How to configure a computer to capture a complete memory dump

  • Article ID: 111474
  • Updated: 15 May 2013

This article explains how to set up your computer so that a 'Complete memory dump' file is created if the computer crashes.  It also provides advice on compressing the file for submission to Sophos Technical Support and on generating a checksum of the file.

A complete memory dump is one of three possible computer memory dumps.  For more information on types of memory dumps see the Technical Information section at the bottom of this article.

Important:

Known to apply to the following Sophos product(s) and version(s)

Not product specific

What To Do

The instructions below explain the basic steps for enabling a complete memory dump on a Windows 7 computer.  The instructions are similar for other Windows operating systems.

Note: If you are attempting to generate a complete memory dump on a computer running a server operating system, read the following Microsoft article before continuing: How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2.

Configuring a computer for a 'Complete memory dump'

  1. Open the computer's System Properties dialog (Start | Run | Type: sysdm.cpl | Press return).


  2. Select the 'Advanced' tab.


  3. Under the section 'Startup and Recovery' select the 'Settings...' button.


  4. Under the section 'System failure' | 'Write debugging information' from the drop down menu select 'Complete memory dump' (if the option is missing see the section How do I enable the 'Complete memory dump' option? below).


  5. Click 'OK' to confirm the change.

  6. You must restart the computer for the change to take effect.

The computer will now write the entire contents of the computer's RAM to a dump file if a system crash occurs.

How do I enable the 'Complete memory dump' option?

If the 'Complete memory dump' option is missing from the drop down menu follow the steps below to enable it.

Warning: The steps below involve editing the Windows registry. Read the registry warning in article 10388 if you are unfamiliar with the registry editor and/or do not have a recent backup.

  1. Open the registry editor (Start | Run | Type: regedit.exe | Press return).
  2. Expand the left-hand tree and select the following key:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
  3. In the right-hand panel, double-click the data value CrashDumpEnabled to edit it.
  4. Change the value to '1'.
    For more information on the CrashDumpEnabled data value see Microsoft TechNet: CrashDumpEnabled.
  5. Click 'OK'.
  6. Restart the computer.

The 'Complete memory dump' option is now enabled and can be selected from the System Properties menu as described in the section Configuring a computer for a 'Complete memory dump' above.
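
The same setting can be checked and applied from PowerShell, which is useful when several computers need to be configured. This is an added example, not part of the original Sophos article; it assumes PowerShell 3.0 or later in an elevated session, and the variable and function names are illustrative.

```powershell
# Added example, not Sophos code. Assumes an elevated PowerShell 3.0+ session.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values as documented by Microsoft.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'
}

function Get-DumpTypeName {
    param([int]$Value)
    if ($dumpTypes.ContainsKey($Value)) { $dumpTypes[$Value] } else { "Unknown ($Value)" }
}

# Writing under HKEY_LOCAL_MACHINE requires administrator rights.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

$current = (Get-ItemProperty -Path $key -Name CrashDumpEnabled -ErrorAction Stop).CrashDumpEnabled
Write-Output "Current setting: $(Get-DumpTypeName $current)"

if ($current -ne 1) {
    # Equivalent to step 4 of the registry procedure: set CrashDumpEnabled to 1.
    Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 1 -Type DWord
    $current = (Get-ItemProperty -Path $key -Name CrashDumpEnabled).CrashDumpEnabled
    Write-Output "New setting: $(Get-DumpTypeName $current). Restart the computer to apply it."
}

# A complete dump holds the entire contents of RAM, so compare installed RAM
# with the free space on the volume that will receive the dump file.
$dumpFile = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $key -Name DumpFile).DumpFile)
$drive     = Split-Path -Path $dumpFile -Qualifier
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$freeBytes = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace

Write-Output ("Dump file: {0}" -f $dumpFile)
Write-Output ("Installed RAM: {0:N1} GB, free on {1} {2:N1} GB" -f ($ramBytes / 1GB), $drive, ($freeBytes / 1GB))
if ($freeBytes -lt $ramBytes) {
    Write-Warning "Free space on $drive is smaller than installed RAM; the dump may not be written in full."
}
```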

Compress the file for upload

A complete memory dump can generate a large file and therefore it is recommended that the file is compressed (e.g., 'zipped up') before transferring from the source computer and/or submitting to Sophos Technical Support.

If you require further information and instructions for compressing the dump file see article 117369.

Checksum the file

As uploading and downloading large files can result in data corruption, we recommend that, once the file is compressed, you checksum the file and forward the checksum value to us with the file.

If you provide us with the checksum of the file we can immediately determine if the file we are analyzing is the same as the original file on your computer's hard drive.  For more information on generating a checksum for a file see article 27373.


Technical Information

There are three types of 'memory dump' that a computer can produce:

  • Small memory dump: Smallest file size. Limited information included. Errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.
  • Kernel memory dump: This dump file does not include unallocated memory or any memory that is allocated to installed applications. It includes only memory that is allocated to the kernel and hardware abstraction layer. If a problem occurs with an application (and not the operating system itself) this type of dump is not useful.
  • Complete memory dump: A complete memory dump records all the contents of system memory when your computer stops unexpectedly. The dump file includes the memory of all programs (and applications) running on your computer. This type of memory dump can allow a full analysis of what caused a computer crash.

 
If you need more information or guidance, then please contact technical support.
