A module for configuring Windows Crash Dumps.
This module was inspired and informed by Bruce Mackenzie-Low's talk on 'Windows Debugging' at 'Techmentor 2014'.
- When a system is in a partially functional or hung state, a good way to get a
.dmpfile to analyze is to force a crash dump using keystroke or NMI - Some BIOS have an
Automatic Server RecoveryorWatchdogsetting which tries to detect if OS is live and resets. This will often interrupt the memory dump generation. If you encounter this, then disabling this setting can allow you to get a full dump. - A truncated dump file may still have usefull information.
Windows can issue a 0xE2 (MANUALLY_INITIATED_CRASH) signal when a specific keystroke is pressed. This is disabled by default, and must be enabled in the driver for each keyboard type.
Supported Keyboard Types:
| Type | OS Supported | Driver Service | Module Support |
|---|---|---|---|
| PS/2 | Windows 2000 and later | i8042prt | Yes |
| USB | Windows Vista and Later | kbdhid | Yes |
| Hyper-V | Windows 10 version 1903 and later | hyperkbd | No |
- The
CrashOnCtrlScrollwill enable theRight‐Ctrl + Scroll Lock + Scroll Lockkeystroke. - The
Dump1Keyssetting can be used to enable alternate shortcuts. However this is not currently supported by this module. - You must restart the system for these settings to take effect.
Examples
# Get Current Settings
Get-CrashOnCtrlScroll
# Enable on USB keyboard
Set-CrashOnCtrlScroll -Enabled -DeviceType 'USB'; Restart-Computer
# Enable on USB and PS2 keyboards
Set-CrashOnCtrlScroll -Enabled; Restart-Computer
# Disable on USB and PS2 keyboards (Restore default)
Set-CrashOnCtrlScroll; Restart-ComputerTODO:
- Add prompt for restart, and a warning that restart is required.
- Support alternate shortcuts
Windows can issue a 0x80 bugcheck (NMI_HARDWARE_FAILURE) in response to a Non-Maskable Interrupt (NMI) signal from the system hardware. This signal is used in cases where a keyboard may not be available. This is most commmonly used when remotely managing a system remotely from via the BMC or Hypervisor.
Triggering an NMI signal
| Type | Method |
|---|---|
| HP iLO | Use the button on the system's iLO diagnostics page. |
| Hyper-V VM | Powershell command: Debug‐Vm “VM 1" ‐InjectNonMaskableInterrupt –Force |
| VMware VM | See KB2005715 and follow the instructions for your version |
In Windows version prior to Windows Server 2012 or Windows 8, this must be enabled with the CrashNmiDump settings. In later versions, this is not required and the setting has no effect
Examples
# Get Current Settings
Get-CrashNmiDump
# Enable
Set-CrashNmiDump -Enabled
# Disable (default)
Set-CrashNmiDumpFrom Windows 7 onwards, if the machine is joined to a domain and the free space is below 25GB, then the MEMORY.dmp crash dump file will not be kept. This behavior is overridden when CrashAlwaysKeep is enabled.
Examples
# Get Current Settings
Get-CrashAlwaysKeep
# Enable
Set-CrashAlwaysKeep -Enabled
# Disable (default)
Set-CrashAlwaysKeepThe method of crash dump generation can be configured for None, Complete, Kernel, Small, or Automatic. The default mode is Kernel
Examples
# Get current settings
Get-CrashDumpMode
# Set the mode to Small
Set-CrashDumpMode -State 'Small'
# Set the mode to Kernel (default)
Set-CrashDumpModeKernel Dump Storage and Clean-up Behavior in Windows 7
Forcing a System Crash from the Keyboard
Generate Kernel or Complete Crash Dump: Use NMI
Bruce Mackenzie-Low's talk on 'Windows Debugging' at 'Techmentor 2014'