Programmatically creating memory dump in kernel mode

Hi, is there any way that I can programmatically create a memory dump (kernel
memory dump or complete memory dump) in my FSFD without crashing the system?
I just want to implement something like the ‘.dump’ command of WinDbg in my
FSFD’s exception handler. I know in user mode I can dump one of the
processes by using DbgHelp.dll. Is this possible in kernel mode? If it is
possible, how can I prevent Windows from swapping the memory during the
memory dump? Thanks. Any suggestion is appreciated.

At first glance I would say no, you cannot. The kernel crash dump is created after reboot from the paging file, not immediately during the BSOD. The BSOD only causes flushing of dirty memory into the paging file.

BUT WAIT… there is a tool, LiveKd, created by Mark Russinovich. It allows you to analyze a live system with a kernel debugger. It works by means of crash dumps. So it can be done somehow… If you expect some API, you will not find any. I think you will have to generate the dump file from scratch. The driver must help you with reading (paged-out) memory.
-bg

You also will have close to zero chance of getting something consistent, since the system cannot be halted.

Good luck,

mm