Which NT function is responsible for creating a crash dump file?

If I understand correctly, when a bug-check happens, the KeBugCheckEx function saves the contents of physical memory pages in a swap-file and then the actual .dmp file is created only when the system boots back up.

Do you know what NT function is used to save the .dmp file during the boot? And is it in ntoskrnl or in crashdmp.sys?

I also wonder if the same function is responsible for creating different types of crash dump files, i.e. full dump, kernel dump, small dump, live kernel dump?

I suspect that you are curious because you want to hook it in some way? If so, there are a few KeRegisterBugCheckCallback features that can hook into the process in various ways. I've used them and they work as advertised.

It's done in user mode by smss.exe as part of creating the paging files.

Thanks, @Scott_Noone_OSR. You don't happen to know the name of the function that's responsible for that, do you?

No, I don't. Took a guess and dumped the symbols and it should be easy enough to find:

0: kd> x smss!*crashdump*
00007ff6`141d9d70 smss!SmpQueryCrashDumpType (SmpQueryCrashDumpType)
00007ff6`141f7490 smss!SmpTryHardForCrashDump = <no type information>
00007ff6`141e3cd4 smss!SmpComputeDesiredPfSizeForCrashDump (SmpComputeDesiredPfSizeForCrashDump)
00007ff6`141f2200 smss!SmssEvt_CrashDumpCopy_Error = <no type information>
00007ff6`141f7470 smss!SmpDesiredPfSizeForCrashDump = <no type information>
00007ff6`141f73f8 smss!SmpCrashDumpKey = <no type information>
00007ff6`141d6bb0 smss!SmpCheckForCrashDump (SmpCheckForCrashDump)