Minidump Files

Bill Bradshaw

I am trying to set up Windows 7 Pro SP1 to record minidumps in the
directory of my choice. All I get are kernel dumps and they are not in
the directory I want them in. I have gone to Crashdumps in the registry
and the directory I want the dumps placed in is listed properly. So it
is giving me dumps, just not minidumps. I have been searching the web
and my registry settings seem to be correct. I am looking for any and
all help. Thanks.
 
Dave-UK

Bill Bradshaw said:
I am trying to set up Windows 7 Pro SP1 to record minidumps in the
directory of my choice. All I get are kernel dumps and they are not in
the directory I want them in. I have gone to Crashdumps in the registry
and the directory I want the dumps placed in is listed properly. So it
is giving me dumps, just not minidumps. I have been searching the web
and my registry settings seem to be correct. I am looking for any and
all help. Thanks.
I haven't got any registry entries called Crashdumps, so I can't
help you there, but what happens when you edit the path here:

Right-click Computer > Properties > Advanced system settings.
Where it says 'Write debugging information' select Small memory dump (128KB)
from the drop-down menu and then edit the path.

When I edit my path as above the new path is listed here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\MiniDumpDir
 
Dave-UK

Dave-UK said:
I haven't got any registry entries called Crashdumps, so I can't
help you there, but what happens when you edit the path here:

Right-click Computer > Properties > Advanced system settings.
Where it says 'Write debugging information' select Small memory dump (128KB)
from the drop-down menu and then edit the path.

When I edit my path as above the new path is listed here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\MiniDumpDir
I forgot a step:
Right-click Computer > Properties > Advanced system settings > Startup and Recovery > Settings.
 
Bill Bradshaw

I have done this many many times.

Here is where the crashdumps end up: (I cannot find any reference to
this subdirectory in the registry.)

C:\Documents and Settings\Bill-Samsung\AppData\Local\CrashDumps (The
file sizes are about 17 megs)

Here are the registry settings:

AutoReboot 1
CrashDumpEnabled 3
DumpFile C:\MiniDump\MEMORY.DMP
DumpFilters dumpfve.sys
LogEvent 1
MinidumpDir C:\MiniDump\
MinidumpsCount 50
Overwrite 1

Is there a registry setting Windows uses to determine if it should do a
minidump or kernel dump? (I am going to see what happens if I change
CrashDumpEnabled from 3 to 2.)

It is really strange that something so simple is not working.

<Bill>
 
Paul

Bill said:
I have done this many many times.

Here is where the crashdumps end up: (I cannot find any reference to
this subdirectory in the registry.)

C:\Documents and Settings\Bill-Samsung\AppData\Local\CrashDumps (The
file sizes are about 17 megs)

Here are the registry settings:

AutoReboot 1
CrashDumpEnabled 3
DumpFile C:\MiniDump\MEMORY.DMP
DumpFilters dumpfve.sys
LogEvent 1
MinidumpDir C:\MiniDump\
MinidumpsCount 50
Overwrite 1

Is there a registry setting Windows uses to determine if it should do a
minidump or kernel dump? (I am going to see what happens if I change
CrashDumpEnabled from 3 to 2.)

It is really strange that something so simple is not working.

<Bill>
This article looks pretty good.

http://support.microsoft.com/kb/254649

Perhaps it's the ownership of the folder that is a problem?

For testing it, there are some ideas here.

http://www.wintellect.com/CS/blogs/...capture-a-minidump-let-me-count-the-ways.aspx

Paul
 
Yousuf Khan

Bill said:
I have done this many many times.

Here is where the crashdumps end up: (I cannot find any reference to
this subdirectory in the registry.)

C:\Documents and Settings\Bill-Samsung\AppData\Local\CrashDumps (The
file sizes are about 17 megs)
I wonder if the folder it actually ends up in is a hard link to the
c:\minidumps folder that you expect it to end up in? Such as an NTFS
hardlink or junction point? Also "c:\documents and settings" is an old
structure name from the XP days, in Windows 7 it should be "c:\users".

NTFS symbolic link - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/NTFS_symbolic_link

Yousuf Khan
 
Bill Bradshaw

I have had to back off on this for a day. The C:\MiniDumps directory was
created by me. I looked at Wikipedia and wonder how you can tell if
this is happening. This is a Samsung laptop and I wonder if it is
running some software that sets the crashdump location in case
diagnostics are required.

<Bill>
 
Yousuf Khan

Bill said:
I have had to back off on this for a day. The C:\MiniDumps directory was
created by me. I looked at Wikipedia and wonder how you can tell if
this is happening. This is a Samsung laptop and I wonder if it is
running some software that sets the crashdump location in case
diagnostics are required.

<Bill>
You might want to try testing this some more by creating your own fake
crashes. It's for XP, but it might work on W7 too.

How To Fake a Blue Screen of Death
http://pcsupport.about.com/od/tipstricks/ht/makebsodxp.htm

Yousuf Khan
 
Bill Bradshaw

The following is from Process Monitor. Anybody see anything that holds
a clue to my issue?

9610 3:12:21.5141264 PM WerFault.exe 6008 Thread Exit SUCCESS Thread
ID: 4036, User Time: 0.0000000, Kernel Time: 0.0000000
9611 3:12:21.5141853 PM WerFault.exe 6008 RegOpenKey
HKLM\Software\Microsoft\SQMClient\Windows\DisabledProcesses SUCCESS
Desired Access: Read
9612 3:12:21.5142152 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6FD5A890
NAME NOT FOUND Length: 24
9613 3:12:21.5142251 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses SUCCESS
9614 3:12:21.5142351 PM WerFault.exe 6008 RegOpenKey
HKLM\Software\Microsoft\SQMClient\Windows\DisabledSessions SUCCESS
Desired Access: Read
9615 3:12:21.5142546 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
SUCCESS Type: REG_QWORD, Length: 8, Data:
9616 3:12:21.5142931 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions SUCCESS
9617 3:12:21.5143026 PM WerFault.exe 6008 RegOpenKey
HKLM\Software\Microsoft\SQMClient\Windows\DisabledSessions SUCCESS
Desired Access: Read
9618 3:12:21.5143166 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
NAME NOT FOUND Length: 24
9619 3:12:21.5143261 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions SUCCESS
9620 3:12:21.5145014 PM WerFault.exe 6008 QueryNameInformationFile
E:\Downloads\PGOffline\pg-offline-4-r263\PG Offline\bin\Release\PG
Offline.exe SUCCESS Name: \Downloads\PGOffline\pg-offline-4-r263\PG
Offline\bin\Release\PG Offline.exe
9621 3:12:21.5145290 PM WerFault.exe 6008 RegOpenKey
HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9622 3:12:21.5145544 PM WerFault.exe 6008 RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9623 3:12:21.5145671 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\Windows\Windows Error
Reporting\LocalDumps\DumpFolder NAME NOT FOUND Length: 144
9624 3:12:21.5145798 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9625 3:12:21.5145888 PM WerFault.exe 6008 RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9626 3:12:21.5146006 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\Windows\Windows Error
Reporting\LocalDumps\DumpCount NAME NOT FOUND Length: 144
9627 3:12:21.5146096 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9628 3:12:21.5146182 PM WerFault.exe 6008 RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9629 3:12:21.5146296 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\Windows\Windows Error
Reporting\LocalDumps\DumpType NAME NOT FOUND Length: 144
9630 3:12:21.5146382 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9631 3:12:21.5146463 PM WerFault.exe 6008 RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9632 3:12:21.5146576 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\Windows\Windows Error
Reporting\LocalDumps\CustomDumpFlags NAME NOT FOUND Length: 144
9633 3:12:21.5146663 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9634 3:12:21.5146749 PM WerFault.exe 6008 RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9635 3:12:21.5146857 PM WerFault.exe 6008 RegQueryValue
HKLM\SOFTWARE\Microsoft\Windows\Windows Error
Reporting\LocalDumps\SuppressOnDebugger NAME NOT FOUND Length: 144
9636 3:12:21.5146943 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9637 3:12:21.5147020 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9638 3:12:21.5147111 PM WerFault.exe 6008 RegOpenKey
HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS Desired Access: Query Value
9639 3:12:21.5147260 PM WerFault.exe 6008 RegOpenKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\PG
Offline.exe NAME NOT FOUND Desired Access: Query Value
9640 3:12:21.5147369 PM WerFault.exe 6008 RegCloseKey
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
SUCCESS
9641 3:12:21.5148809 PM WerFault.exe 6008 CreateFile C:\Users\Bill -
Samsung\AppData\Local\CrashDumps NAME COLLISION Desired Access: Read
Data/List Directory, Synchronize, Disposition: Create, Options:
Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: N,
ShareMode: Read, Write, AllocationSize: 0
9642 3:12:21.5150095 PM WerFault.exe 6008 CreateFile C:\Users\Bill -
Samsung\AppData\Local\CrashDumps SUCCESS Desired Access: Read Data/List
Directory, Synchronize, Disposition: Open, Options: Directory,
Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
Delete, AllocationSize: n/a, OpenResult: Opened
9643 3:12:21.5150390 PM WerFault.exe 6008 QueryDirectory C:\Users\Bill -
Samsung\AppData\Local\CrashDumps\*.dmp SUCCESS Filter: *.dmp, 1: PG
Offline.exe.1480.dmp
9644 3:12:21.5150761 PM WerFault.exe 6008 QueryDirectory C:\Users\Bill -
Samsung\AppData\Local\CrashDumps SUCCESS 0: PG Offline.exe.5192.dmp
9645 3:12:21.5151074 PM WerFault.exe 6008 QueryDirectory C:\Users\Bill -
Samsung\AppData\Local\CrashDumps NO MORE FILES
9646 3:12:21.5151205 PM WerFault.exe 6008 CloseFile C:\Users\Bill -
Samsung\AppData\Local\CrashDumps SUCCESS
9647 3:12:21.5152577 PM WerFault.exe 6008 CreateFile C:\Users\Bill -
Samsung\AppData\Local\CrashDumps\PG Offline.exe.4876.dmp SUCCESS Desired
Access: Write Data/Add File, Read Attributes, Synchronize, Disposition:
Create, Options: Synchronous IO Non-Alert, Non-Directory File,
Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created

<Bill>
 
Paul

Bill said:
The following is from Process Monitor. Anybody see anything that holds
a clue my issue?

9610 3:12:21.5141264 PM WerFault.exe 6008 Thread Exit SUCCESS Thread
ID: 4036, User Time: 0.0000000, Kernel Time: 0.0000000
Create, Options: Synchronous IO Non-Alert, Non-Directory File,
Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created

<Bill>
What would help is knowing how you got there. What did you
use to trigger the analysis of WerFault?

For reference, I checked my WinXP system, and it has files
such as "Mini020609-02.dmp". Using dumpchk on them, they
appear to be system crashes caused by my old PCI sound card.
So they look like a kernel event, rather than a problem with
a program exiting.

On the Windows 7 machine, I tried Task Manager, right clicked
a program in the process list, then selected the option to
create a dump. I tried that on a copy of notepad. The
resulting "notepad.DMP" file was 47MB (hardly "mini")
and when fed into dumpchk.exe, didn't look the same as
my other mini*-.dmp files.

I also wrote a 32 bit program in C and compiled with mingw (as
djgpp has 16 bit code in it), then carried the resulting program
over to the Win7 x64 laptop to test it. When the program was run
from a Command Prompt window, an error dialog popped up, with a
button you could click to list the error message (basically a
segmentation violation, as I made the program try to dereference
a zeroed pointer). The error dialog on the screen, provided a
short register dump, but no .dmp file was created.

(0xC0000005 "access violation" caused by attempting to dereference location 0x0)

http://img854.imageshack.us/img854/2782/crashzero.gif

If I'd used a Sysinternals program like "notmyfault", I could
probably crash the kernel and create a STOP error, and that should
generate a file. But I'm not planning on doing that right yet.
Is that what you're trying to do, catch a kernel/driver fault ?

Paul
 
Bill Bradshaw

A new version of PGOffline (www.PGOffline.com), which is an offline reader
for Yahoo Egroups, is being developed. So I am trying to help them with
debugging of the program. Instead of sending in full dumps I would like to
send in mini dumps. I used the Sysinternals Process Monitor program to get
the list. Since I am running their program I have no idea what will
throw a fault. It might help me if I could figure out where Werfault is
getting the information for the subdirectory it is saving the dump files
in. Unfortunately I cannot figure it out. I have searched the
registry, every file on my computer, etc. to see if I could find a
string containing CrashDumps but so far no luck.

<Bill>
 
Paul

Bill said:
A new version of PGOffline (www.PGOffline.com), which is an offline reader
for Yahoo Egroups, is being developed. So I am trying to help them with
debugging of the program. Instead of sending in full dumps I would like to
send in mini dumps. I used the Sysinternals Process Monitor program to get
the list. Since I am running their program I have no idea what will
throw a fault. It might help me if I could figure out where Werfault is
getting the information for the subdirectory it is saving the dump files
in. Unfortunately I cannot figure it out. I have searched the
registry, every file on my computer, etc. to see if I could find a
string containing CrashDumps but so far no luck.

<Bill>
There is an application here, which can create dumps.
But it doesn't make clear what flavor it creates. Give this a try.
(I haven't tried this yet.)

(Sysinternals ProcDump)
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

-e Write a dump when the process encounters an unhandled
exception. Include "-e 1" to create dump on first chance exceptions.

Paul
 
Paul

Paul said:
There is an application here, which can create dumps.
But it doesn't make clear what flavor it creates. Give this a try.
(I haven't tried this yet.)

(Sysinternals ProcDump)
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

-e Write a dump when the process encounters an unhandled
exception. Include "-e 1" to create dump on first chance exceptions.

Paul
Latest progress.

I tried out the ProcDump program, but what I'm finding is WerFault seems
to intercept the event, and prevents ProcDump from actually dumping
the error with stack traces and so on.

If I do this with ProcDump, it triggers a dump as soon as my test program
begins to run. I actually got a small dump file (about 90KB) placed in
the current working directory. (I used two command prompt windows,
ran ProcDump in -w "Wait" mode, while I ran the crashzero.exe program
in the other command prompt window. The "Wait" option is needed because
otherwise procdump tells you there's nothing to attach to.)

procdump -accepteula -w -n 1 crashzero.exe crashzero.dmp [Useless output file]

Now, if I ask procdump to wait, and wait for the first error it
finds (-e 1), then werfault "lets the air out of its tires" and I get
nothing. The programs are very polite, but no output results.

procdump -accepteula -w -n 1 -e 1 crashzero.exe crashzero.dmp [No output file]

I checked with procmon, and got a similar log to what you were seeing.
A reference to a file that might be used for dumping, and then... nothing.

Next, I tried doing a web search, using the names of the guilty parties, and
found this article (written by the Sysinternals guy).

http://blogs.technet.com/b/markrussinovich/archive/2008/06/02/3065065.aspx

At the bottom of that article, it says:

"If you create a key named

HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

WerFault will always save a dump. Crashes go by default into
%LOCALAPPDATA%\Crashdumps, but you can override that with a
Registry value and also specify a limit on the number of crashes WerFault
will keep."

Found this as well.

http://msdn.microsoft.com/en-us/library/bb787181(VS.85).aspx

And once I set my Win7 registry to look like this, I finally
got a dump out of WerFault. I had to add a key on the left.

http://img88.imageshack.us/img88/8592/regwerfault.gif

I'm not even sure I had to add a DumpType. I think it started
working before that, but I just didn't notice it was dumping files.
I popped the resulting file into dumpchk.exe and it looked
suitably useless to me (at least I could see the 0xC0000005
access error). So it didn't strike me as being as nice looking
as some other dumps I've looked at. But at least the size
of the collected file was small (89KB).

Paul
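The registry lookup Bill's Process Monitor trace shows (the global LocalDumps values, then a LocalDumps\PG Offline.exe subkey) is the per-application override order documented on the MSDN page Paul links. Below is an added example, not code from the thread or from Microsoft, that models that lookup over an in-memory stand-in for the registry and writes a .reg file for either the global key or a per-application override. The defaults it falls back to (DumpFolder %LOCALAPPDATA%\CrashDumps, DumpCount 10, DumpType 1) are taken from that MSDN page; the REGISTRY dict and the sample values are constructed for the example. Note that this key only governs user-mode dumps written by WerFault.exe; the CrashControl values Bill listed earlier (CrashDumpEnabled, MinidumpDir, DumpFile) govern the kernel dump written at a bug check, which is why editing them never moved the WerFault files.

```python
"""Model WerFault's LocalDumps lookup and emit a .reg file for it.

Added example; the REGISTRY dict is a constructed stand-in for the real hive.
Defaults follow the MSDN "Collecting User-Mode Dumps" page.
"""
from typing import Dict, Optional

LOCALDUMPS = r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"

# Values WerFault.exe queries (same names as in the Process Monitor trace),
# with the documented default used when the value is absent.
DEFAULTS = {
    "DumpFolder": r"%LOCALAPPDATA%\CrashDumps",  # REG_EXPAND_SZ
    "DumpCount": 10,                              # REG_DWORD, dumps kept per folder
    "DumpType": 1,                                # REG_DWORD: 0 custom, 1 mini, 2 full
    "CustomDumpFlags": 0,                         # REG_DWORD, honoured only when DumpType == 0
}
DUMP_TYPE_NAMES = {0: "custom", 1: "mini", 2: "full"}

# Constructed registry: key path -> {value name: data}. Only the global key
# exists and it is empty, which is the state Bill's trace shows (every value
# and the per-application subkey came back NAME NOT FOUND).
REGISTRY: Dict[str, Dict[str, object]] = {LOCALDUMPS: {}}


def resolve(image_name: str, value: str, registry=REGISTRY):
    """Effective setting for one crashing executable.

    Order: LocalDumps\\<image name> (per-application override), then the
    global LocalDumps key, then the documented default.
    """
    if value not in DEFAULTS:
        raise KeyError(f"unknown LocalDumps value: {value}")
    for key in (LOCALDUMPS + "\\" + image_name, LOCALDUMPS):
        data = registry.get(key, {}).get(value)
        if data is not None:
            return data
    return DEFAULTS[value]


def effective_settings(image_name: str, registry=REGISTRY) -> Dict[str, object]:
    """All four values as WerFault would see them for this executable."""
    settings = {v: resolve(image_name, v, registry) for v in DEFAULTS}
    dump_type = settings["DumpType"]
    if dump_type not in DUMP_TYPE_NAMES:
        raise ValueError(f"DumpType {dump_type} is not 0, 1 or 2")
    settings["DumpTypeName"] = DUMP_TYPE_NAMES[dump_type]
    return settings


def reg_expand_sz(text: str) -> str:
    """REG_EXPAND_SZ in .reg syntax: hex(2): followed by the UTF-16LE bytes
    plus the two-byte terminator, comma separated."""
    raw = text.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)


def build_reg(folder: str, count: int, dump_type: int,
              image_name: Optional[str] = None) -> str:
    """Text of a .reg file setting DumpFolder/DumpCount/DumpType on the global
    LocalDumps key, or on a per-application subkey when image_name is given."""
    if dump_type not in DUMP_TYPE_NAMES:
        raise ValueError("DumpType must be 0 (custom), 1 (mini) or 2 (full)")
    if not 0 <= count <= 0xFFFFFFFF:
        raise ValueError("DumpCount must fit in a DWORD")
    key = LOCALDUMPS if image_name is None else LOCALDUMPS + "\\" + image_name
    key = key.replace("HKLM", "HKEY_LOCAL_MACHINE", 1)  # .reg files use the long root name
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[" + key + "]",
        '"DumpFolder"=' + reg_expand_sz(folder),
        f'"DumpCount"=dword:{count:08x}',
        f'"DumpType"=dword:{dump_type:08x}',
        "",
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(effective_settings("PG Offline.exe"))
    print(build_reg(r"C:\MiniDump", 50, 1, image_name="PG Offline.exe"))
```

Write the result with `open("localdumps.reg", "w", encoding="utf-16")` (Python's utf-16 codec adds the BOM regedit expects for a version 5.00 file) and import it from an elevated prompt with `reg import localdumps.reg`. Two things to check before relying on it: a fixed DumpFolder such as C:\MiniDump must be writable by every account whose processes you expect to crash, since WerFault writes the file in the crashing user's context, and DumpType 2 writes the process's whole address space, so keep it at 1 unless the developer really needs full memory.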
 
Bill Bradshaw

The MSDN site was a great find. I now have my dump files being placed
where I wanted them. The 17 meg files I was getting are minidump files.
What was confusing me was that when opened in WinDbg there was not much
information shown. But if the file is run in Dumpchk there are all kinds
of information. I did a kernel dump and the resulting file was 273 megs,
so I am definitely not going to be sending one of them in. I may spend
some more time with WinDbg to see if I am doing something wrong. Thanks
for the extraordinary amount of effort on your part.
--
<Bill>

Brought to you from Anchorage, Alaska.
Paul said:
There is an application here, which can create dumps.
But it doesn't make clear what flavor it creates. Give this a try.
(I haven't tried this yet.)

(Sysinternals ProcDump)
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

-e Write a dump when the process encounters an unhandled
exception. Include "-e 1" to create dump on first chance exceptions.

Paul
Latest progress.

I tried out the ProcDump program, but what I'm finding is WerFault seems
to intercept the event, and prevents ProcDump from actually dumping
the error with stack traces and so on.

If I do this with ProcDump, it triggers a dump as soon as my test program
begins to run. I actually got a small dump file (about 90KB) placed in
the current working directory. (I used two command prompt windows,
ran ProcDump in -w "Wait" mode, while I ran the crashzero.exe program
in the other command prompt window. The "Wait" option is needed because
otherwise procdump tells you there's nothing to attach to.)

procdump -accepteula -w -n 1 crashzero.exe crashzero.dmp [Useless output file]

Now, if I ask procdump to wait, and wait for the first error it
finds (-e 1), then werfault "lets the air out of its tires" and I get
nothing. The programs are very polite, but no output results.

procdump -accepteula -w -n 1 -e 1 crashzero.exe crashzero.dmp [No output file]

I checked with procmon, and got a similar log to what you were seeing.
A reference to a file that might be used for dumping, and then... nothing.

Next, I tried doing a web search, using the names of the guilty parties, and
found this article (written by the Sysinternals guy).

http://blogs.technet.com/b/markrussinovich/archive/2008/06/02/3065065.aspx

At the bottom of that article, it says:

"If you create a key named

HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

WerFault will always save a dump. Crashes go by default into
%LOCALAPPDATA%\Crashdumps, but you can override that with a
Registry value and also specify a limit on the number of crashes WerFault
will keep."

Found this as well.

http://msdn.microsoft.com/en-us/library/bb787181(VS.85).aspx

And once I set my Win7 registry to look like this, I finally
got a dump out of WerFault. I had to add a key on the left.

http://img88.imageshack.us/img88/8592/regwerfault.gif

I'm not even sure I had to add a DumpType. I think it started
working before that, but I just didn't notice it was dumping files.
I popped the resulting file into dumpchk.exe and it looked
suitably useless to me (at least I could see the 0xC0000005
access error). So it didn't strike me as being as nice looking
as some other dumps I've looked at. But at least the size
of the collected file was small (89KB).

Paul
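Bill's 17 MB files and Paul's 89 KB file are both in the minidump format: every user-mode dump that WerFault, ProcDump or MiniDumpWriteDump writes starts with a MINIDUMP_HEADER whose Flags field records what was included, and MiniDumpWithFullMemory is the bit that turns a "mini" dump into one the size of the process. The reader below is an added example, not code from the thread, from WinDbg or from Dumpchk; it checks the "MDMP" signature and version, walks the stream directory with bounds checks (a .dmp handed to you is untrusted input), decodes the type flags and pulls the exception code out of the ExceptionStream. Structure layouts follow the public minidumpapiset.h; the sample dump is constructed in build_sample_minidump, not captured from a real crash, and its thread id, code and address are made-up values. A practitioner's check before mailing a dump to a third-party developer: if MiniDumpWithFullMemory is set, the file carries the entire address space of the process, including any passwords, tokens or session cookies it held at the time.

```python
"""Read the MINIDUMP_HEADER and stream directory of a user-mode .dmp.

Added example. Layouts follow minidumpapiset.h; the sample file is constructed.
"""
import struct
import sys
from typing import Dict, List, Optional

MINIDUMP_SIGNATURE = 0x504D444D     # the bytes "MDMP" read little-endian
MINIDUMP_VERSION = 42899            # low 16 bits of the Version field
# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER_FMT = "<IIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes
DIR_FMT = "<III"                    # StreamType, Location.DataSize, Location.Rva
DIR_SIZE = struct.calcsize(DIR_FMT)         # 12 bytes
EXCEPTION_STREAM = 6

STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 8: "ThreadExListStream",
    9: "Memory64ListStream", 12: "HandleDataStream", 14: "UnloadedModuleListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
}
# MINIDUMP_TYPE bits (subset). WithFullMemory makes the file as large as the
# process's committed memory; the rest add or filter particular data.
DUMP_TYPE_FLAGS = {
    0x0001: "MiniDumpWithDataSegs", 0x0002: "MiniDumpWithFullMemory",
    0x0004: "MiniDumpWithHandleData", 0x0008: "MiniDumpFilterMemory",
    0x0010: "MiniDumpScanMemory", 0x0020: "MiniDumpWithUnloadedModules",
    0x0040: "MiniDumpWithIndirectlyReferencedMemory", 0x0080: "MiniDumpFilterModulePaths",
    0x0100: "MiniDumpWithProcessThreadData", 0x0200: "MiniDumpWithPrivateReadWriteMemory",
    0x0400: "MiniDumpWithoutOptionalData", 0x0800: "MiniDumpWithFullMemoryInfo",
    0x1000: "MiniDumpWithThreadInfo", 0x2000: "MiniDumpWithCodeSegs",
}


def parse_minidump(data: bytes) -> Dict:
    """Validate the header and return version, flags and the stream directory."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, ver, nstreams, dir_rva, _csum, tstamp, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"not a minidump: signature {sig:#010x}")
    if ver & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version {ver & 0xFFFF}")
    # Every RVA and size comes from the file itself, so bounds-check before use.
    if dir_rva < HEADER_SIZE or dir_rva + nstreams * DIR_SIZE > len(data):
        raise ValueError("stream directory lies outside the file")
    streams: List[Dict] = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + i * DIR_SIZE)
        if rva + size > len(data):
            raise ValueError(f"stream {i} (type {stype}) runs past end of file")
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, f"Unknown({stype})"),
                        "size": size, "rva": rva})
    return {"version": ver & 0xFFFF, "timestamp": tstamp, "flags": flags,
            "flag_names": [n for bit, n in DUMP_TYPE_FLAGS.items() if flags & bit],
            "full_memory": bool(flags & 0x0002), "streams": streams}


def exception_info(data: bytes, info: Dict) -> Optional[Dict]:
    """Thread id, NTSTATUS code and faulting address from the ExceptionStream, or
    None when the dump was not taken at an exception (e.g. ProcDump -w -n 1)."""
    for s in info["streams"]:
        if s["type"] == EXCEPTION_STREAM:
            if s["size"] < 32:
                raise ValueError("ExceptionStream truncated")
            # MINIDUMP_EXCEPTION_STREAM: ThreadId, alignment, then MINIDUMP_EXCEPTION
            # (ExceptionCode, ExceptionFlags, ExceptionRecord, ExceptionAddress, ...)
            tid, _pad, code, _eflags, _rec, addr = struct.unpack_from("<IIIIQQ", data, s["rva"])
            return {"thread_id": tid, "code": code, "address": addr}
    return None


def build_sample_minidump(flags: int, code: int = 0xC0000005, address: int = 0,
                          thread_id: int = 0x1234) -> bytes:
    """Constructed two-stream dump (zeroed SystemInfoStream + ExceptionStream),
    laid out header | directory | streams. Values are made up for the example."""
    sysinfo = bytes(56)                                      # sizeof(MINIDUMP_SYSTEM_INFO)
    exc = (struct.pack("<IIIIQQII", thread_id, 0, code, 0, 0, address, 0, 0)
           + bytes(15 * 8)                                   # ExceptionInformation[15]
           + struct.pack("<II", 0, 0))                       # ThreadContext location (empty)
    dir_rva = HEADER_SIZE
    sys_rva = dir_rva + 2 * DIR_SIZE
    exc_rva = sys_rva + len(sysinfo)
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 2,
                         dir_rva, 0, 0x4F5E2C10, flags)
    directory = (struct.pack(DIR_FMT, 7, len(sysinfo), sys_rva)
                 + struct.pack(DIR_FMT, EXCEPTION_STREAM, len(exc), exc_rva))
    return header + directory + sysinfo + exc


def describe(data: bytes) -> str:
    """One-screen summary: kind, flags, streams and the faulting exception if any."""
    info = parse_minidump(data)
    kind = "full-memory minidump" if info["full_memory"] else "minidump"
    out = [f"{kind}, {len(data)} bytes, flags {info['flags']:#x}: " + ", ".join(info["flag_names"])]
    out += [f"  {s['name']:<26} {s['size']:>8} bytes at {s['rva']:#x}" for s in info["streams"]]
    exc = exception_info(data, info)
    if exc:
        out.append(f"  exception {exc['code']:#010x} at {exc['address']:#x} in thread {exc['thread_id']}")
    return "\n".join(out)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_minidump(0x2 | 0x4)
    print(describe(blob))
```

Run it as `python minidump_info.py "PG Offline.exe.4876.dmp"` against a real file from %LOCALAPPDATA%\CrashDumps; with no argument it describes the constructed sample. A file that fails the signature check is not a minidump at all (a kernel MEMORY.DMP starts with "PAGEDUMP"/"PAGEDU64", not "MDMP"), and a minidump with MiniDumpWithFullMemory set is the kind to scrub or withhold rather than forward.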
 
Yousuf Khan

Bill said:
A new version of PGOffline (www.PGOffline.com), which is an offline reader
for Yahoo Egroups, is being developed. So I am trying to help them with
debugging of the program. Instead of sending in full dumps I would like to
send in mini dumps. I used the Sysinternals Process Monitor program to get
the list. Since I am running their program I have no idea what will
throw a fault. It might help me if I could figure out where Werfault is
getting the information for the subdirectory it is saving the dump files
in. Unfortunately I cannot figure it out. I have searched the
registry, every file on my computer, etc. to see if I could find a
string containing CrashDumps but so far no luck.
Oh, I think we must've been under a misunderstanding all of this time:
you're looking for an application dump from Windows, not a core dump,
which is when the whole operating system crashes.

According to this, WER is always involved in collecting the application
crash dumps; you can only collect the dumps from WER's repository and
send them to the developers using programs from Microsoft's Visual
Studio to send copies of the WER files.

Crash Dump Analysis
http://msdn.microsoft.com/en-us/library/windows/desktop/ee416349(v=vs.85).aspx

But with Windows Vista & 7, you can redirect the location of the
application crash files by making the changes in the registry described
here:

Collecting User-Mode Dumps
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx

Yousuf Khan
 
