Wednesday 27 February 2019

windows 7 - Should I use a "Small Memory Dump" or "Kernel Memory Dump?"


I use Memory Dumps to analyse BSODs and other crashes, and generally keep my PC set to the standard "Small Memory Dump" setting, as shown below.


enter image description here


However, there is another setting, "Kernel memory dump", avaliable as well. What's the difference between the two types of dumps, and which one is better for crash analysis?



Answer




There are basically three types of kernel-mode dump files:



Windows 8 introduced a fourth type: Automatic Memory Dump.


The main difference between them is the size: smaller dump files will get written quickly to disk and take less space; larger dump files will contain more debugging information which might be useful.


Another difference is the location and the overwriting behavior. Complete/kernel dumps are written to C:\Windows\Memory.dmp by default, overwriting the previous file (if any). Small dumps are stored in the C:\Windows\Minidump folder, and since each dump is given a different name, previous ones are preserved.


From my limited experience, I can say small dumps alone usually have enough data to diagnose basic issues. Either way, you should disable the automatic restart option. This way you can actually see the bug check technical details in case the system fails to create a memory dump.


Complete memory dump



This file includes all of the physical memory that is used by Windows. A complete memory dump does not, by default, include physical memory that is used by the platform firmware.


This dump file requires a pagefile on your boot drive that is at least as large as your main system memory; it should be able to hold a file whose size equals your entire RAM plus one megabyte.


Source: Complete Memory Dump



Kernel memory dump



This kind of dump file is significantly smaller than the Complete Memory Dump. Typically, the dump file will be around one-third the size of the physical memory on the system. Of course, this quantity will vary considerably, depending on your circumstances.


For most purposes, this crash dump is the most useful. It is significantly smaller than the Complete Memory Dump, but it only omits those portions of memory that are unlikely to have been involved in the crash.


Source: Kernel memory dump



Small memory dump



This kind of dump file can be useful when space is greatly limited. However, due to the limited amount of information included, errors that were not directly caused by the thread executing at time of crash may not be discovered by an analysis of this file.


Source: Small memory dump





-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...