The term "system memory dump" refers to the file a computer creates containing the contents of system memory following a full system crash. System memory dumps are also called physical memory dumps. Programs are often configured to make dump files that store the program state at the time of a crash, so that programmers can go back, look at what the computer was doing when it crashed, and prevent it from happening again.
System Memory Dump Uses
A system memory dump takes a snapshot of everything that's currently in the computer's physical memory whenever the system goes down. When you get the computer up and running again, you can either look at the file yourself or send it to someone else to help figure out why Windows crashed. Memory dump files are often used in the debugging process when system crashes are a regular event. Usually, a programmer has to rewrite part of a program to stop the crash from recurring. The debugging process usually involves recreating the crash situation to find the faulty code. Memory dump files make it easy for the programmer to recreate the problematic situation and identify the crash cause. For example, Kaspersky requests complete dump files for crashes related to the Kaspersky Lab program.
System Memory Dump Creation
In Windows, the computer writes a memory dump file whenever the "Blue Screen of Death" strikes. A message reading "dumping physical memory" appears, and the computer shows a progress percentage leading up to the completion of the memory dump file; it then reboots. System memory dumps don't happen when a single program crashes and Windows keeps running: they only happen when Windows crashes or another program takes Windows down with it.
System Memory Dump Types
Windows supports three types of system memory dumps: small, kernel and complete. According to Microsoft, a small memory dump includes a list of loaded system drivers and process information about the system thread that caused the crash. According to security software developer Sophos, a kernel dump file contains the system kernel information and is not useful for debugging programs other than Windows itself. The system kernel is the part of the Windows code that interfaces with the computer hardware. A complete memory dump contains all of the contents of the system's memory at the time of the crash, and therefore provides the most information.
Configuring Memory Dumps
You may be asked to provide a complete memory dump to help a programmer resolve a recurring program crash. Windows 8 defaults to an automatic memory dump type that lets the computer decide which type to use. You can change the settings by searching for "system," then clicking "Settings | Advanced System Settings | Advanced | Settings." From here, change the "Write debugging information" drop-down menu to the desired memory dump file type and click "OK." The memory dump file created after the next crash can be used in the debugging process.
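The "Write debugging information" setting can also be read without the GUI. The following PowerShell is an added example, not part of the original article; it assumes the standard CrashControl registry key and the CrashDumpEnabled value mapping documented by Microsoft (0 none, 1 complete, 2 kernel, 3 small, 7 automatic), and the function name is hypothetical.

```powershell
# Added example: report how this machine is configured to write system memory dumps.
# Assumption: the settings live under the CrashControl key, as documented by Microsoft.
function Get-CrashDumpConfig {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    )

    # CrashDumpEnabled values and the dump type each one selects.
    $typeNames = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

    $cc = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    if ($null -eq $cc.CrashDumpEnabled) {
        $raw = $null
        $type = 'Not set'
    } else {
        $raw = [int]$cc.CrashDumpEnabled
        $type = if ($typeNames.ContainsKey($raw)) { $typeNames[$raw] } else { "Unknown ($raw)" }
    }

    # Small dumps are written into a directory; the other types go to a single file.
    $target = if ($raw -eq 3) { $cc.MinidumpDir } else { $cc.DumpFile }
    if ($target) { $target = [Environment]::ExpandEnvironmentVariables($target) }

    # Find the most recent dump already on disk, if there is one.
    $latest = $null
    if ($target -and (Test-Path -LiteralPath $target)) {
        $latest = Get-ChildItem -LiteralPath $target -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
    }

    [pscustomobject]@{
        DumpType        = $type
        RawValue        = $raw
        DumpLocation    = $target
        RebootAfterDump = [bool]$cc.AutoReboot
        LatestDump      = if ($latest) { $latest.FullName } else { $null }
        LatestDumpMB    = if ($latest) { [math]::Round($latest.Length / 1MB, 1) } else { $null }
        LatestWritten   = if ($latest) { $latest.LastWriteTime } else { $null }
    }
}

Get-CrashDumpConfig | Format-List
```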
- Microsoft Technet: Windows 8 and Windows Server 2012: Automatic Memory Dump
- Microsoft Support: Overview of Memory Dump File Options for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
- Microsoft Technet: Understanding Crash Dump Files
- Microsoft: How to Read the Small Memory Dump File that is Created by Windows if a Crash Occurs
- Sophos: How to Configure a Computer to Capture a Complete Memory Dump
- Kaspersky Lab: How to Get a Complete Memory Dump When System Hangs