How to read the small memory dump files that Windows creates for debugging (315263)

SUMMARY

This step-by-step article describes how to examine a small memory dump file. You can use this file to determine why your computer has stopped responding.

back to the top

Small memory dump files

A small memory dump file records the smallest set of useful information that may help identify why your computer has stopped unexpectedly. This option requires a paging file of at least 2 megabytes (MB) on the boot volume. On computers that are running Microsoft Windows 2000 or later, Windows create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder.

This dump file type includes the following information:

• The Stop message and its parameters and other data
• A list of loaded drivers
• The processor context (PRCB) for the processor that stopped
• The process information and kernel context (EPROCESS) for the process that stopped
• The process information and kernel context (ETHREAD) for the thread that stopped
• The Kernel-mode call stack for the thread that stopped

The small memory dump file can be useful when hard disk space is limited. However, because of the limited information that is included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.

If a second problem occurs and if Windows creates a second small memory dump file, Windows preserves the previous file. Windows gives each file a distinct, date-encoded file name. For example, Mini022900-01.dmp is the first memory dump file that was generated on February 29, 2000. Windows keeps a list of all the small memory dump files in the %SystemRoot%\Minidump folder.

back to the top

Configure the dump type

To configure startup and recovery options to use the small memory dump file, follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System.
3. Click the Advanced tab, and then click Settings under Startup and Recovery.
4. In the Write debugging information list, click Small memory dump (64k).
   
   To change the folder location for the small memory dump files, type a new path in the Dump File box (or in the Small dump directory box, depending on your version of Windows).

back to the top

Tools to read the small memory dump file

You can load small memory dump files by using the Dump Check Utility (Dumpchk.exe). You can also use Dumpchk.exe to verify that a memory dump file has been created correctly. The Dump Check Utility does not require access to debugging symbols. The Dump Check Utility is included with the Microsoft Windows 2000 Support Tools and the Microsoft Windows XP Support Tools.

For additional information about how to use the Dump Check Utility in Windows 2000 and in Windows NT, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about how to use the Dump Check Utility in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base: Note The Dump Check Utility is not included in the Microsoft Windows Server 2003 Support Tools. To obtain the Dump Check Utility if you are using Microsoft Windows Server 2003, download and install the Debugging Tools for Windows package from the following Microsoft Web site: You can also read small memory dump files by using the WinDbg tool or the KD.exe tool. WinDbg and KD.exe are included with the latest version of the Debugging Tools for Windows package.
This Web page also provides access to the downloadable symbol packages for Windows. To use the resources, create a folder on the disk drive where the downloaded local symbols or the symbol cache for symbol server use will reside. For example, use C:\Symbols. You can use the following symbol path with all the commands that are described in this article: If you download the symbols to a local folder, use the path of that folder as your symbol path.

For more information about the dump file options in Windows, click the following article number to view the article in the Microsoft Knowledge Base: back to the top

Install the debugging tools

To download and install the Windows debugging tools, visit the following Microsoft Web site: Select the Typical installation. By default, the installer installs the debugging tools in the following folder: back to the top

Open the dump file

To open the dump file after the installation is complete, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Change to the Debugging Tools for Windows folder. To do this, type the following at the command prompt, and then press ENTER:

   cd c:\program files\debugging tools for windows

3. To load the dump file into a debugger, type one of the following commands, and then press ENTER:

   windbg -y SymbolPath -i ImagePath -z DumpFilePath

   kd -y SymbolPath -i ImagePath -z DumpFilePath

The following table explains the use of the placeholders that are used in these commands.

Placeholder	Explanation
SymbolPath	Either the local path where the symbol files have been downloaded or the symbol server path, including a cache folder. Because a small memory dump file contains limited information, the actual binary files must be loaded together with the symbols for the dump file to be correctly read.
ImagePath	The path of these files. The files are contained in the I386 folder on the Windows XP CD-ROM. For example, the path may be C:\Windows\I386.
DumpFilePath	The path and file name for the dump file that you are examining.

Sample Commands

You can use the following sample commands to open the dump file. These commands assume the following:

• The contents of the I386 folder on the Windows CD-ROM are copied to the C:\Windows\I386 folder.
• Your dump file is named C:\Windows\Minidump\Minidump.dmp.

Sample 1: Sample 2. If you prefer the graphical version of the debugger instead of the command line version, type the following command instead: back to the top

Examine the dump file

There are several commands that you can use to gather information in the dump file, including the following commands:

• The !analyze -show command displays the Stop error code and its parameters. The Stop error code is also known as the bug check code.
• The !analyze -v command displays verbose output.
• The lm N T command lists the specified loaded modules. The output includes the status and the path of the module.

Note The !drivers extension command displays a list of all drivers that are loaded on the destination computer, together with summary information about their memory use. The !drivers extension is obsolete in Windows XP and later. To display information about loaded drivers and other modules, use the lm command. The lm N T command displays information in a format that is similar to the old !drivers extension.

For help with other commands and for complete command syntax, see the debugging tools Help documentation. The debugging tools Help documentation can be found in the following location: Note If you have symbol-related issues, use the Symchk utility to verify that the correct symbols are loaded correctly. For additional information about using Symchk, click the following article number to view the article in the Microsoft Knowledge Base:

Simplify the commands by using a batch file

After you identify the command that you must have to load memory dumps, you can create a batch file to examine a dump file. For example, create a batch file and name it Dump.bat. Save it in the folder where the debugging tools are installed. Type the following text in the batch file: When you want to examine a dump file, type the following command to pass the dump file path to the batch file: back to the top