I have a tool that converts xen dump-core memory dumps obtained from Dom0 to WinDBG debuggable dumps. It works by skipping the ‘elf’ header, then dropping a range of pages, and finally pre-pending a crash dump header that is obtained at boot time by a call to KeInitializeCrashDumpHeader. This results in a .dmp file that is nearly identical to one that is obtained when the system dumps properly. In the past, I’ve used this to debug VMs that crash and don’t yield a dump (often due to a fault in the storage stack).
I received a report that the tool wasn’t working with a Win2k3 x64 VM, so I commandeered the machine and used ctrl-scroll-scroll to force a crash that would produce a dump. I then produced a xen dump-core dump and ran it through my tool. Sure enough, WinDBG refused to open the file (The file is corrupt or invalid). In the end, if I took the first two pages from the REAL .dmp file and replaced that of the manufactured one, it would work.
An older version of my driver would refresh the dump header at crash time with a bugcheck callback, but I found that at some point I had introduced a bug in my code such that the header is not refreshed at bugcheck time. Is this fatal? Does the contents of the (would be) dump header change while the OS runs?