3

If I understand correctly, when a bug-check happens, the KeBugCheckEx function saves the contents of physical memory pages in a swap-file and then the actual .dmp file is created only when the system boots back up.

Which NT function is used to save the .dmp file during the boot? And is it in ntoskrnl or in crashdmp.sys?

I also wonder if the same function is responsible for creating different types of crash dump files, i.e. full dump, kernel dump, small dump, live kernel dump?

1 Answer 1

4

The minidumps are generated in ntoskrnl.exe by IoWriteCrashDump, called from KeBugCheck2.

  • Thanks. I wonder if the format of that minidump file was reversed by anyone before? Commented Sep 8, 2024 at 21:02
  • @c00000fd absolutely, the structures are for the most part also documented. This may be of relevance for your question/comment. Commented Sep 11, 2024 at 11:02
  • @joxeankoret are you certain that this already creates all the actual dump structures? To the best of my knowledge the dump is written upon next reboot as outlined in the question. But I admittedly never booted a Windows machine into Linux (or so) between a bug check and the reboot. So I don't know. Commented Sep 11, 2024 at 11:04
  • This answer is wrong. The actual .dmp file is created in user mode after a reboot by the smss.exe process as a part of initializing the page file. smss!SmpCheckForCrashDump has something to do with it. I need to check it further. Commented Oct 9, 2024 at 12:04
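As an added example (not code from the answer or any of the commenters): a parser for the 0x2000-byte header that 64-bit kernel crash dumps (full, kernel and automatic dumps) begin with, where the bug check code, its parameters and the DumpType field that distinguishes the dump flavours the question asks about are recorded. The field offsets follow the publicly documented `DUMP_HEADER64` layout used by memory-forensics tools and the DumpType names follow the public debugger enumeration; both are assumptions here, and the sample header is constructed in the block.

```python
import struct

# Offsets inside the 64-bit kernel dump header ("PAGEDU64" signature).
# Assumed from the publicly documented DUMP_HEADER64 layout; the 32-bit
# "PAGEDUMP" header differs and is not handled here.
_HDR = {
    "Signature": (0x00, "<4s"),
    "ValidDump": (0x04, "<4s"),
    "MajorVersion": (0x08, "<I"),
    "MinorVersion": (0x0C, "<I"),
    "DirectoryTableBase": (0x10, "<Q"),
    "MachineImageType": (0x30, "<I"),
    "NumberOfProcessors": (0x34, "<I"),
    "BugCheckCode": (0x38, "<I"),
    "BugCheckParameters": (0x40, "<4Q"),
    "DumpType": (0xF98, "<I"),
}
HEADER_SIZE = 0x2000

# DumpType values as listed in public debugger headers (assumed mapping).
DUMP_TYPES = {1: "full", 2: "kernel (summary)", 4: "triage (small)",
              5: "bitmap full", 6: "bitmap kernel", 7: "automatic"}


def parse_dump_header(data: bytes) -> dict:
    """Decode the fixed header of a 64-bit kernel crash dump."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 0x2000-byte dump header")
    if data[0:8] != b"PAGEDU64":
        # User-mode minidumps start with "MDMP" and use a different format.
        raise ValueError("not a 64-bit kernel crash dump (expected PAGEDU64)")
    out = {}
    for name, (off, fmt) in _HDR.items():
        val = struct.unpack_from(fmt, data, off)
        out[name] = val if len(val) > 1 else val[0]
    out["DumpTypeName"] = DUMP_TYPES.get(out["DumpType"], "unknown")
    return out


def build_sample_header() -> bytes:
    """Constructed sample: a kernel summary dump after bug check 0xA."""
    buf = bytearray(HEADER_SIZE)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<II", buf, 0x08, 15, 19041)      # Major/MinorVersion
    struct.pack_into("<Q", buf, 0x10, 0x1AD000)         # DirectoryTableBase
    struct.pack_into("<II", buf, 0x30, 0x8664, 4)       # AMD64, 4 processors
    struct.pack_into("<I", buf, 0x38, 0xA)              # IRQL_NOT_LESS_OR_EQUAL
    struct.pack_into("<4Q", buf, 0x40, 0x10, 2, 1, 0xFFFFF80012345678)
    struct.pack_into("<I", buf, 0xF98, 2)               # DumpType = kernel
    return bytes(buf)
```

Run `parse_dump_header(open(path, "rb").read(HEADER_SIZE))` on a real MEMORY.DMP to see which dump type the system actually produced.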
