KeRegisterBugCheck - IV

NTDEV
1

Hi, everyone.
I just came back from weekend and was very pleased to find a few
messages
in my mailbox regarding some KeRegisterBugCheck questions I’ve made on
Friday. I just want to say “Thank you” (in no special order) to Phil
Barila,
Rob Green, Max Lyadvinsky, Igor Dorovskoy, Andre Vachon, Maxim S.
Shatskih, Anders Fogh and everyone else I forgot to mention here who
contributed somehow to clarify some ideas about this subject. I think
I’m on
my way now to find a nice solution to the initial problem… :slight_smile:

But, I wish to ask again something that someone (Mr. Satish, I guess)
already
posted here:
-If the FSDs can be in uncontrolled state at the moment of the bugcheck
(preventing you from writing to a file), then *how* does the o.s. create
the
dump (.dmp) files?

(Maybe Mr. Andre Vachon - from Microsoft - could bring a light here?..)

Thank you once again.
Best regards you all,

Miguel Monteiro
xxxxx@criticalsoftware.com
www.criticalsoftware.com

«Humour and love are God’s answers
to Human weaknesses»

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

2

AFAIK:

During boot up, the os asks the boot driver to give it a callback routine.
This routine is only supported by certain class of disk drivers (its
undocumented, so third party drivers usually dont support it). When a
pagefile is created on the boot volume, the os asks the filesystem for the
raw clusters on the volume. (this is the reason when you enable the
memory.dmp option it complains when the boot volume doesnt have a pagefile
as big as memory)

When the bsod occurs, the os raises to HIGHEST_LEVEL Irql, and calls the
call back. The disk driver then proceeds to reset the controller and any
state that it can. Once this succeeds, the os then writes to the page file
directly using the saved sectors.

When the system reboots, a process called “savedump.exe” is executed to copy
the contents of the pagefile.sys into memory.dmp.

There are a number of cases to where the system can not generate a dump file
and these can be looked up in the knowledgebase.

There is no reliable 100% way of writing to a file (including the dump
file), as it depends on what excatly is wrong (ie the disk itself could have
died).

rob

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Miguel Monteiro
Sent: Monday, April 02, 2001 5:36 AM
To: NT Developers Interest List
Subject: [ntdev] KeRegisterBugCheck - IV

Hi, everyone.
I just came back from weekend and was very pleased to find a few
messages
in my mailbox regarding some KeRegisterBugCheck questions I’ve made on
Friday. I just want to say “Thank you” (in no special order) to Phil
Barila,
Rob Green, Max Lyadvinsky, Igor Dorovskoy, Andre Vachon, Maxim S.
Shatskih, Anders Fogh and everyone else I forgot to mention here who
contributed somehow to clarify some ideas about this subject. I think
I’m on
my way now to find a nice solution to the initial problem… :slight_smile:

But, I wish to ask again something that someone (Mr. Satish, I guess)
already
posted here:
-If the FSDs can be in uncontrolled state at the moment of the bugcheck
(preventing you from writing to a file), then *how* does the o.s. create
the
dump (.dmp) files?

(Maybe Mr. Andre Vachon - from Microsoft - could bring a light here?..)

Thank you once again.
Best regards you all,

Miguel Monteiro
xxxxx@criticalsoftware.com
www.criticalsoftware.com

«Humour and love are God’s answers
to Human weaknesses»

You are currently subscribed to ntdev as: xxxxx@cdp.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

3

Miguel Monteiro asked:

-If the FSDs can be in uncontrolled state at the
moment of the bugcheck (preventing you from
writing to a file), then *how* does the o.s.
create the dump (.dmp) files?

As someone mentioned previously on this thread, savedump.exe is a NT native
program which runs during boot, before the pagefile(s) are mounted, and
which saves memory.dmp contents out of the system volume pagefile and into
memory.dmp, if the previous shutdown was a bugcheck (bluescreen) and
crashdump is enabled.

Dave Hart

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

4

RE: [ntdev] KeRegisterBugCheck - IVHow does OS is writing to PageFile.Sys after Blue Screen ?

Regards,
Satish K.S

----- Original Message -----
From: Dave Hart
To: NT Developers Interest List
Sent: Tuesday, April 03, 2001 3:18 AM
Subject: [ntdev] RE: KeRegisterBugCheck - IV

Miguel Monteiro asked:

-If the FSDs can be in uncontrolled state at the
> moment of the bugcheck (preventing you from
> writing to a file), then *how* does the o.s.
> create the dump (.dmp) files?

As someone mentioned previously on this thread, savedump.exe is a NT native program which runs during boot, before the pagefile(s) are mounted, and which saves memory.dmp contents out of the system volume pagefile and into memory.dmp, if the previous shutdown was a bugcheck (bluescreen) and crashdump is enabled.

Dave Hart

You are currently subscribed to ntdev as: xxxxx@aalayance.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com