Forcing pagefile.sys -> memory.dmp

Peter:

On Wed, 09 Feb 2005 18:13:56 -0500, you wrote:

> Ralph Shnelvar wrote:
> >
> > Which leads to the next question: Is there any documentation on
> > savedump.exe?
> >
>
> No. Is this a serious question? Why would there be?

Yes, this is a serious question.

Reason: Getting a crash dump out of a system that is completely hosed is a
useful thing. Why would one imagine that after a system crashes the
system is healthy enough to come back up?

Wouldn’t it be simpler, Peter, if one crashed the system, saved the
pagefile, and then restored the system to its state prior to the crash?

The idea that you crash and then depend on a possibly trashed system to
convert pagefile.sys to memory.dmp is a little strange to me. Hence the
question about savedump.exe.

> Just a personal suggestion: You might find it more fruitful to spend
> more time engineering

Peter, I would be hard pressed to imagine that anyone spends more time
engineering than I do. :)

> and less time posting questions seeking to learn
> the holy grail of crash-dump creation. The whole process of creating
> and writing crash dumps is very complicated, esoteric, and almost
> entirely undocumented.

Which is why I post to the illuminati here.

Peter, I have little interest in the arcana of crash dumps. I had a problem
that was plaguing me (and still plagues me). Producing a crash dump wasn’t
happening for me … and the crash dump was the only way I could get
information about the error that is still plaguing me.

Engineering is about solving problems and making the best product possible
with the resources on hand. In order to get the crash dump I had to learn
how the crash dump is produced.

Without disrespect to you, Peter, I believe that engineering is what I am
and was doing.

> Also, you’ll doubtlessly be pleased to know, it
> has been known to change from version to version of Windows.

So, Peter, what else is new?

> Peter
> OSR

Gratefully,

Ralph Shnelvar

> Ralph Shnelvar wrote:
> > Reason: Getting a crash dump out of a system that is completely hosed is a
> > useful thing. Why would one imagine that after a system crashes the
> > system is healthy enough to come back up?
>
> I guess it depends on your definition of “crash”. The reboot is loading
> fresh copies of all of the system DLLs and drivers. If the contents of
> the disk have been damaged so that these fresh copies are unreliable,
> then I don’t see how you could rely on pagefile.sys, either.
>
> As long as the contents of system32 and system32\drivers are correct, no
> crash should prevent a reboot, and hence creation of the dump.

unless the boot process loads the crashing driver. In theory that’s
what safe mode or last-known-good are for.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, February 09, 2005 5:26 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Forcing pagefile.sys -> memory.dmp


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Tim:

On Wed, 09 Feb 2005 17:26:09 -0800, you wrote:

> Ralph Shnelvar wrote:
> > Reason: Getting a crash dump out of a system that is completely hosed is a
> > useful thing. Why would one imagine that after a system crashes the
> > system is healthy enough to come back up?
>
> I guess it depends on your definition of “crash”. The reboot is loading
> fresh copies of all of the system DLLs and drivers. If the contents of
> the disk have been damaged so that these fresh copies are unreliable,
> then I don’t see how you could rely on pagefile.sys, either.
>
> As long as the contents of system32 and system32\drivers are correct, no
> crash should prevent a reboot, and hence creation of the dump.

As Prokash and Peter point out, a crash dump uses far more primitive (and
presumably, robust) facilities than the file system.

To my mind, system DLLs and drivers can be totally hosed and pagefile.sys be
OK.

I am reluctant to dwell on this since Peter seems to be getting annoyed that
I’m consuming so much bandwidth over this question.

Nonetheless, I find these kinds of “first principles” questions fascinating
in their own right.

But in deference to Peter, I’m going to try to keep this to a minimum.

Ralph Shnelvar

P:

On Wed, 9 Feb 2005 17:43:36 -0800, you wrote:

> unless the boot process loads the crashing driver. In theory that’s
> what safe mode or last-known-good are for.

I’m going to ask the engineer who wrote the installer why the driver is
ending up in a safe mode boot.

> -p

Ralph Shnelvar

> Bingo, Pro wins today’s prize! Windows KNOWS where the pagefile is
> located, so it can write to this file using minimal system resources.

Yes, even the normal SCSIPORT is not used for it.

> In fact, the RAW file system isn’t even involved.

From what I know, the only purpose of RAW FS is to answer
NtQueryVolumeInformationFile on unformatted disks.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Yes, makes a lot of sense!!!

At that stage who could we trust? It is inessential at this point for
Ralph, but it seems like the OS reverts back to real mode and flushes using
the (BIOS/HAL) interface. JUST A GUESS, I know, I know I should not guess :-).

-pro
----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”
Sent: Thursday, February 10, 2005 3:18 AM
Subject: Re: Re:[ntdev] Forcing pagefile.sys -> memory.dmp


Sorry again, real mode would give only 1 MB unless there is bank switching; it
is tricky!

-pro
----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Thursday, February 10, 2005 6:37 AM
Subject: Re: Re:[ntdev] Forcing pagefile.sys -> memory.dmp


Actually no – a completely separate driver stack is used which is a
duplicate of the stack used to boot from the disk (look for drivers loaded
called dump_*) plus a special top-level dump driver called diskdump.sys
which is actually called dump_scsiport in the running system – this driver
stack is created at boot time and left on the side until a dump is required.
When dumping, the bugcheck code makes calls to diskdump.sys to write the
memory image to the dump then at the very end it writes the dump header
which includes a signature that is used by savedump to identify a valid dump
in the pagefile…

So, at the end of the day, a copy of the original miniport used to boot the
system is used to write the dump using the normal SCSIPORT interfaces.

Oh and of course I should have said that the location of the pagefile on
disk is saved at boot time so the dump code knows where to write the dump
to.

Confusing? Yes!
/simgr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Thursday, February 10, 2005 9:38 AM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Forcing pagefile.sys -> memory.dmp


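Added example, not code from this thread or from Windows: simgr's message above ends the dump write with a header whose signature savedump later uses to recognise a valid dump in the pagefile. The Python below performs that recognition step on a pagefile image and pulls out the bugcheck data a responder would want first. It assumes the public DUMP_HEADER32/DUMP_HEADER64 layout ("PAGE" at offset 0, "DUMP" or "DU64" at offset 4, major/minor version at 0x08/0x0C, BugCheckCode at 0x28 or 0x38, the four parameters directly after); the header page sizes and every sample value are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SIGNATURE = b"PAGE"         # DUMP_HEADER.Signature
VALID_DUMP32 = b"DUMP"      # DUMP_HEADER32.ValidDump
VALID_DUMP64 = b"DU64"      # DUMP_HEADER64.ValidDump
# (valid-tag, bugcheck-code offset, parameter offset, parameter format, header size);
# offsets assumed from the public DUMP_HEADER32/64 layouts, not taken from the thread
LAYOUT = {32: (VALID_DUMP32, 0x28, 0x2C, "<4I", 0x1000),
          64: (VALID_DUMP64, 0x38, 0x40, "<4Q", 0x2000)}


@dataclass
class DumpInfo:
    bits: int
    major: int
    minor: int
    bugcheck_code: int
    params: Tuple[int, ...]


def parse_dump_header(data: bytes) -> Optional[DumpInfo]:
    """Return DumpInfo if `data` begins with a complete crash-dump header, else None.

    A pagefile whose first page lacks "PAGE" + "DUMP"/"DU64" either never held a
    dump or the bugcheck path never reached the final header write.
    """
    if len(data) < 0x60 or data[:4] != SIGNATURE:
        return None
    major, minor = struct.unpack_from("<II", data, 0x08)   # same offsets in both layouts
    for bits, (tag, off_code, off_par, fmt, _) in LAYOUT.items():
        if data[4:8] == tag:
            code = struct.unpack_from("<I", data, off_code)[0]
            return DumpInfo(bits, major, minor, code, struct.unpack_from(fmt, data, off_par))
    return None   # "PAGE" without a known ValidDump tag: not a finished dump


def build_sample_header(bits: int, major: int, minor: int,
                        code: int, params: Tuple[int, ...]) -> bytes:
    """Constructed sample header (not from a real system) to exercise the parser."""
    tag, off_code, off_par, fmt, size = LAYOUT[bits]
    hdr = bytearray(size)            # zero-filled stand-in for the header page
    hdr[0:4], hdr[4:8] = SIGNATURE, tag
    struct.pack_into("<II", hdr, 0x08, major, minor)
    struct.pack_into("<I", hdr, off_code, code)
    struct.pack_into(fmt, hdr, off_par, *params)
    return bytes(hdr)
```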