Reading Windows® Internals, Sixth Edition, Part 2 in full

To limit the amount of disk space that is taken up by crash dumps, Windows needs to determine whether it should maintain a copy of the last kernel or complete dump. After reporting the kernel fault (described later), Windows uses the following algorithm to decide if it should keep the Memory.dmp file. If the system is a server, Windows will always store the dump file. On a Windows client system, only domain-joined machines will store a crash dump by default. For a non-domain-joined machine, Windows will maintain a copy of the crash dump only if there is more than 25 GB of free disk space on the destination volume—that is, the volume where the system is configured to write the Memory.dmp file. If the system, due to disk space constraints, is unable to keep a copy of the crash dump file, an event is written to the System event log indicating that the dump file was deleted, as shown in Figure 14-5. This behavior can be overridden by creating the DWORD registry value HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\AlwaysKeepMemoryDump and setting it to 1, in which case Windows will always keep a crash dump, regardless of the amount of free disk space.
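The retention rule above can be applied to a live machine to predict whether the next Memory.dmp will survive. The following PowerShell script is an added example, not from the book: it reads the CrashControl key, determines the product type and domain membership through CIM, measures free space on the volume that holds the configured DumpFile, and evaluates the decision in the same order the text gives (override, server, domain-joined client, 25 GB threshold). The mapping of Win32_OperatingSystem.ProductType (1 = workstation, 2 = domain controller, 3 = server) and the default DumpFile location of %SystemRoot%\MEMORY.DMP are assumptions from general Windows knowledge rather than statements on this page.

```powershell
# Added example: predict whether Windows will keep Memory.dmp under the rule
# described above (server -> keep; domain-joined client -> keep; other client ->
# keep only if the destination volume has more than 25 GB free; the
# AlwaysKeepMemoryDump DWORD set to 1 overrides everything).

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc = Get-ItemProperty -Path $crashControl

# DumpFile is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded.
# The default location is an assumption (the page does not state it).
$dumpPath = if ($cc.DumpFile) { $cc.DumpFile } else { Join-Path $env:SystemRoot 'MEMORY.DMP' }
$volume   = [System.IO.Path]::GetPathRoot($dumpPath)      # e.g. C:\
$free     = (Get-PSDrive -Name $volume.Substring(0, 1)).Free

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$isServer     = $os.ProductType -ne 1      # 1 = workstation, 2 = DC, 3 = server (assumed mapping)
$domainJoined = [bool]$cs.PartOfDomain
$alwaysKeep   = ($cc.AlwaysKeepMemoryDump -eq 1)
$threshold    = 25GB

$decision =
    if ($alwaysKeep)              { 'kept (AlwaysKeepMemoryDump = 1)' }
    elseif ($isServer)            { 'kept (server system)' }
    elseif ($domainJoined)        { 'kept (domain-joined client)' }
    elseif ($free -gt $threshold) { 'kept (more than 25 GB free on destination volume)' }
    else                          { 'deleted after fault reporting (25 GB or less free); check the System event log' }

[pscustomobject]@{
    DumpFile       = $dumpPath
    Volume         = $volume
    FreeSpaceGB    = [math]::Round($free / 1GB, 1)
    ProductType    = $os.ProductType
    DomainJoined   = $domainJoined
    AlwaysKeepDump = $alwaysKeep
    Expected       = $decision
}

# To force retention regardless of free space (the override the text describes),
# create the DWORD value from an elevated prompt:
#   New-ItemProperty -Path $crashControl -Name AlwaysKeepMemoryDump -PropertyType DWord -Value 1 -Force
```

Run it from an elevated prompt so the registry values and CIM classes are readable; the final line is commented out because it changes system configuration and should be applied deliberately.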

Figure 14-5. Dump file deletion event log entry

EXPERIMENT: Viewing Dump File Information

Each crash dump file contains a dump header that describes the stop code and its parameters, the type of system the crash occurred on (including version information), and a list of pointers to important kernel-mode structures required during analysis. The dump header also contains the type of crash dump that was written and any information specific to that type of dump. The .dumpdebug debugger command can be used to display the dump header of a crash dump file. For example, the following output is from a crash of a system that was configured for a kernel (or summary) dump:

0: kd> .dumpdebug
----- 64 bit Kernel Summary Dump Analysis

DUMP_HEADER64:
MajorVersion        0000000f
MinorVersion        00001db1
KdSecondaryVersion  00000000
DirectoryTableBase  00000001`ad6a2000
PfnDataBase         fffffa80`00000000
PsLoadedModuleList  fffff800`02a47670
PsActiveProcessHead fffff800`02a29350
MachineImageType    00008664
NumberProcessors    00000002
BugCheckCode        000000d1
BugCheckParameter1  fffff8a0`027475c0
BugCheckParameter2  00000000`00000002
BugCheckParameter3  00000000`00000000
BugCheckParameter4  fffff880`0343a361
KdDebuggerDataBlock fffff800`029f30a0
SecondaryDataState  00000000
ProductType         00000001
SuiteMask           00000110

SUMMARY_DUMP64:
DumpOptions         504d4453
HeaderSize          00049000
BitmapSize          00230000
Pages               000151f0
Bitmap.SizeOfBitMap 00230000

KiProcessorBlock at fffff800`02ab1c40
2 KiProcessorBlock entries:
fffff800`029f4e80 fffff880`009ec180

The .enumtag command displays all secondary dump data stored within a crash dump. For each callback of secondary data, the tag, the length of the data, and the data itself (in byte and ASCII format) are displayed. Developers can utilize Debugger Extension APIs to create custom debugger extensions to also read secondary dump data. (See the Debugging Tools for Windows help file for more information.)

0: kd> .enumtag
{270A33FD-3DA6-460D-BA893C1BAE21E39B} - 0xfc8 bytes
09 00 00 00 00 00 00 00 48 00 00 00 13 00 00 00 ........H.......
48 08 00 00 14 00 00 00 C8 0F 00 00 15 00 00 00 H...............
C8 0F 00 00 17 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 EF B2 01 00 00 00 00 00 ................
...

Crash Dump Generation

When the system boots, it checks the crash dump options configured by reading the HKLM\SYSTEM\CurrentControlSet\Control\CrashControl registry key. If a dump is configured, it makes a copy of the disk miniport driver used to write to the volume in memory and gives it the same name as the miniport with the word “dump_” prefixed. The system also queries the DumpFilters value for any filter drivers that are required for writing to the volume, an example being Dumpfve.sys, the BitLocker Drive Encryption Crashdump Filter driver. (See Chapter 9, for more details on BitLocker Drive Encryption.) It also collects information related to the components involved with writing a crash dump—including the name of the disk miniport driver, the I/O manager structures that are necessary to write the dump, and the map of where the paging file is on disk—and saves two copies of the data in dump-context structures.
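To see what the kernel will find under CrashControl at the next boot, the following PowerShell script is an added example (not the book's code): it prints the dump type, the destination file and the DumpFilters list, and checks that each registered filter driver actually exists under %SystemRoot%\System32\drivers, since a missing filter driver means the dump cannot be written. The meaning of the CrashDumpEnabled values (0 none, 1 complete, 2 kernel, 3 small; 7 automatic on Windows 8 and later) and the driver directory are assumptions from general Windows knowledge, not statements on this page.

```powershell
# Added example: inspect the crash dump configuration the kernel reads at boot
# and verify the filter drivers named in DumpFilters are present on disk.

$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Assumed meaning of CrashDumpEnabled (value 7 exists only on Windows 8 and later).
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$type = [int]$cc.CrashDumpEnabled
"CrashDumpEnabled : $type ($($dumpTypes[$type]))"
"DumpFile         : $($cc.DumpFile)"

# DumpFilters is REG_MULTI_SZ and is simply absent when no filter driver is registered;
# the Where-Object drops the $null that an absent property would otherwise produce.
$filters = @($cc.DumpFilters | Where-Object { $_ })
if ($filters.Count -eq 0) { 'DumpFilters      : (none registered)' }

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'   # assumed location of filter binaries
foreach ($f in $filters) {
    $path  = Join-Path $driverDir $f
    $state = if (Test-Path -Path $path) { 'present' } else { 'MISSING - dump write would fail' }
    "DumpFilter       : $f -> $state ($path)"
}

# Dumpfve.sys (the BitLocker crashdump filter named in the text) is only required when the
# destination volume is BitLocker-protected; its protection state can be confirmed with:
#   manage-bde -status <drive letter of the DumpFile volume>
```

The last command is left as a comment because it only adds information when BitLocker is in use on the destination volume; the filter check above is the part worth running on every system whose dump configuration you rely on.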
