Creating a complete memory dump without a Blue Screen

• Author
• Recent Posts

Sami Laiho

Sami Laiho has been a Microsoft Most Valuable Professional (MVP) since 2011 and one of the world's leading IT experts for Windows and security. He has been teaching OS troubleshooting, management, and security since 1996. In 2019 TiVi-magazine chose Sami as one of the top 100 influencers in IT in Finland. For more info, go to https://samilaiho.com.

Latest posts by Sami Laiho (see all)

• Hardening AppLocker - Thu, Jun 25 2020
• AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
• Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020

You need to install the free debugging tools from Microsoft. The tools come as part of a few different kits, but I usually download the SDK.

You also need the LiveKD.exe tools from Sysinternals. I put the LiveKD.exe in a folder that is my %PATH%-variable, so I can access it anywhere. If you don't do this, you need to use the full path when you call it.

Open a Command Prompt with Run As Administrator and change to the directory of the debugging tools. Run LiveKD.exe, which starts the KD.exe kernel debugger (if you want to use a graphical version, you can run LiveKD.exe -w).

Running LiveKD.exe on a computer with debugging tools installed

Wait until you see the 0: kd> prompt. Then run (make sure you really target the Temp folder):

.dump /f c:\temp\test.dmp

Creating a full memory dump from inside the Kernel Debugger

That's it! Now you have a full memory dump.

If you are running the computer you want to get the memory dump from on top of Hyper-V, you can do that easily from the host computer without touching the guest. Let's see how to do that.

This time, you need to install the debugging tools and LiveKD.exe on the host machine. The concepts are very much the same.

Open a Command Prompt with Run As Administrator and change to the directory of the debugging tools. Run the following command (change VM1 to the name of the virtual machine you want to get the dump from):

LiveKD.exe -hv VM1

Running LiveKD.exe on a Hyper V host computer with debugging tools installed

The funny thing about this is that it doesn't require the guest computer to be running in debugging mode.

Wait until you see the 0: kd> prompt. Then run (make sure you really target the Temp folder):

.dump /f c:\temp\test.dmp

Creating a full memory dump from a Hyper V guest VM

You can do this even faster by just running:

LiveKD -hv <VMNAME> -p -o c:\temp\memory.dmp

Creating a full memory dump from a guest VM with a one liner

If you are running a guest VM on top of VMware, you should refer to this article, which shows you how to convert a snapshot file to a memory dump with vmss2core.exe. This is often the easiest way.