The Windows Memory Dump Explained

By Pete F Morgan

If you're a frequent user of disk maintenance tools, you might have encountered this file before. Most disk cleaners include this in the list of data that can be safely removed, such as the temporary internet files and recycle bin contents. If you're not familiar with what a Windows memory dump file is, read on.

How is it created?

It would be better to start off on how this file is formed in your computer so that you can understand its function. So to continue, how is it made?

When you computer encounters a fatal system crash, it activates the Windows Blue Screen of Death ("BSOD"). In a BSOD, your explorer will stop working and a blue screen will emerge, hence the name Blue Screen of Death.

The BSOD will indicate the specific application that brought about the system crash. Afterwards, it will trigger an overall system scan to collect all the information related to the said error. It will also duplicate your computer's memory at the event of a crash. The result of this process is called a crash dump file, or most commonly known as memory dump.

What are its types?

Depending on your system settings, your computer will produce any of the following types of crash dump file:

Small memory dump (SMB)

With an average file size of 256 kilobytes, this is the smallest type of crash dump file. Because of its size, it can only store very little information about the error. Some examples of the data included in it are the blue screen information, a part of kernel data, loaded drivers, and process information. The SMB is used to identify the specific error has caused the crash. Since it only contains an insignificant part of the kernel data, you cannot use it to resolve the system error.

Kernel memory dump (KMB)

This file contains useful system data such as the hardware abstraction level (HAL), memory allocation of Windows kernel, kernel-made drivers and kernel-related programs. Because of its conciseness, the KMB is what most developers use for debugging purposes. However, this file excludes the unallocated memory, or the memory dedicated for user-made applications.

Automatic memory dump (AMB)

All Windows computers are set to produce AMB by default, and that its size is determined by the system. Windows ensures that there is enough space to capture at least a KMB. Thus, an AMB contains almost the same information as the kernel dump file.

Complete memory dump (CMB)

This type creates an exact copy of your physical memory at the moment of the system crash. It covers all information contained in every type of crash dump files and adds more to it, that's why it's called "complete". However, most system crashes are attributed to codes in kernel-mode. This means that the information in a KMB is already adequate. Thus, it only follows that all the other data contained in a CMB apart from the kernel data is deemed useless.

How can you access it?

To do this, go to the Control Panel and look for the System menu. Under the Advanced system settings, there is the "Startup and Recovery" section. This contains the settings for your crash dump file.

You will see that the "Write debugging information" is default to be an AMB. If you wish to change this setting, you should use an Administrator account as this is a system setting.

RSS Feed

 Follow @Stephen Bucaro

 Windows Troubleshooting
 Basic PC Anatomy
 Computer Architecture
 Internet Security
 A+ Practice Exams
 Maintain, Upgrade PC
 Windows Tips
 Windows Administration
 Linux

 Free PC Technical Support