Microsoft KB Archive/235496

= How to Enable a Memory.dmp File Capture Using the Graphical User Interface or the Registry =

Article ID: 235496

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 3.5
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



This article was previously published under Q235496



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article describes how to enable a Memory.dmp file capture using the graphical user interface (GUI) of Windows NT or by making changes to the registry.



MORE INFORMATION
To enable Windows NT to capture a Memory.dmp file, you must be able to gain access to the GUI or the registry file. Use the appropriate method to enable Windows NT to capture a Memory.dmp file.

Method 1: Enabling a Memory.dmp File Capture Using the GUI
 Click Start, point to Settings, click Control Panel, and then double-click System. On the Startup/Shutdown tab in the Recovery section, you can choose from the following options:  Write an event to the system log

This option is enabled by default in Windows NT Server 4.0 Service Pack 4 or later. If the computer stops responding, an event is written to the system log, which you can view using Event Viewer. For example:

Event ID: 1001

Source: Save Dump

Description: The computer has rebooted from a bugcheck. The bugcheck was: 0xc000021a (0xe1270188, 0x00000001, 0x00000000, 0x00000000). Microsoft Windows NT (v15.1381). A dump was saved in: C:\Winnt\Memory.dmp.

 Send an administrative alert

This option performs a net send command and sends an alert over the network to the administrator. Write debugging information to

This option enables the capture of a dump file. It also specifies the location to store the dump file (the default location is the %SystemRoot%\Memory.dmp folder).

Note: Although you can redirect the Memory.dmp file to another drive or partition, you must have enough space on the selected partition. When a save dump operation is performed, the contents of kernel mode address space are temporarily stored in the page file on the system partition and are then moved to the alternate location when the computer is restarted. For Windows NT to write a memory dump, the paging file on the system drive must be large enough to hold all of physical RAM plus 1 megabyte (MB). Overwrite an existing file

If you choose this option, a new Memory.dmp file overwrites a previous Memory.dmp file (which conserves disk space).</li> Automatically reboot

If you choose this option, the computer is restarted after a bugcheck occurs.</li></ul> </li></ol>

Method 2: Enabling a Memory.dmp File Capture Using the Registry
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You may encounter situations when you cannot gain access to the GUI of Windows NT. Use the appropriate method to capture a Memory.dmp file using the registry.

For Computers Using the FAT File System
<ol> Boot from an MS-DOS disk.</li> Locate the %SystemRoot%\System32\Config folder (%SystemRoot% is the name of the folder in which you installed Windows NT).</li> Locate the System file (without any extension) and copy it to a disk.</li> Insert the disk into the drive of another Windows NT-based computer, and then start Registry Editor.</li> Ensure the HKEY_LOCAL_MACHINE hive is selected.</li> On the Registry menu, click Load Hive.</li> Locate the System file, and then click Open.</li> The Load Hive dialog box appears. In the Key Name box, type a temporary name (for example, test ), and then click OK.</li> A key named Test appears. This is a copy of your System hive from the other Windows NT-based computer.</li> Locate the following registry key:

</li> On the right-hand side of the screen, the following values that correspond to the GUI interface are displayed:

Value Name: AutoReboot

Data Type: REG_DWORD

Data: 0|1 (Disabled|Enabled)

Value Name: CrashDumpEnabled

Data Type: REG_DWORD

Data: 0|1 (Disabled|Enabled)

Value Name: DumpFile

Data Type: REG_EXPAND_SZ

Data: %SystemRoot%\Memory.dmp (location to save the dump file)

Value Name: LogEvent

Data Type: REG_DWORD

Data: 0|1 (Disabled|Enabled) Logs an event to the System log when a crash occurs

Value Name: Overwrite

Data Type: REG_DWORD

Data: 0|1 (Disabled|Enabled) Overwrites an existing dump file

Value Name: SendAlert

Data Type: REG_DWORD

Data: (Disabled|Enabled) Sends an administrative alert

</li> After you make the appropriate changes, copy the updated System file back to the %SystemRoot%\System32\Config folder on the original computer.</li></ol>

For Computers Using the NTFS File System
Because of the security features in the file system, you cannot simply copy the file, make changes, and then copy the file back to the computer. To gain access to the file system, you must perform a parallel installation of Windows NT. A parallel installation puts another copy of the operating system in another folder, which allows you to gain access to the file system. After the parallel installation is finished, use the following steps: <ol> Start Registry Editor.</li> Ensure the HKEY_LOCAL_MACHINE hive is selected.</li> On the Registry menu, click Load Hive.</li> <li>Locate the %SystemRoot%\System32\Config folder on the original installation of Windows NT, click the System file, and then click Open.</li> <li>The Load Hive dialog box appears. In the Key Name box, type an appropriate temporary name (for example, test ). A key named Test appears. This is the System hive from the other installation of Windows NT.</li> <li>Locate the following registry key:

</li> <li>On the right-hand side of the page, the values that correspond to the GUI interface are displayed. Make and save the appropriate changes.</li> <li>Restart your original installation of Windows NT.</li></ol>

For Remote Computers
<ol> <li>Start Registry Editor.</li> <li>On the Registry menu, click Select Computer, and then type the name of the remote computer.</li> <li>Locate the following registry key:

</li> <li>On the right-hand side of the page, the values that correspond to the GUI interface are displayed. Make and save the appropriate changes.</li> <li>Quit Registry Editor, and then restart the computer.</li></ol>

<div class="references_section">