Implementation of crash report processing systems

Windows Memory Dump Types


Windows support various memory dump types. There is much confusion among users about different dumps, so let’s make it clear.

Windows memory dump types

At this scheme you can see that there are two main dump file categories in Windows: kernel and user –mode dump files. The main difference of these two is that kernel mode dumps contain OS physical memory, when a user-mode dump file contains memory space of a single process. To know more about user and kernel mode refer to Mark Russinovich’s “Windows Internals” book or just ask Google.

Let’s Take a closer look at each dump type.

1. Kernel-mode dumps

1.1 Complete Memory Dump

A Complete Memory Dump is the largest kernel-mode dump file. This file contains all the physical memory for the machine at the time of the fault. This type of dump will require that there is a page file at least the size of physical memory plus 1MB (for the header). Because of the page file requirement, this is an uncommon setting especially for systems with large amounts of RAM. Windows NT4 only supported a Complete Memory Dump. Also, this is the default setting on Windows Server systems.

1.2 Kernel Memory Dump

A Kernel Memory Dump contains all the memory in use by the kernel at the time of the crash.

This kind of dump file is significantly smaller than the Complete Memory Dump. Typically, the dump file will be around one-third the size of the physical memory on the system. Of course, this quantity will vary considerably, depending on your circumstances.

This dump file will not include unallocated memory, or any memory allocated to user-mode applications. It only includes memory allocated to the Windows kernel and hardware abstraction level (HAL), as well as memory allocated to kernel-mode drivers and other kernel-mode programs.

For most purposes, this crash dump is the most useful. It is significantly smaller than the Complete Memory Dump, but it only omits those portions of memory that are unlikely to have been involved in the crash.

1.3 Small Memory Dump

A small memory is a 64KB dump (128KB on 64-bit systems) that contains the stop code, parameters, list of loaded device drivers, information about the current process and thread, and the kernel stack for the thread that caused the crash.

2 User-mode memory dumps

2.1 Full User-Mode Dumps

A full user-mode dump is the basic user-mode dump file. This dump file includes the entire memory space of a process, the program’s executable image itself, the handle table, and other information that will be useful to the debugger.

2.2 Minidumps

A user-mode dump file that includes only selected parts of the memory associated with a process is called a minidump.
The size and contents of a minidump file vary depending on the program being dumped and the application doing the dumping. Sometimes, a minidump file is fairly large and includes the full memory and handle table. Other times, it is much smaller — for example, it might only contain information about a single thread, or only contain information about modules that are actually referenced in the stack.
The name “minidump” is misleading, because the largest minidump files actually contain more information than the “full” user-mode dump.

Leave a Reply

Required fields are marked *.