. End of story.”

Except that it is not the end of the story. Sometimes - as I and other
people in various newsgroups point out - the memory.dmp file does not
appear.

It should but it doesn’t.

Ralph Shnelvar

Here is the scenario you laid out:

"Here’s what’s even weirder. After a couple of reboots, memory.dmp seems to
appear. The following are the details.

(1) baddriver.sys does not exist in c:\windows\system32\drivers.
baddriver.sys is not installed.

(2) Boot into XP Home (on C:) and attempt to install baddriver.sys.
Installation fails because the driver crashes in DriverEntry.

(3) Boot into XP Professional (on D:) and look for memory.dmp. Sometimes
the latest memory.dmp isn’t there.

(4) Delete c:\windows\system32\drivers\baddriver.sys

(5) Boot into XP Home (on C:) in safe mode. XP Home now comes up because
baddriver.sys is not in the system. Shut down XP Home normally.

(6) Boot into XP Professional (on D:). Miraculously, the correct memory.dmp
has been created.

Weird, huh?"

In that scenario this is the expected behavior. Memory.dmp cannot exist (for
the last crash) until the system boots off of the partition on which the
paging file that contains the crash exists. That boot has to proceed all the
way through system service start.

As others have pointed out, there may be other scenarios where your dump
file will not be created, but the one you documented above is the system
behaving as expected.

=====================
Mark Roddy


Dear Tony:

On Wed, 9 Feb 2005 11:14:22 -0500, you wrote:

Ah, so you believe that just because it says the dump is 100% complete
this is in fact the case, right? And you probably believe fast mutexes
really ARE fast, fast I/O relates to I/O and again is fast, and the
hypercritical work queue is the appropriate one for your work, too! :wink:

I believe! I believe! :wink:

Until the dump header is written to the paging file, the dump is not
complete. EVEN IF you can get the bits (beyond block zero, which is the
dump header) out of the paging file, you don’t have the key data
structures from the dump header to make sense of the rest of it. I CAN
tell you that the dump block signature is the 8 byte string “PAGEDUMP”
(at least on x86. Since the format is different on other platforms,
your mileage may vary). Beyond that, though, I’m not sure as to the
specific meaning of the header.

I generally wait 60 seconds-or-so before I do a power-down reboot. I wait -
not because of any prescience on my part - but because the writing of the
dump takes so long that I go off and do other things.

So the question is: How long do I need to wait?

I suppose another possible cause of this problem is that savedump.exe is
broken in some fashion. This is the program that actually opens the
page file, validates its contents and copies it into the appropriate
location. Of course, if it fails, it reports that information in the
obvious place - the Event Log.

Is there any documentation on savedump.exe? It sure looks like what I need.

My suspicion is that you don’t get a dump because it writes physical
memory but not the dump header, which makes the whole dump worthless.
As always, I could be wrong, but if that’s the case you’ll need to wait
for someone else to step up to the plate.

It’s the bottom of the 9th, the bases are loaded, and …

Regards,

Ralph Shnelvar

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the Next OSR File Systems Class April
4, 2005 in Boston!
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
Sent: Wednesday, February 09, 2005 10:30 AM
To: ntdev redirect
Subject: Re: [ntdev] Forcing pagefile.sys -> memory.dmp

Tony:

On Wed, 9 Feb 2005 00:28:55 -0500, you wrote:

>If you are not getting a memory.dmp file, there isn’t one in the page
>file.

Tony, I’m sorry, that just doesn’t seem to jibe with my experience.

It also doesn’t jibe with other people’s experience, as well.

Here’s a typical link:
http://groups-beta.google.com/group/comp.os.ms-windows.nt.misc/browse_thread/thread/b1d1871da83e14f0/6d02628efeb63e7c?q=%22memory.dmp%22&_done=%2Fgroups%3Fq%3D%22memory.dmp%22%26num%3D100%26hl%3Den%26lr%3D%26sa%3DN%26tab%3Dwg%26&_doneTitle=Back+to+Search&&d#6d02628efeb63e7c

>This can occur when the dump writing process is interrupted for
>any reason - for example, if an error occurs.

But the dump writing process completed. Really. Honest.

I have 512MB of ram on this laptop. I sit there and watch the 100 (decimal)
records being written out.

In fact, this last time I actually sat there with my digital camera and took
pictures of the dump process. I even managed to get a picture of it when it
reads “Dumping physical memory to disk: 99”. It completes the operation at
100. Pictures available upon request.

Alas, this time memory.dmp was produced. But I promise on all that is holy
to programmers everywhere that often the memory.dmp is not produced even
when “dumping physical memory to disk” has completed successfully and we get
the message “physical memory dump complete”.

Here’s what’s even weirder. After a couple of reboots, memory.dmp seems to
appear. The following are the details.

(1) baddriver.sys does not exist in c:\windows\system32\drivers.
baddriver.sys is not installed.

(2) Boot into XP Home (on C:) and attempt to install baddriver.sys.
Installation fails because the driver crashes in DriverEntry.

(3) Boot into XP Professional (on D:) and look for memory.dmp. Sometimes
the latest memory.dmp isn’t there.

(4) Delete c:\windows\system32\drivers\baddriver.sys

(5) Boot into XP Home (on C:) in safe mode. XP Home now comes up because
baddriver.sys is not in the system. Shut down XP Home normally.

(6) Boot into XP Professional (on D:). Miraculously, the correct memory.dmp
has been created.

Weird, huh?

Anyway, that’s the way I remember it because it happened that way at 5:30
a.m. today.

Is there a way to convert pagefile.sys to memory.dmp? That is, once the
“dumping physical memory to disk” has completed and one then boots into
*another* Windows partition (thus eliminating the corruption of pagefile.sys
because one has specified that the page file be on the same partition as the
OS), can one take the data in pagefile.sys and convert it to memory.dmp?
Clearly, the OS knows how to do it. Is this functionality exposed?

Regards,

Ralph Shnelvar
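
Tony's point in this exchange, that the dump is unusable until the header in block zero of the paging file carries the "PAGEDUMP" signature, can be checked on an offline copy of pagefile.sys. The following is an added example, not code from the thread or from any poster; the function name, the 4 KiB block size, the scan window and the 64-bit signature are assumptions that do not come from the thread, and the sample images are constructed.

```python
import io
import sys

X86_SIGNATURE = b"PAGEDUMP"  # signature quoted in the thread (x86)
X64_SIGNATURE = b"PAGEDU64"  # not from the thread: 64-bit dump headers
BLOCK_SIZE = 4096            # assumption: block zero is one 4 KiB page
SCAN_BLOCKS = 256            # assumption: sample 1 MiB after block zero


def inspect_pagefile(stream):
    """Return (header_state, body_has_data) for a seekable binary stream.

    header_state is "header-x86", "header-x64", "no-header" or "truncated".
    body_has_data says whether any sampled block after block zero is
    non-zero. A non-empty body alone does not prove a dump was written:
    ordinary paging traffic leaves data there too.
    """
    stream.seek(0)
    block_zero = stream.read(BLOCK_SIZE)
    if len(block_zero) < BLOCK_SIZE:
        return ("truncated", False)

    signature = block_zero[:8]
    if signature == X86_SIGNATURE:
        state = "header-x86"
    elif signature == X64_SIGNATURE:
        state = "header-x64"
    else:
        state = "no-header"

    body_has_data = False
    for _ in range(SCAN_BLOCKS):
        block = stream.read(BLOCK_SIZE)
        if not block:
            break
        if any(block):
            body_has_data = True
            break
    return (state, body_has_data)


# Constructed sample images (not real paging files).
SAMPLE_COMPLETE = X86_SIGNATURE + bytes(BLOCK_SIZE - 8) + b"\x01" * BLOCK_SIZE
SAMPLE_HEADERLESS = bytes(BLOCK_SIZE) + b"\x01" * BLOCK_SIZE
SAMPLE_SHORT = b"PAGE"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a copy of pagefile.sys taken while the owning OS is offline.
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pagefile(fh))
    else:
        for name, image in (("complete", SAMPLE_COMPLETE),
                            ("headerless", SAMPLE_HEADERLESS),
                            ("short", SAMPLE_SHORT)):
            print(name, inspect_pagefile(io.BytesIO(image)))
```

A result of `("no-header", True)` matches the case Tony suspects: pages on disk, but nothing in block zero to make sense of them.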


xxxxx@lists.osr.com wrote on 02/09/2005 10:31:56 AM:

Dear Mats:

On Wed, 9 Feb 2005 15:44:25 +0000, you wrote:

>I think you’ve misunderstood how it works:
>Pagefile.sys is only converted to memory.dmp once the system reboots, and
>only when that same pagefile.sys is being used. I’m pretty sure that you
>could do something like;
>Boot from C:
>crash due to driverentry crashing.
>boot into safe-mode on C: [Assuming your driver isn’t loaded in safe-mode,
>of course].

My driver appears to be loaded in safe mode since the system will crash if I
leave baddriver.sys in c:\windows\system32\drivers. Why it is loaded in
safe mode, I do not know. Thus, I boot into a different OS in order to
delete the driver. I find this to be easier than going into console mode.
It’s just a personal preference.

No, it isn’t just a personal preference. Max Shatskih already cautioned
you about your methodology. Your OS on D: can *USE* C:\pagefile.sys. If
it does, your dump is toast.

>look at memory.dmp

And then, as Mark Roddy points out (in a different message), “the dump is
extracted from pagefile.sys on C: and written to memory.dmp. End of story.”

Except that it is not the end of the story. Sometimes - as I and other
people in various newsgroups point out - the memory.dmp file does not
appear.

See above. Also, keep in mind that, contrary to MKE’s statement that
ntldr does this, the memory.dmp file is created by savedump, which is run
around the same time as WinLogon. I’m not sure if WinLogon launches it,
or what, but it’s not a boot-execute thing like chkdsk. As a consequence,
you have to give the OS a little while to do the copy. Once it’s
complete, the memory.dmp file is there. But not if your other OS has
trashed it. And as others mentioned, if your bug has trashed the dump
path somehow, you won’t get a clean dump, either.

Phil

Philip D. Barila
Seagate Technology LLC
(720) 684-1842

Prokash Sinha wrote:

When a crash happens, it could happen in file systems too! So
everything is pretty much broken, except maybe the internal (raw fs),
and possibly it just flushes physical page to pagefile. Don’t recall
seeing anyplace that clearly explains it :-(.

Bingo, Pro wins today’s prize! Windows KNOWS where the pagefile is
located, so it can write to this file using minimal system resources.
In fact, the RAW file system isn’t even involved.

Peter
OSR

Ouch :slight_smile:

-pro


Dear Philip:

On Wed, 9 Feb 2005 11:38:18 -0700, you wrote:

xxxxx@lists.osr.com wrote on 02/09/2005 10:31:56 AM:

> Dear Mats:
>
> On Wed, 9 Feb 2005 15:44:25 +0000, you wrote:
>
> >I think you’ve misunderstood how it works:
> >Pagefile.sys is only converted to memory.dmp once the system reboots, and
> >only when that same pagefile.sys is being used. I’m pretty sure that you
> >could do something like;
> >Boot from C:
> >crash due to driverentry crashing.
> >boot into safe-mode on C: [Assuming your driver isn’t loaded in safe-mode,
> >of course].
>
> My driver appears to be loaded in safe mode since the system will crash if I
> leave baddriver.sys in c:\windows\system32\drivers. Why it is loaded in
> safe mode, I do not know. Thus, I boot into a different OS in order to
> delete the driver. I find this to be easier than going into console mode.
> It’s just a personal preference.

No, it isn’t just a personal preference. Max Shatskih already cautioned
you about your methodology. Your OS on D: can *USE* C:\pagefile.sys. If
it does, your dump is toast.

My OS on D: does *not* use C:\pagefile.sys. I just checked … again.

> >look at memory.dmp
>
> And then, as Mark Roddy points out (in a different message), “the dump is
> extracted from pagefile.sys on C: and written to memory.dmp. End of story.”
>
> Except that it is not the end of the story. Sometimes - as I and other
> people in various newsgroups point out - the memory.dmp file does not
> appear.

See above. Also, keep in mind that, contrary to MKE’s statement that
ntldr does this, the memory.dmp file is created by savedump, which is run
around the same time as WinLogon. I’m not sure if WinLogon launches it,
or what, but it’s not a boot-execute thing like chkdsk. As a consequence,
you have to give the OS a little while to do the copy. Once it’s
complete, the memory.dmp file is there. But not if your other OS has
trashed it. And as others mentioned, if your bug has trashed the dump
path somehow, you won’t get a clean dump, either.

Well, if my driver isn’t there, then the dump path shouldn’t be trashed.

Which leads to the next question: Is there any documentation on
savedump.exe?

Thanks, Phil.

Gratefully,

Ralph Shnelvar

Phil

Philip D. Barila
Seagate Technology LLC
(720) 684-1842



Ralph Shnelvar wrote:

Which leads to the next question: Is there any documentation on
savedump.exe?

No. Is this a serious question? Why would there be?

Just a personal suggestion: You might find it more fruitful to spend
more time engineering, and less time posting questions seeking to learn
the holy grail of crash-dump creation. The whole process of creating
and writing crash dumps is very complicated, esoteric, and almost
entirely undocumented. Also, you’ll doubtlessly be pleased to know, it
has been known to change from version to version of Windows.

Peter
OSR