Defrag Tools #179 - Manually Generating a Crash Dump

Play Defrag Tools #179 - Manually Generating a Crash Dump
Sign in to queue


In this episode of Defrag Tools, Andrew Richards and Chad Beeder walk through the process of manually creating a full memory dump via the keyboard. This is useful when you want to capture the state of the operating system. For example, to debug a hang.


Forcing a System Crash from the Keyboard 

Registry files (.reg) demonstrated in this episode are on the Defrag Tools OneDrive share (

PCI Express Dump Switch Card (if you need to use the NMI method)

PCIe NMI card


[00:00] Welcome and Intro
[00:57] When would you need to manually force a crash dump?
[02:42] Typically you'll want to get a Complete Memory Dump
[05:57] ...which also requires you to set a large enough page file on the C: drive (RAM size plus some additional)
[08:00] Setting up manual crash dump via CrashOnCtrlScroll (if your keyboard has a ScrollLock key)
[13:20] Discussion of keyboards and keyboard scan codes. The old Peter Norton "pink shirt" book still comes through for this!
Keyboard Scan Codes
[16:55] Once you know the scan code, you can use the Dump1Keys and Dump2Key registry settings to choose your own keyboard combo. Make sure not to use CrashOnCtrlScroll at the same time!
[25:04] The big guns: If a system is hung badly enough that keyboard crash doesn't work, you can try CrashOnNMI. Usually requires special hardware like a PCIe NMI card.
[28:34] Looking at the memory dump we just created. Bugcheck 0xE2: MANUALLY_INITIATED_CRASH



The Discussion

  • User profile image
    Brian Catlin

    Sound is out of sync with the video at about half way through the video

  • User profile image
    Brian Catlin

    NMI is NOT the highest priority interrupt. The x86/x64 interrupt architecture has changed significantly over the last 20 years, and there is no longer an NMI pin on the CPU. According to the Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3a, System Programming Guide, Part 1 (, in chapter 6.9, you'll see that NMI is third in the hierarchy (and below SMI). Clearly, the term "non-maskable" has a different meaning to the current generation of Intel designers.

  • User profile image

    @Brian Catlin: Hmm, I looked through the video again and didn't notice any A/V sync problems.

    Yes, you're right, there are higher interrupt levels than NMI, but NMI is pretty much the highest you can get for purposes of breaking into the debugger or triggering a crash dump.

    Raymond Chen wrote a fun blog post some years back about how you could generate an NMI on any system with ISA slots by using a ball-point pen. Sadly (?) it's not this simple on modern PCs.

  • User profile image

    Thanks guys - FWIW I watched the full episode and didn't spot any lip-sync issues

  • User profile image

    Thanks for the tutorial - Cheers

  • User profile image

    If the user set CrashOnCtrlScroll before, that takes priority over the custom keys.
    If you add the following to the CrashOnLCtrlTildeTilde.reg, it removes the CrashOnCtrlScroll entry, so the .reg works as expected.



  • User profile image
    Bruce Mackenzie

    FYI - You no longer need to setup the NMICrashDump registry parameter as of Windows Server 2012. So out of the box, you can crash a Windows 2012 server without configuring the parameter and rebooting. The same is true for the new PowerShell cmdlet Debug-VM -InjectNonmaskableInterrupt on Windows 2012 R2, you can crash VMs running 2012 or later without configuring the NMICrashDump parameter. Here's the article:

  • User profile image

    @Bruce Mackenzie: Great information. I deal more with client systems, so that had escaped my notice. Thanks!

  • User profile image

    Great show!  On the topic of keyboard scan codes, I stumbled across this document a few years back while trying to make my Caps Lock key behave like the left Windows key.  I use an IBM Model M keyboard that pre-dates the Windows key but wanted Win key functionality and clicky goodness.  The linked doc has a lot of good low level information.

    Here's the reg hack I came up with.  Works like charm.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
    "Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,5c,e0,3a,00,00,00,00,00

Add Your 2 Cents