How to create BSOD Dump


4 replies to this topic

#1 netlord (Newbie, Members, 25 posts, Germany)

Posted 21 June 2016 - 09:50 AM

Hi there

It's not only because I now have a specific BSOD, but the question is interesting (for me).

First of all I defined a variable for the USB drive. In my case drvUSB.

Then I changed HKLM\System\Currentcontrolset\Control\CrashControl\DumpFile in the Registry to %drvUSB%\memory.dmp

But even after booting and getting the BSOD there is no DumpFile there...

What have I done wrong?

 



#2 Olof Lagerkvist (Gold Member, Developer, 1331 posts, Location: Borås, Sweden)

Posted 21 June 2016 - 12:36 PM

The dump file is placed in that location at the next reboot. This is because when you get a BSOD, the kernel dumps memory into the pagefile. It can't create or even open any other files at this point. Next time the kernel boots, it checks existing pagefiles for a signature that indicates whether or not the pagefile contains a dump from the previous session. If so, it moves the pagefile into the dump file location you have specified.

 

But this whole concept also means that directly after a crash, you can use another operating system to copy the pagefile from the crashed system and that file will then contain the dump. It also means that if you don't have a pagefile or if it is not big enough, you would not get any memory dumps.



#3 netlord (Newbie, Members, 25 posts, Germany)

Posted 22 June 2016 - 01:38 PM

Hi Olof

thank you for clarifying!  :1st:

What you said makes total sense. But does this mean that it's impossible to get a dump with WindowsPE?

Is it possible to configure Windows so that the paging file is on my Bootstick (or even a network share)?

IMHO the detection of the stick or the connection to the network drive happens later than the creation of the paging file.

To access the Bootstick via network while PE is running is not so easy, even if the firewall is disabled. I have to check this again...

My next idea was to access PE via Telnet, but I couldn't find any (pure) 64-bit Telnet server. Here I have a new idea which I have to check.

Most promising would be a debugging session via serial cable or network.

Has anyone tried this already, and did it work?



#4 Wonko the Sane (The Finder, Advanced user, 13330 posts, Location: The Outside of the Asylum (gate is closed), Italy)

Posted 22 June 2016 - 02:08 PM

Would a DedicatedDumpFile work on a PE? :unsure: (if that is the question :dubbio:)

https://blogs.msdn.m...em-memory-dump/

 

:duff:

Wonko



#5 Olof Lagerkvist (Gold Member, Developer, 1331 posts, Location: Borås, Sweden)

Posted 24 June 2016 - 09:10 PM

There are a couple of brick walls you could hit anyway. Even if you work around the principle that only the pagefile on the system partition can be used as the dump file (DedicatedDumpFile setting), certain limitations still apply. All drivers along the path from the kernel through the filesystem down to the disk volume and physical disk need to be capable of handling dump files. It is a specific scenario in the kernel for which there needs to be specific support in the related drivers. This is usually no problem for physical disk drivers of various kinds because they are always designed for this scenario anyway, and they get appropriate notifications from the kernel so they can prepare correctly for it when the pagefile is created. But if you use some kind of disk virtualization to create a pagefile where I/O requires network drivers or other kinds of drivers that normally are not related to dump files, this will likely fail.

 

I seem to recall that I have at some point read about someone creating a dump file on a physical disk on the machine where WinPE ran, but I cannot seem to find anything about that right now. I would say that would be the only option that could possibly work, unless you find some kind of highly specialized driver for the particular purpose of creating a pagefile that can be used to store a dump at some special location later.

 

I personally have pretty much only used live debugging (windbg/kd/etc.) to debug PE or RE sessions, not dump files. That works in pretty much the same way as for non-PE Windows sessions. But I can of course understand that there might be scenarios where dump files would be the only practical option to investigate some problems, so if you find a solution, please share it! Could be useful to know!
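The constraints discussed in this thread (the dump is staged in a pagefile on the system volume and only moved to DumpFile at the next boot, unless DedicatedDumpFile is in use) can be checked up front. The script below is an added example, not code from any post; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later (for Get-Volume) and reads only the CrashControl key and the active pagefile list.

```powershell
# Added example (not from this thread): report the CrashControl and pagefile
# settings that decide whether a kernel crash dump can be staged and where it
# ends up. Run from an elevated PowerShell on the installation in question.
function Test-CrashDumpConfig {
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $findings = New-Object System.Collections.Generic.List[string]

    # CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small (minidump), 7 automatic
    if (-not $cc.CrashDumpEnabled) {
        $findings.Add('CrashDumpEnabled is 0: the kernel will not write a dump at all.')
    }

    # DumpFile is only the final destination: the dump is moved there on the
    # next boot, so this volume must be present then, not at crash time.
    $dumpFile = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
    if ($dumpFile -match '%') {
        # A custom variable such as %drvUSB% that this session cannot expand
        $findings.Add("DumpFile '$dumpFile' contains a variable that does not expand here.")
    }
    $findings.Add("Final dump location: $dumpFile")

    # Without DedicatedDumpFile the dump is staged in a pagefile on the system
    # drive, so that pagefile must exist (and be large enough for the dump type).
    $systemDrive = $env:SystemDrive
    if ($cc.DedicatedDumpFile) {
        $findings.Add("DedicatedDumpFile in use: $($cc.DedicatedDumpFile)")
    } else {
        $active = Get-CimInstance Win32_PageFileUsage |
                  Where-Object { $_.Name -like "$systemDrive\*" }
        if (-not $active) {
            $findings.Add("No active pagefile on $systemDrive; nowhere to stage a dump.")
        } else {
            $findings.Add("Staging pagefile: $($active.Name) ($($active.AllocatedBaseSize) MB)")
        }
    }

    # Flag a DumpFile on non-fixed media: the post-crash boot must see it
    # for the move from the pagefile to succeed.
    $letter = [System.IO.Path]::GetPathRoot($dumpFile).TrimEnd(':', '\')
    if ($letter.Length -eq 1) {
        $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if ($vol -and $vol.DriveType -ne 'Fixed') {
            $findings.Add("DumpFile is on $($vol.DriveType) media ($letter`:); attach it before the next boot.")
        }
    }
    return $findings
}

Test-CrashDumpConfig
```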





