Defrag Tools #179 - Manually Generating a Crash Dump

Description

In this episode of Defrag Tools, Andrew Richards and Chad Beeder walk through the process of manually creating a full memory dump via the keyboard. This is useful when you want to capture the state of the operating system, for example to debug a hang.

Resources:

Forcing a System Crash from the Keyboard 

Registry files (.reg) demonstrated in this episode are on the Defrag Tools OneDrive share (ManualCrashRegistrySettings.zip)

PCI Express Dump Switch Card (if you need to use the NMI method)

PCIe NMI card

Timeline:

[00:00] Welcome and Intro
[00:57] When would you need to manually force a crash dump?
[02:42] Typically you'll want to get a Complete Memory Dump
[05:57] ...which also requires you to set a large enough page file on the C: drive (RAM size plus some additional)
[08:00] Setting up manual crash dump via CrashOnCtrlScroll (if your keyboard has a ScrollLock key)
[13:20] Discussion of keyboards and keyboard scan codes. The old Peter Norton "pink shirt" book still comes through for this!
Keyboard Scan Codes
[16:55] Once you know the scan code, you can use the Dump1Keys and Dump2Key registry settings to choose your own keyboard combo. Make sure not to use CrashOnCtrlScroll at the same time!
[25:04] The big guns: If a system is hung badly enough that keyboard crash doesn't work, you can try CrashOnNMI. Usually requires special hardware like a PCIe NMI card.
[28:34] Looking at the memory dump we just created. Bugcheck 0xE2: MANUALLY_INITIATED_CRASH
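
An added example (not from the episode or its .reg files): a small Python check for a .reg file that sets a custom Dump1Keys/Dump2Key combo, flagging the CrashOnCtrlScroll overlap the timeline warns about. The `crashdump` subkey and the Dump1Keys bit values follow Microsoft's "Forcing a System Crash from the Keyboard" documentation; the sample file, its values and the function names are constructed here.

```python
import re
# Dump1Keys modifier bits, per Microsoft's "Forcing a System Crash from the Keyboard".
MODIFIERS = {0x01: "Right Shift", 0x02: "Right Ctrl", 0x04: "Right Alt",
             0x10: "Left Shift", 0x20: "Left Ctrl", 0x40: "Left Alt"}
KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
                    r"(i8042prt|kbdhid)\\(Parameters|crashdump)\]$", re.I)
VAL_RE = re.compile(r'"(CrashOnCtrlScroll|Dump1Keys|Dump2Key)"=(-|dword:([0-9a-f]{1,8}))$', re.I)
# Constructed sample: clears CrashOnCtrlScroll for USB (kbdhid) but not for PS/2 (i8042prt).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
"CrashOnCtrlScroll"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\crashdump]
"Dump1Keys"=dword:00000020
"Dump2Key"=dword:0000003d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\crashdump]
"Dump1Keys"=dword:00000020
"Dump2Key"=dword:0000003d
'''

def parse_reg(text):
    """Map (driver, subkey) -> {value name: int, or None for an explicit "=-" delete}."""
    state, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1).lower(), m.group(2).lower()) if m else None
        elif current and (m := VAL_RE.match(line)):
            value = None if m.group(2) == "-" else int(m.group(3), 16)
            state.setdefault(current, {})[m.group(1).lower()] = value
    return state

def modifiers(dump1keys):  # names of the modifier keys selected by a Dump1Keys bitmask
    return [name for bit, name in MODIFIERS.items() if dump1keys & bit]

def lint(text):
    """Findings for a .reg file that sets a custom keyboard crash combo."""
    state, findings = parse_reg(text), []
    for drv in ("i8042prt", "kbdhid"):
        dump = state.get((drv, "crashdump"), {})
        d1, d2 = dump.get("dump1keys"), dump.get("dump2key")
        if d1 is None and d2 is None:
            continue  # this file sets no custom combo for the driver
        if d1 is None or d2 is None or not modifiers(d1):
            findings.append(f"{drv}: need Dump1Keys (a modifier bit) and Dump2Key together")
        scroll = state.get((drv, "parameters"), {}).get("crashonctrlscroll", "absent")
        if scroll == "absent":
            findings.append(f"{drv}: CrashOnCtrlScroll not cleared, an earlier value would win")
        elif scroll:
            findings.append(f"{drv}: CrashOnCtrlScroll enabled alongside Dump1Keys/Dump2Key")
    return findings
```

`lint(SAMPLE)` reports only the i8042prt section, because the kbdhid section removes CrashOnCtrlScroll explicitly with `=-`.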

    The Discussion

    • Brian Catlin

      Sound is out of sync with the video at about halfway through the video.

    • Brian Catlin

      NMI is NOT the highest priority interrupt. The x86/x64 interrupt architecture has changed significantly over the last 20 years, and there is no longer an NMI pin on the CPU. According to the Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3a, System Programming Guide, Part 1 (https://www.intel.com/Assets/en_US/PDF/manual/253668.pdf), in chapter 6.9, you'll see that NMI is third in the hierarchy (and below SMI). Clearly, the term "non-maskable" has a different meaning to the current generation of Intel designers.

    • ChadBeeder

      @Brian Catlin: Hmm, I looked through the video again and didn't notice any A/V sync problems.

      Yes, you're right, there are higher interrupt levels than NMI, but NMI is pretty much the highest you can get for purposes of breaking into the debugger or triggering a crash dump.

      Raymond Chen wrote a fun blog post some years back about how you could generate an NMI on any system with ISA slots by using a ball-point pen. Sadly (?) it's not this simple on modern PCs.

    • ChrisKanemoto

      Thanks guys - FWIW I watched the full episode and didn't spot any lip-sync issues

    • kingkappa

      Thanks for the tutorial - Cheers

    • Niels

      If the user set CrashOnCtrlScroll before, that takes priority over the custom keys.
      If you add the following to the CrashOnLCtrlTildeTilde.reg, it removes the CrashOnCtrlScroll entry, so the .reg works as expected.

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
      "CrashOnCtrlScroll"=-

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
      "CrashOnCtrlScroll"=-

    • Bruce Mackenzie

      FYI - You no longer need to set up the NMICrashDump registry parameter as of Windows Server 2012. So out of the box, you can crash a Windows 2012 server without configuring the parameter and rebooting. The same is true for the new PowerShell cmdlet Debug-VM -InjectNonmaskableInterrupt on Windows 2012 R2; you can crash VMs running 2012 or later without configuring the NMICrashDump parameter. Here's the article:

      https://support.microsoft.com/en-us/help/2750146/nmi-hardware-failure-error-when-an-nmi-is-triggered-on-windows-8-and-windows-server-2012

    • ChadBeeder

      @Bruce Mackenzie: Great information. I deal more with client systems, so that had escaped my notice. Thanks!

    • ScottyKarate

      Great show! On the topic of keyboard scan codes, I stumbled across this document a few years back while trying to make my Caps Lock key behave like the left Windows key. I use an IBM Model M keyboard that pre-dates the Windows key but wanted Win key functionality and clicky goodness. The linked doc has a lot of good low-level information.

      Here's the reg hack I came up with. Works like a charm.

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
      "Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,5c,e0,3a,00,00,00,00,00
