How to locally obtain full memory dump on Windows host
Original Publishing Date: 2022-04-13
Summary
In some cases, a full memory dump is required to determine the root cause of
server slowdowns and performance problems.
This article describes how to obtain a full memory dump on a running server.
On servers with a large amount of memory installed, collecting a full dump is a time-consuming process, so temporarily limiting the amount of RAM available to the host may be considered, although this requires a server restart.
The resolution path depends on whether the affected server can access http://msdl.microsoft.com (the Microsoft symbol server).
The node has access to the Internet
- Download and install the latest dbg32.zip or dbg64.zip Windows Debugging toolkit, depending on your server architecture.
- Download the LiveKD tool from Sysinternals.com.
- Open the command prompt as Administrator and change the directory to the folder to which you downloaded LiveKD.exe.
- Launch LiveKD and press 'y' to download the symbols (access to http://msdl.microsoft.com is required):
C:\>livekd.exe
LiveKd v5.31 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2013 Mark Russinovich and Ken Johnson
Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y
Enter the folder to which symbols download (default is c:\symbols):
Launching C:\program files\Debugging Tools for Windows (x64)\kd.exe:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
Symbol search path is: srv*C:\symbols
*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 7601.19018.amd64fre.win7sp1_gdr.150928-1507
Machine Name:
Kernel base = 0xfffff800`01615000 PsLoadedModuleList = 0xfffff800`0185c730
Debug session time: Wed Feb 3 04:04:30.297 2016 (UTC + 3:00)
System Uptime: 0 days 0:06:59.608
Loading Kernel Symbols
...............................................................
..........
Loading User Symbols
............
Loading unloaded module list
......
0: kd>
- Trigger the dump generation when it is needed:
0: kd> .dump /f C:\memory.dmp
Please consider including the "/b" option to compress the dump file in a CAB.
Disk space required could be cut by around 75%.
Creating C:\memory.dmp - Full kernel dump
Percent written 0
Percent written 1
.................
Percent written 99
Dump successfully written
0: kd>
- Before uploading the dump to the file exchange share, compress it using
any archiving software.
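The steps above assume an elevated prompt, an installed kd.exe and enough free disk space for a dump roughly the size of physical RAM, but none of that is checked until LiveKD fails. The following PowerShell script is an added example (not part of the original article or of the LiveKD/Debugging Tools packages) that verifies those prerequisites before you launch livekd.exe and, once the dump exists, records its size and SHA-256 beside it so the receiving side can confirm the file arrived intact. It assumes the Debugging Tools path and the C:\memory.dmp output path shown in the article; both are parameters you can change.

```powershell
# Added example: preflight checks for a LiveKD full kernel dump and an
# integrity record for the resulting file. Paths below are assumptions taken
# from the article's transcript; adjust them for your installation.
$KdPath   = 'C:\Program Files\Debugging Tools for Windows (x64)\kd.exe'
$DumpPath = 'C:\memory.dmp'

function Test-DumpPrerequisites {
    param([string]$KdPath, [string]$DumpPath)
    $ok = $true

    # LiveKD and kd.exe need an elevated (Administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Run this from an elevated (Administrator) prompt.'
        $ok = $false
    }

    # LiveKD launches kd.exe from the Debugging Tools package; make sure it is there.
    if (-not (Test-Path -LiteralPath $KdPath)) {
        Write-Warning "kd.exe not found at $KdPath; install the Debugging Tools first."
        $ok = $false
    }

    # A full kernel dump is roughly the size of physical RAM. Require that much
    # free space on the target volume plus a small margin for temporary files.
    $ramBytes  = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $driveId   = Split-Path -Qualifier $DumpPath      # e.g. 'C:'
    $freeBytes = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$driveId'").FreeSpace
    $needBytes = [math]::Ceiling($ramBytes * 1.1)
    if ($freeBytes -lt $needBytes) {
        Write-Warning ("Only {0:N1} GB free on {1}; about {2:N1} GB needed for a full dump." -f ($freeBytes / 1GB), $driveId, ($needBytes / 1GB))
        $ok = $false
    }
    return $ok
}

function Write-DumpIntegrityRecord {
    param([string]$DumpPath)
    # Store size, SHA-256, host name and time next to the dump. Whoever receives
    # the archive can re-hash the extracted file and detect truncation or tampering.
    $item = Get-Item -LiteralPath $DumpPath
    $hash = Get-FileHash -LiteralPath $DumpPath -Algorithm SHA256
    $record = [pscustomobject]@{
        File      = $item.FullName
        SizeBytes = $item.Length
        SHA256    = $hash.Hash
        Host      = $env:COMPUTERNAME
        Collected = (Get-Date).ToString('o')
    }
    $record | ConvertTo-Json | Set-Content -LiteralPath "$DumpPath.sha256.json" -Encoding ASCII
    return $record
}

if (Test-DumpPrerequisites -KdPath $KdPath -DumpPath $DumpPath) {
    Write-Host 'Prerequisites OK. Launch livekd.exe and run: .dump /f C:\memory.dmp'
}
if (Test-Path -LiteralPath $DumpPath) {
    Write-DumpIntegrityRecord -DumpPath $DumpPath | Format-List
}
```

Run the script once before starting LiveKD and once after the `.dump` command has reported "Dump successfully written". Get-FileHash requires PowerShell 4.0 or later; on older hosts `certutil -hashfile C:\memory.dmp SHA256` gives the same digest. Note that Compress-Archive in Windows PowerShell cannot handle files larger than 2 GB, so for a full dump use the `/b` option that kd suggests (CAB compression) or a third-party archiver, as the article says. A full memory dump contains everything that was in RAM, including credentials and keys of logged-on sessions, so keep the archive and its hash record on the intended exchange share only and delete the local copy once the upload has been verified.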
The node does not have access to the Internet
- Download and install the latest dbg32.zip or dbg64.zip Windows Debugging toolkit, depending on the server architecture, on two machines: the server where the memory dump is to be collected (no Internet access) and a PC with access to http://msdl.microsoft.com (the client with Internet access).
- Copy ntoskrnl.exe, kernel32.dll and ntdll.dll from C:\Windows\system32 on the server to the client, for example, to C:\debug.
- Go to the client and download the symbols manually:
C:\Program Files\Debugging Tools for Windows (x64)>symchk.exe /if C:\debug\* /s srv*C:\debug*http://msdl.microsoft.com/download/symbols
SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 3
- Copy the downloaded .pdb files from C:\debug to the server without Internet access, for example, to C:\symbols.
- Download the LiveKD tool from Sysinternals.com on the server.
- Open the command prompt as Administrator and change the directory to the folder to which you downloaded LiveKD.exe.
- Launch LiveKD, press 'y', and type the path to the manually downloaded symbols (C:\symbols):
C:\>livekd.exe
LiveKd v5.31 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2013 Mark Russinovich and Ken Johnson
Symbols are not configured. Would you like LiveKd to set the _NT_SYMBOL_PATH
directory to reference the Microsoft symbol server so that symbols can be
obtained automatically? (y/n) y
Enter the folder to which symbols download (default is c:\symbols): C:\symbols
Launching C:\program files\Debugging Tools for Windows (x64)\kd.exe:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
Symbol search path is: srv*C:\symbols
*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 7601.19018.amd64fre.win7sp1_gdr.150928-1507
Machine Name:
Kernel base = 0xfffff800`01615000 PsLoadedModuleList = 0xfffff800`0185c730
Debug session time: Wed Feb 3 04:04:30.297 2016 (UTC + 3:00)
System Uptime: 0 days 0:06:59.608
Loading Kernel Symbols
...............................................................
Loading User Symbols
............
Loading unloaded module list
......
0: kd>
- Trigger the dump generation when it is needed:
0: kd> .dump /f C:\memory.dmp
Please consider including the "/b" option to compress the dump file in a CAB.
Disk space required could be cut by around 75%.
Creating C:\memory.dmp - Full kernel dump
Percent written 0
Percent written 1
.................
Percent written 99
Dump successfully written
0: kd>
- Before uploading the dump to the file exchange share, compress it using
any archiving software.
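The offline procedure hinges on the symbol-staging steps: symchk matches each PDB to the exact build of the PE file it is given, so the three binaries must be the server's own copies, and the download succeeds silently with zero PDBs if the input folder is wrong. The PowerShell script below is an added example (not part of the original article or of the Debugging Tools) that runs on the client and automates those steps: it confirms the three server binaries are present in C:\debug, runs symchk.exe with the same arguments as the article, and reports how many .pdb files were fetched. The symchk path, staging folder and symbol URL are the article's values and are assumptions you can change; copying the binaries from the server and the PDBs back to it is left to your usual transfer method.

```powershell
# Added example: stage symbols on the Internet-connected client for a server
# without Internet access. Paths are taken from the article and are assumptions.
$SymchkPath = 'C:\Program Files\Debugging Tools for Windows (x64)\symchk.exe'
$StageDir   = 'C:\debug'
$SymbolUrl  = 'http://msdl.microsoft.com/download/symbols'
$Binaries   = 'ntoskrnl.exe', 'kernel32.dll', 'ntdll.dll'

function Get-StagedBinaries {
    param([string]$StageDir, [string[]]$Names)
    # Fail early if a server binary is missing. symchk keys the PDB lookup on the
    # PE header of each file, so the copies must come from the server's own
    # System32, never from this client's.
    $missing = $Names | Where-Object { -not (Test-Path -LiteralPath (Join-Path $StageDir $_)) }
    if ($missing) { throw "Missing in ${StageDir}: $($missing -join ', ')" }
    Get-Item -LiteralPath ($Names | ForEach-Object { Join-Path $StageDir $_ })
}

function Invoke-SymbolDownload {
    param([string]$SymchkPath, [string]$StageDir, [string]$SymbolUrl)
    if (-not (Test-Path -LiteralPath $SymchkPath)) { throw "symchk.exe not found at $SymchkPath" }
    # Same invocation as the article: srv*<local cache>*<symbol server> makes
    # symchk store each PDB under $StageDir\<name>.pdb\<GUID>\<name>.pdb.
    $symPath = "srv*$StageDir*$SymbolUrl"
    & $SymchkPath /if "$StageDir\*" /s $symPath
    if ($LASTEXITCODE -ne 0) { Write-Warning "symchk exited with code $LASTEXITCODE; review its output." }
    # Return the fetched PDBs so the caller can check the count against the inputs.
    Get-ChildItem -LiteralPath $StageDir -Recurse -Filter *.pdb
}

$staged = Get-StagedBinaries -StageDir $StageDir -Names $Binaries
$pdbs   = Invoke-SymbolDownload -SymchkPath $SymchkPath -StageDir $StageDir -SymbolUrl $SymbolUrl
"{0} binaries staged, {1} PDB files downloaded" -f @($staged).Count, @($pdbs).Count
if (@($pdbs).Count -lt @($staged).Count) {
    Write-Warning 'Fewer PDBs than binaries; kd on the server will show missing symbols for the rest.'
}

# Next: copy $StageDir, keeping its folder structure, to C:\symbols on the server
# (for example: Copy-Item -Path "$StageDir\*" -Destination '\\<server>\c$\symbols' -Recurse)
# and enter C:\symbols at the LiveKD prompt as shown in the article.
```

Keep the subfolder layout that symchk creates when copying to the server: kd resolves `srv*C:\symbols` through that layout, and flattening the PDBs into one folder prevents them from being found. If the server is later patched, the staged PDBs no longer match and the procedure must be repeated with fresh copies of the three binaries.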