Udostępnij za pośrednictwem

How to trigger a full memory dump based on a user mode process exception

  • Artykuł

Scenario: You have something kernel related triggering crashes of user mode processes (you think). You are trying to prove it. You're told you need a full memory dump of the system at time of the crash of the user mode process.

How to do it?

Glad you asked! <edit>

(to back this out, delete the task, if something goes wrong and it boots in a crash loop, booting in safe mode should stop it too)

Step .5: Logon with an administrative rights account.  :)

Step 1: Follow KB969028 so you are configured properly for a full memory dump.

Step 2: Download NotMyFault from here. Unzip to C:\notmyfault. Unblock the exe and sys files (if needed) by right clicking and selecting properties then selecting "Un-block":

Step 3: Run task scheduler and select "Create Basic Task..." in the right Actions pane:

Step 4: Give your basic task a clever name. Mine is 'crashme'. Click next.

Step 5: Answer the radio button question with "When a specific event is logged". See where I'm going with this?

Step 6: Set Log to Application, Source to Application Error and Event ID to 1000, as seen below:

Select Next.

Step 7: Select Next as we want "Start a program" selected and it's the default.

Step 8: Browse to C:\notmyfault\x<your system architecture here>\NotMyFault.exe. Add /crash as your argument and Start in should be "C:\notmyfault\<xwhatever>. As seen below for x64:

Select Next.

Step 9: check the box to open the task properties and click Finish.

Step 10: Check the box "run with highest privileges" and on the Settings tab uncheck "Stop the task if it runs longer than" box and click Ok.

Step 11: Wait for your app to crash. Enjoy.

Comments

  • Anonymous
    November 04, 2015
    This requires administrator rights, I think it goes without saying...
  • Anonymous
    November 04, 2015
    Now you tell me after I tried with a guest account , this is very helpful information will try out
  • Anonymous
    November 04, 2015
    Will try out shortly and see if I force crash an app, maybe outlook and see the results then use it in the office on one desktop
  • Anonymous
    November 04, 2015
    The comment has been removed
  • Anonymous
    November 04, 2015
    Hm strange. Did this on Win7. Let me check if there are more settings to disable on 8/10.

  • Anonymous
    November 04, 2015
    Or do you mean it worked as expected? Maybe I misunderstood? Feel free to send an email (jeff.stokes@microsoft.com) if you are having issues.
  • Anonymous
    November 04, 2015
    The comment has been removed