

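Distinguishing dump file types

When you receive a dump file, you can tell from its size whether it is a Mini, Kernel, or Full dump.

A MiniDump is 64 KB in size. A Full dump is as large as the total memory, so it has a size such as 512 MB, 1 GB, or 2 GB. A Kernel dump is sometimes around 300 MB. A more reliable way to tell them apart is to judge by the message that appears when you open the dump file in WinDbg.

The messages below are enough on their own to tell you what they mean, aren't they?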

Mini Kernel Dump File: Only registers and stack trace are available

Kernel Summary Dump File: Only kernel address space is available

Kernel Complete Dump File: Full address space is available

 

Below are the descriptions of each dump type found in WinDbg.

Complete Memory Dump

A Complete Memory Dump is the largest kernel-mode dump file. This file contains all the physical memory for the machine at the time of the fault.

This dump file requires a pagefile on your boot drive that is at least as large as your main system memory: it should be able to hold a file whose size equals your entire RAM plus one megabyte.

The Complete Memory Dump file is written to %SystemRoot%\Memory.dmp by default.

If a second bug check occurs and another Complete Memory Dump (or Kernel Memory Dump) is created, the previous file will be overwritten.

 

Kernel Memory Dump

A Kernel Memory Dump contains all the memory in use by the kernel at the time of the crash.

This kind of dump file is significantly smaller than the Complete Memory Dump. Typically, the dump file will be around one-third the size of the physical memory on the system. Of course, this quantity will vary considerably, depending on your circumstances.

This dump file will not include unallocated memory, or any memory allocated to user-mode applications. It only includes memory allocated to the Windows kernel and hardware abstraction level (HAL), as well as memory allocated to kernel-mode drivers and other kernel-mode programs.

For most purposes, this crash dump is the most useful. It is significantly smaller than the Complete Memory Dump, but it only omits those portions of memory that are unlikely to have been involved in the crash.

Since this kind of dump file does not contain images of any user-mode executables residing in memory at the time of the crash, you may also need to set the executable image path if these executables turn out to be important.

The Kernel Memory Dump file is written to %SystemRoot%\Memory.dmp by default.

If a second bug check occurs and another Kernel Memory Dump (or Complete Memory Dump) is created, the previous file will be overwritten.

To suppress missing page error messages when debugging a Kernel Memory Dump, use the .ignore_missing_pages command.

 

Small Memory Dump

A Small Memory Dump is much smaller than the other two kinds of kernel-mode crash dump files. It is exactly 64 KB in size, and requires only 64 KB of pagefile space on the boot drive.

This dump file includes the following:

  • The bug check message and parameters, as well as other blue-screen data.
  • The processor context (PRCB) for the processor that crashed.
  • The process information and kernel context (EPROCESS) for the process that crashed.
  • The thread information and kernel context (ETHREAD) for the thread that crashed.
  • The kernel-mode call stack for the thread that crashed. If this is longer than 16 KB, only the topmost 16 KB will be included.
  • A list of loaded drivers.

In Windows XP and later versions of Windows, the following items are also included:

  • A list of loaded modules and unloaded modules.
  • The debugger data block. This contains basic debugging information about the system.
  • Any additional memory pages that Windows identifies as being useful in debugging failures. This includes the data pages that the registers were pointing to when the crash occurred, and other pages specifically requested by the faulting component.
  • (Intel Itanium processor only) The backing store.
  • (Windows Server 2003 and later) The Windows SKU — for example, "Professional" or "Server".

This kind of dump file can be useful when space is greatly limited. However, due to the limited amount of information included, errors that were not directly caused by the thread executing at time of crash may not be discovered by an analysis of this file.

Since this kind of dump file does not contain images of any executables residing in memory at the time of the crash, you may also need to set the executable image path if these executables turn out to be important.

If a second bug check occurs and a second Small Memory Dump file is created, the previous file will be preserved. Each additional file will be given a distinct name, which contains the date of the crash encoded in the filename. For example, mini022900-01.dmp is the first memory dump file generated on February 29, 2000. A list of all Small Memory Dump files is kept in the directory %SystemRoot%\Minidump.
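The checks described in this post (file size, the WinDbg banner, and the date encoded in a Small Memory Dump filename), combined into one triage helper. This is an added example, not code from the original post or from WinDbg; the function names, the 90% RAM tolerance, and the sample values are assumptions made for illustration.

```python
import re
from datetime import datetime

# Banner lines WinDbg prints when a dump is opened, as quoted in this post.
BANNERS = {
    "Mini Kernel Dump File": "small",
    "Kernel Summary Dump File": "kernel",
    "Kernel Complete Dump File": "complete",
}
SMALL_DUMP_BYTES = 64 * 1024  # "exactly 64 KB" per the description above
RAM_TOLERANCE = 0.9           # assumed slack when comparing file size to RAM


def guess_from_size(size_bytes, ram_bytes):
    """Size heuristic only: 64 KB -> small, about RAM-sized -> complete."""
    if size_bytes == SMALL_DUMP_BYTES:
        return "small"
    if size_bytes >= RAM_TOLERANCE * ram_bytes:
        return "complete"
    return "kernel"


def classify_dump(size_bytes, ram_bytes, windbg_log=""):
    """Return (dump_type, basis, size_agrees); the banner wins over size."""
    by_size = guess_from_size(size_bytes, ram_bytes)
    for banner, kind in BANNERS.items():
        if banner in windbg_log:
            return kind, "banner", kind == by_size
    return by_size, "size", True


def parse_small_dump_name(filename):
    """Decode miniMMDDYY-NN.dmp into (crash_date, sequence_number)."""
    m = re.fullmatch(r"mini(\d{6})-(\d{2})\.dmp", filename, re.IGNORECASE)
    if not m:
        return None
    try:
        crash_date = datetime.strptime(m.group(1), "%m%d%y").date()
    except ValueError:  # six digits that do not form a real date
        return None
    return crash_date, int(m.group(2))


if __name__ == "__main__":
    # Constructed sample: a 128 KB file whose banner says it is a small dump.
    log = "Mini Kernel Dump File: Only registers and stack trace are available"
    print(classify_dump(128 * 1024, 4 * 1024 ** 3, log))
    print(parse_small_dump_name("mini022900-01.dmp"))
```

When `size_agrees` comes back `False`, the size heuristic and the banner disagree, and the banner is the result to trust.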
