Mem dumps when pagefile is not on system disk

[Guest]

On our Windows XP Embedded environment we write protect the c: drive so that
we can resume from hibernate many times. This is accomplished with the use
of a write filter which buffers all writes to the c: drive. The Windows page
file is set to 384MB which is larger than our write filter cache buffer,
therefore we moved the Windows pagefile to the e: drive.

Windows will not perform a system memory dump unless the page file is on the
system drive (c. The pagefile is not contiguous sectors on the hard drive,
so we can't just not cache the sectors of the pagefile.

How can we get memory system dumps with the pagefile on a drive other than
the system drive?

 

[Slobodan Brcin \(eMVP\)]

Hi Bruce,

1. You can't use pagefile on volume protected by EWF. (We had some discussion about can it be done on protected partition, but
results are unconclusive and certainly not safe to use)
2. You must unmount all filesystems on non-protected volumes before you hibernate.

For above you can easily draw an conclusion that you can't use hibernate/resume many feature with pagefile support enabled :-(

Regards,
Slobodan

 

[Guest]

Hi Slobodan,

Thanks for the information!

Does this mean there is no way to capture a memory dump in this configuration?

Thanks,
Bruce

 

[Slobodan Brcin \(eMVP\)]

Hi Bruce,

Now I do not understand the original question. What memory dump are you talking about?
Hibernation can work without pagefile support.

Regards,
Slobodan

 

[Guest]

Hi Slobodan,

I can understand why there might be some confusion. The memory dump I'm
referring to is the kind you get when the system blue-screens. Apparently
this dump will only happen if the pagefile is on the system drive (C and as
you pointed out, you can not have the pagefile on a write-filter protected
volume. We need to find out how to get the memory dump to be made when the
pagefile is not on the system drive.

Thanks,
Bruce

 

[Slobodan Brcin \(eMVP\)]

Interesting.
I was unaware that there is any connection between mem dump file and pagefile.

Do you have component "Disk Dump Drivers" in your image?

Also how did you configured destination file name for dump file and type of dump? (Can you describe procedure that you have used?)
You should probably put dump file creation on unprotected volume. (Dump driver can write around the EWF but it can't create new file
(file must exist and be allocated for this to work.))

Regards,
Slobodan

 

[Mark K Vallevand]

I don't see a "Disk Dump Drivers" component, or anything named similarly.

I was under the impression that BSOD dumps in XPe worked like XPP. That is,
when there is a BSOD, the dump is written to the page file. The page file
must be big enough to hold the type of dump requested. When the OS reboots,
it sees a dump signature in the page file and copies the contents to your
memory.dmp file.

How do you get a system BSOD-type dump when you have EWF enabled and no page
file? I don't think its possible, but I would love to know otherwise.

--
Regards.
Mark K Vallevand

Interesting.
I was unaware that there is any connection between mem dump file and pagefile.

Do you have component "Disk Dump Drivers" in your image?

Also how did you configured destination file name for dump file and type

of dump? (Can you describe procedure that you have used?)

You should probably put dump file creation on unprotected volume. (Dump

driver can write around the EWF but it can't create new file

(file must exist and be allocated for this to work.))

Regards,
Slobodan

discussion about can it be done on protected partition,

but

hibernate/resume many feature with pagefile support enabled

 

[Slobodan Brcin \(eMVP\)]

Hi Mark,

It is named exactly that way: Visibility 200.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/diskdump.asp
http://msdn.microsoft.com/library/d..._a9688d6d-0340-41a6-a34c-09c299d52e9e.xml.asp

You are referring to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;254649

Unfortunately if you can't bend this behavior so page file is stored on non protected partition and used by dump driver then sorry
:-(
One thing that I can say is DO NOT USE PAGE FILE ON EWF PROTECTED PARTITION, results might be unexpected and your system might crash
just because of this.
http://msdn.microsoft.com/embedded/community/community/tips/xp/renamert/default.aspx

Try crashing system by using:
http://support.microsoft.com/kb/244139

Regards,
Slobodan

 

[Mark K Vallevand]

Oops. I'm using SP2 Preview. My bad. I forgot to change the visibility
level. Its there.

And, I guess that there isn't any way to get a dump without a page file.
:-( Well, its not going to crash anyway, right?

--
Regards.
Mark K Vallevand

Hi Mark,

It is named exactly that way: Visibility 200.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/diskdump.asp
http://msdn.microsoft.com/library/d..._a9688d6d-0340-41a6-a34c-09c299d52e9e.xml.asp

You are referring to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;254649

Unfortunately if you can't bend this behavior so page file is stored on

non protected partition and used by dump driver then sorry

:-(
One thing that I can say is DO NOT USE PAGE FILE ON EWF PROTECTED

PARTITION, results might be unexpected and your system might crash

just because of this.
http://msdn.microsoft.com/embedded/community/community/tips/xp/renamert/default.aspx

Try crashing system by using:
http://support.microsoft.com/kb/244139

Regards,
Slobodan

I don't see a "Disk Dump Drivers" component, or anything named similarly.

I was under the impression that BSOD dumps in XPe worked like XPP. That is,
when there is a BSOD, the dump is written to the page file. The page file
must be big enough to hold the type of dump requested. When the OS reboots,
it sees a dump signature in the page file and copies the contents to your
memory.dmp file.

How do you get a system BSOD-type dump when you have EWF enabled and no page
file? I don't think its possible, but I would love to know otherwise.

--
Regards.
Mark K Vallevand

Interesting.
I was unaware that there is any connection between mem dump file and pagefile.

Do you have component "Disk Dump Drivers" in your image?

Also how did you configured destination file name for dump file and

type
of dump? (Can you describe procedure that you have used?)

You should probably put dump file creation on unprotected volume.

(Dump
driver can write around the EWF but it can't create new file

(file must exist and be allocated for this to work.))

Regards,
Slobodan


Hi Slobodan,

I can understand why there might be some confusion. The memory dump I'm
referring to is the kind you get when the system blue-screens. Apparently
this dump will only happen if the pagefile is on the system drive

(C
and as

you pointed out, you can not have the pagefile on a write-filter protected
volume. We need to find out how to get the memory dump to be made

when
the

pagefile is not on the system drive.

Thanks,
Bruce


:

Hi Bruce,

Now I do not understand the original question. What memory dump

are
you talking about?

Hibernation can work without pagefile support.

Regards,
Slobodan

"BruceKrautbauer" <[email protected]>

wrote in
message

Hi Slobodan,

Thanks for the information!

Does this mean there is no way to capture a memory dump in this configuration?

Thanks,
Bruce

:

Hi Bruce,

1. You can't use pagefile on volume protected by EWF. (We had

some
discussion about can it be done on protected partition,

but
results are unconclusive and certainly not safe to use)
2. You must unmount all filesystems on non-protected volumes before you hibernate.

For above you can easily draw an conclusion that you can't use

hibernate/resume many feature with pagefile support enabled

:-(

Regards,
Slobodan

 

[Slobodan Brcin \(eMVP\)]

Hi Mark,

And, I guess that there isn't any way to get a dump without a page file.

I have no idea. (I'm using either additional computer with windbg next to my device if I hunt for errors). For field devices I set
computer to reboot instead of BSOD or logging data. (I have not seen this happen according to my program logs )

Page file can be moved on non-protected partition.
Dump file folder can be moved to any partition.
Someone will have to test and see if this would work.

:-( Well, its not going to crash anyway, right?

This question is more for some group of mystics then for us to give answer on this :-(

Regards,
Slobodan

--
Regards.
Mark K Vallevand

Hi Mark,

It is named exactly that way: Visibility 200.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/diskdump.asp

http://msdn.microsoft.com/library/d..._a9688d6d-0340-41a6-a34c-09c299d52e9e.xml.asp

You are referring to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;254649

Unfortunately if you can't bend this behavior so page file is stored on

non protected partition and used by dump driver then sorry

:-(
One thing that I can say is DO NOT USE PAGE FILE ON EWF PROTECTED

PARTITION, results might be unexpected and your system might crash

just because of this.
http://msdn.microsoft.com/embedded/community/community/tips/xp/renamert/default.aspx

Try crashing system by using:
http://support.microsoft.com/kb/244139

Regards,
Slobodan