Collecting User-Mode Dumps


In this article I’ll show you how to configure Windows Server 2008 to create dump files for crashing applications. A dump file is a snapshot of the memory at the time of the crash. This file can be debugged to find the cause of the problem. A dump file has the .dmp extension.
By default, Windows is configured to catch and save dump files in %SystemRoot%\MEMORY.DMP and it’s set to overwrite any existing file. This means that only one dump file will be saved at any time. Also note that you can configure three types of dump: Small memory dump, Kernel memory dump and Complete memory dump. By default, the “Write debugging information” setting is set to Kernel memory dump. You can change any of these settings by navigating to Control Panel/System and Security/System and clicking on “Advanced system settings”. Now click on the “Advanced” tab and press the “Settings” button right under the “Startup and Recovery” section:

[Screenshot: Startup and Recovery]
We can configure the same settings from registry editor. I’ll show you how to configure the Windows Server to store dump files in a different location. Open registry editor by typing regedit in the Windows search box and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting:
[Screenshot: Registry editor]
Now let’s create a new key called DumpFolder. Right click the “Windows Error Reporting” section, click “New” and then click again on the “Key” section. We’ll have to add three new entries in this section:

1. a REG_EXPAND_SZ key named DumpFolder
2. a REG_DWORD key named DumpCount with a decimal value (let’s say 5)
3. a REG_DWORD key named DumpType with a value from 0 to 2. Each value represents a dump type as follows:
   0: Custom dump
   1: Mini dump
   2: Full dump

This is how you add each entry:

[Screenshot: Registry editor]
If you want to create dumps for a particular application, add a new key under the same node with your application’s name. For example, if we wanted to create crash dumps for notepad.exe, we would add the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DumpFolder\notepad.exe. Your configuration would look something like this:
[Screenshot: regedit]
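
The steps above as a script, writing to the 64-bit registry view explicitly so that a 32-bit process is not redirected to WOW6432Node (the situation described in the comment below). This is an added example, not code from the original article; the function name Set-WerLocalDumps, its parameters and the sample folder are assumptions, and the subkey name LocalDumps is the one Microsoft's WER documentation uses, where the article's text calls the key DumpFolder.

```powershell
# Added example; needs PowerShell 3.0+ (.NET 4) and an elevated prompt.
# Set-WerLocalDumps and its parameter names are made up for this example.
function Set-WerLocalDumps {
    param(
        [string]$Folder = '%SystemDrive%\CrashDumps',  # constructed sample path
        [ValidateRange(1, 1000)][int]$Count = 5,       # DumpCount, 5 as in the article
        [ValidateSet(0, 1, 2)][int]$Type = 2,          # 0 custom, 1 mini, 2 full
        [string]$Application,                          # e.g. notepad.exe; omit for all apps
        [string]$KeyName = 'LocalDumps'                # subkey name (assumption, see lead-in)
    )
    $path = "SOFTWARE\Microsoft\Windows\Windows Error Reporting\$KeyName"
    if ($Application) { $path = "$path\$Application" }

    # Ask for the 64-bit view so a 32-bit host process does not end up
    # under HKLM\SOFTWARE\WOW6432Node.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.CreateSubKey($path)
        try {
            $key.SetValue('DumpFolder', $Folder, [Microsoft.Win32.RegistryValueKind]::ExpandString)
            $key.SetValue('DumpCount', $Count, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.SetValue('DumpType', $Type, [Microsoft.Win32.RegistryValueKind]::DWord)
            # Read back the stored values, leaving %VAR% in DumpFolder unexpanded.
            $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            [pscustomobject]@{
                Key        = $key.Name
                DumpFolder = $key.GetValue('DumpFolder', $null, $raw)
                DumpCount  = $key.GetValue('DumpCount')
                DumpType   = $key.GetValue('DumpType')
            }
        } finally { $key.Dispose() }
    } finally { $hklm.Dispose() }
}

Set-WerLocalDumps                                      # all applications
Set-WerLocalDumps -Application 'notepad.exe' -Type 1   # per-application mini dumps
```

A full dump contains the entire memory of the crashed process, including any credentials or keys it held, so point DumpFolder at a location with restricted access.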

That’s it for this article folks, hope it will serve you well. If you think there is more to be said here, don’t hesitate to leave a comment. Enjoy your day!


One thought on “Collecting User-Mode Dumps”

  1. This is not working for a 32-bit app running on a 64-bit OS.
    I have an app which sets the dump entries in the registry under HKLM via InstallShield. Those are getting added properly, but under the WOW6432Node, not directly under the root directory. So due to this I couldn't collect the dumps in the mentioned location.

    Any help on this? Thanks in advance.
