Windows Kernel Debugging: Crash dump

Crash dump Bsod

What to do if you see the Blue Screen of Death again? Microsoft’s statistics indicate that at least 70% of blue screen instances are caused by incorrect driver implementation. Unfortunately, the flawless implementation of the operating system kernel module is a difficult and responsible task. If you have ever wanted to look under the hood of the Windows operating system, identify a problematic driver or are looking for a rootkit hiding in kernel space, I invite you to read the article.

1. Introduction

In the Windows operating system there is an implementation of the mechanism that dumps memory into file. The article presents specific properties of individual types of memory dump files. In addition, ways of configuring the mechanism for performing memory dumps and triggering the operation of this mechanism are indicated. The last part presents an example that guides an user of the Windows operating system through the steps of basic analysis of a memory dump. As a result of the analysis, the operating system module was identified and the path to the executable file from which the module is loaded was revealed.

2. Memory dump file

Memory dump file (aka crash dump) is a snapshot of the operating system state at the time this dump was taken. Contains saved processor context and content of physical memory.

The types of memory dumps include:

3. Managing memory dump creation

The Windows administrator has the right to manage the mechanism responsible for creating memory dumps. He can use his permissions in several ways, the most convenient methods are:

Crash dump Registry config

4. Performing a memory dump

4.1 Dump initiated manually

The memory dump takes place as a result of entering a key combination [Key 1] + [Key 2] + [Key 2]

To configure this method of performing a memory dump:

  1. Run Device Manager or the command devmgmt.msc

  2. Find the keyboard you are using and launch the Properties window.

  3. Then, in the Driver tab, select Driver Details

Crash dump Devmgmt Properties

  1. In the Driver File Details window, read the name of the keyboard driver, e.g. i8042prt

Crash dump Driver File Details

  1. Run the Registry Editor or the command regedit

  2. Create a key




  1. Add three 32-bit DWORD values to the key you created:
CrashOnCtrlScroll   : 0x00
Dump1Keys           : 0x20
Dump2Key            : 0x21

Crash dump Keyboard registry config

  1. Restart the machine

After pressing the key combination Left Ctrl + d + d the BSOD will be displayed with the stop code MANUALLY_INITIATED_CRASH and a memory dump will be performed.

4.2 Dump initiated manually by the debugger

The memory dump is performed as a result of entering the debugger command


4.3 Dump initiated by error enforcement

The memory dump is performed as a result of the intended execution of the program leading to an error in the operating system.

To force an error and perform a memory dump:

  1. Run the program Not My Fault included in the Sysinternals package.

  2. In the Crash tab, select the reason for the error.

  3. Select the Crash button. After a while, the BSOD will be displayed with the associated stop code (e.g. ATTEMPTED_WRITE_TO_READONLY_MEMORY) and a memory dump will be made.

Crash dump Not My Fault

4.4 Dump initiated by error

Memory dump is performed without user intervention when Windows stops working correctly.

5. Basic crash dump analysis

To perform a basic (initial) crash dump analysis:

  1. Launch:

a) WinDBG located at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe

b) or the cdb.exe command line tool:

C:\> "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -Z [DMP_FILE]


C:\> "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -z Z:\Mem\MEMORY.DMP
  1. Select ‘Open Crash Dump’ from File menu.

windbg file open crash dump

  1. Select the file containing the crash dump and select the ‘Open’ button.

  2. After loading the file by WinDbg or cdb.exe you should see the log:

windbg file loaded

The log of loading the file contains information about:

  1. Run the command:
!analyze -v

After executing the command, information about the type of error that occurred and a hint on how to analyze it will be printed.

windbg analyze 001

Below it will be the call stack that led to the dump, and directly indicate the module where the error occurred.

windbg analyze 002

From the sample logs it is known that the myfault module is a problem.

  1. More information about the myfault module can be obtained by entering the command:
lmvm myfault

windbg analyze 002

As a result of the command, a number of basic properties of the myfault module were obtained. One of them is the path to the executable file C:\WINDOWS\system32\drivers\myfault.sys. In this way, a specific Portable Executable file was identified, which when launched causes an unrecoverable error in the OS.

6. Summary

The methods and tools for analyzing memory dump presented in the article allow you to perform basic analysis to identify the OS module responsible for the occurrence of an unrecoverable error in this system. Presented ways to configure the operating system components allow you to enter your own settings for creating and managing memory dumps.