Any Possibilities to get crash dump file during OS Installation?

Hi all,

While installing the WIN 2008 R2 OS in the LUN, we are getting a crash. With windbg we are able to see Bugcheck 7E.

The .dump /m C:\filename.dmp command puts the .dmp file on the debuggee machine. In my case I am getting the crash during OS installation.

Is there any possibility to redirect the .dmp file to the debugger (windbg) machine? Could someone please suggest whether it is really possible to redirect the crash dump in the OS installation case?

Appreciate any inputs. Thanks in Advance.

Regards,
Ananth

.dump should create the dump on the debugger machine (not the debuggee). I was able to create a mini-dump on my debugger using the exact command you shared.

Girish, thanks for your valuable input.

.dump /m creates a minidump. Any options related to .dump deal only with minidumps.
The .dump command cannot produce a kernel memory dump.
In my case, during OS installation, the crash is seen when winload starts to load the boot-critical drivers.
At this point, only Windows startup components and boot-critical drivers will be present in memory.

How can I redirect that kernel memory dump to my debugger machine? What I am trying to find out is whether it is really possible with windbg commands; any other way would also be very helpful.

Thanks in advance,
Ananth

Docs (https://msdn.microsoft.com/en-us/library/windows/hardware/ff562428(v=vs.85).aspx) say that /f creates a full memory dump. There is a limit to how much system memory is supported; if you have more than that, the full memory dump is disabled. So you might be able to use the /maxmem boot option to limit main memory in order to get a full dump, which will include the kernel space.

Phil
Not speaking for LogRhythm
Phil Barila | Senior Software Engineer
720.881.5364 (w)
LogRhythm, Inc.
The Security Intelligence Company
A LEADER in Gartner’s SIEM Magic Quadrant four consecutive years (2012-2015)
A CHAMPION in Info-Tech Research Group’s 2015 SIEM Vendor Landscape Report
SANS “Best of the Year” in SIEM, 2014
Perfect 5-Star Rating in SC Magazine (2009-2014)

-----Original Message-----
Sent: Thursday, October 01, 2015 9:42 PM
Subject: RE:[ntdev] Any Possiblities to get crash dump file during OS
Installation?

.dump /m creates a minidump. Any options related to .dump deal only with
minidumps.
The .dump command cannot produce a kernel memory dump.

Thanks Phil, it worked. I am able to get a complete memory dump with the /f option on the debugger machine. Windbg says it needs 116 hours to write the dump. This is because the crash came during OS installation in the LUN; to my knowledge, I only know how to connect the debugger via the COM port in the OS installation case.
Is it in any way possible to do network debugging during OS installation? Could someone please guide me regarding this?

Thanks in advance.

Regards,
Ananth

Glad to help you make some progress.

Is 1394 (Firewire) debugging an option with your hardware? If so, that will be much faster to generate the dump. It’s still not going to be “fast”, but it should be tolerable.

Phil

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-592786-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, October 07, 2015 8:16 AM
To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Any Possiblities to get crash dump file during OS
> Installation?
>
> Thanks Phil, it worked. I am able to get a complete memory dump with the /f
> option on the debugger machine. Windbg says it needs 116 hours to write the
> dump. This is because the crash came during OS installation in the LUN; to my
> knowledge, I only know how to connect the debugger via the COM port in the OS
> installation case.
> Is it in any way possible to do network debugging during OS installation?
> Could someone please guide me regarding this?
>
> Thanks in advance.
>
> Regards,
> Ananth
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

I haven’t done so in a while, but you can manually adjust the BCD file to have debugging options at different phases of OS setup. If you use two machines with PCIe 1394 cards with the LSI chipset and a 1394b cable, you can write crash dumps at about 40 MBytes/sec, which is a couple of minutes for 4 GBytes of RAM.

This. 100% true.

You want a card with the LSI FW643-e chipset on it.

Peter
OSR
@OSRDrivers

Thanks all for your valuable input.
Unfortunately, in our DMZ lab we don’t have an option for 1394 (FireWire).
Got the dump via the serial port itself.

Thanks,
Ananth
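
The BCD adjustment suggested in the thread, as an added example that is not from any of the posters: it enables kernel and boot debugging in an offline BCD store with bcdedit, and can cap physical memory so a full dump is smaller. The store path `E:\boot\bcd` (a writable copy of the install media), the `{default}` entry, COM1 at 115200 baud, 1394 channel 1 and the use of `truncatememory` as the BCD counterpart of the memory limit mentioned above are all assumptions.

```powershell
# Added example. Run from an elevated prompt against a WRITABLE copy of the
# setup media; $Store and $Entry are assumed values, adjust to your layout.
param(
    [string]$Store = 'E:\boot\bcd',
    [string]$Entry = '{default}',
    [ValidateSet('serial', '1394')]
    [string]$Transport = 'serial',
    [string]$TruncateMemory = ''      # e.g. '0x40000000' to ignore RAM above 1 GB
)

function Invoke-Bcd {
    param([string[]]$BcdArgs)
    # Every call targets the offline store, never the running system's BCD.
    & bcdedit.exe /store $Store @BcdArgs
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed: $($BcdArgs -join ' ')"
    }
}

if (-not (Test-Path -LiteralPath $Store)) {
    throw "BCD store not found: $Store"
}

# Keep a copy so the original boot configuration can be restored.
Copy-Item -LiteralPath $Store -Destination "$Store.bak" -Force

# Kernel debugger for the OS started by this entry, plus the boot debugger
# so the loader phase is also covered.
Invoke-Bcd '/set', $Entry, 'debug', 'on'
Invoke-Bcd '/set', $Entry, 'bootdebug', 'on'

# Debug transport: serial is the slow path used in the thread, 1394 the fast one.
if ($Transport -eq 'serial') {
    Invoke-Bcd '/dbgsettings', 'serial', 'debugport:1', 'baudrate:115200'
} else {
    Invoke-Bcd '/dbgsettings', '1394', 'channel:1'
}

# Optional: limit usable physical memory to shrink a full (.dump /f) dump.
if ($TruncateMemory) {
    Invoke-Bcd '/set', $Entry, 'truncatememory', $TruncateMemory
}

# Show the result for review before booting the target from this media.
Invoke-Bcd '/enum', $Entry
Invoke-Bcd '/dbgsettings'
```

The debugger host then attaches with matching settings, for example `windbg -k com:port=COM1,baud=115200` for the serial case.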