Creating a complete memory dump without a Blue Screen

Home Blog Creating a complete memory dump without a Blue Screen

4sysops - The online community for SysAdmins and DevOps

    ,   2
When an error is escalated, one of the most common requests is to get a full memory dump of the computer. This can be achieved easily by blue-screening the computer; however, that is not always possible. Sometimes you also don't have a big enough pagefile or a dedicated dump file configured. Let me show you how to do this without booting the computer and without tweaking the pagefile.
Latest posts by Sami Laiho (see all)

You need to install the free debugging tools from Microsoft. The tools come as part of a few different kits, but I usually download the SDK.

You also need the LiveKD.exe tools from Sysinternals. I put the LiveKD.exe in a folder that is my %PATH%-variable, so I can access it anywhere. If you don't do this, you need to use the full path when you call it.

Open a Command Prompt with Run As Administrator and change to the directory of the debugging tools. Run LiveKD.exe, which starts the KD.exe kernel debugger (if you want to use a graphical version, you can run LiveKD.exe -w).

Running LiveKD.exe on a computer with debugging tools installed

Running LiveKD.exe on a computer with debugging tools installed

Wait until you see the 0: kd> prompt. Then run (make sure you really target the Temp folder):

.dump /f c:\temp\test.dmp
Creating a full memory dump from inside the Kernel Debugger

Creating a full memory dump from inside the Kernel Debugger

That's it! Now you have a full memory dump.

If you are running the computer you want to get the memory dump from on top of Hyper-V, you can do that easily from the host computer without touching the guest. Let's see how to do that.

This time, you need to install the debugging tools and LiveKD.exe on the host machine. The concepts are very much the same.

Open a Command Prompt with Run As Administrator and change to the directory of the debugging tools. Run the following command (change VM1 to the name of the virtual machine you want to get the dump from):

LiveKD.exe -hv VM1
Running LiveKD.exe on a Hyper V host computer with debugging tools installed

Running LiveKD.exe on a Hyper V host computer with debugging tools installed

The funny thing about this is that it doesn't require the guest computer to be running in debugging mode.

Wait until you see the 0: kd> prompt. Then run (make sure you really target the Temp folder):

.dump /f c:\temp\test.dmp
Creating a full memory dump from a Hyper V guest VM

Creating a full memory dump from a Hyper V guest VM

You can do this even faster by just running:

Subscribe to 4sysops newsletter!

LiveKD -hv <VMNAME> -p -o c:\temp\memory.dmp
Creating a full memory dump from a guest VM with a one liner

Creating a full memory dump from a guest VM with a one liner

If you are running a guest VM on top of VMware, you should refer to this article, which shows you how to convert a snapshot file to a memory dump with vmss2core.exe. This is often the easiest way.

avataravatar
Related Articles
2 Comments
  1. steve tretakis 3 years ago

    How about a walkthrough on getting symbols configured for this? I have symbols working for procexp but this is driving me nuts

    Reply
  2. Author
    Sami Laiho (Rank 2) 3 years ago

    I will try to do that! 

    The answer is to always use the _NT_SYMBOL_PATH variable.

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account