Troubleshooting Windows Server 2012 R2 Crashes. Analysis of Dump Files & Options. Forcing System Server Crash (Physical/Virtual)

There are umpteen reasons why your Windows Server 2012 R2 decides to present you with a Blue Screen of Death (BSOD) or the stop screen. As virtual machines become more prominent in enterprise environments, the same problems that plagued physical servers earlier are now increasingly being observed for crashes of virtual machines as well.

Microsoft designs and configures Windows systems to capture information about the state of the operating system when a total system failure occurs, as opposed to the failure of an individual application. You can see and analyze the captured information in the dump files, the settings of which you can configure using the System tool in the Control Panel. By default, the BSOD provides minimal information about the possible cause of the system crash, and this may suffice in most circumstances to help identify the cause of the crash.

However, some crashes may require a deeper level of information than what the stop screen provides – for example, when your server simply hangs and becomes unresponsive. In that case, you may still be able to see the desktop, but moving the mouse or pressing keys on the keyboard produces no response. To resolve the issue, you need a memory dump. This is basically a binary file that contains a portion of the server's memory just before it crashed. Windows Server 2012 R2 provides five options for configuring memory dumps.

Different Types Of Memory Dump Files

1. Automatic Memory Dump

Automatic memory dump is the default memory dump setting that Windows Server 2012 R2 starts off with. It is not really a new memory dump type: it is a Kernel memory dump that allows the SMSS process to reduce the page file to less than the size of the existing RAM. A System Managed page file therefore takes up less space on disk.

2. Complete Memory Dump

A complete memory dump is a record of the complete contents of the physical memory or RAM in the computer at the time of crash. Therefore, this needs a page file that is at least as large as the size of the RAM present plus 1MB. The complete memory dump will usually contain data from the processes that were running when the dump was collected. A subsequent crash will overwrite the previous contents of the dump.

3. Kernel Memory Dump

The kernel memory dump records only the read/write pages associated with the kernel-mode in physical memory at the time of crash. The non-paged memory saved in the kernel memory dump contains a list of running processes, state of the current thread and the list of loaded drivers. The amount of kernel-mode memory allocated by Windows and the drivers present on the system define the size of the kernel memory dump.

4. Small Memory Dump

A small memory dump or a MiniDump is a record of the stop code, parameters, list of loaded device drivers, information about the current process and thread, and includes the kernel stack for the thread that caused the crash.

5. No Memory Dump

Sometimes you may not want a memory dump when the server crashes.

Configuring Dump File Settings

Windows Server 2012 R2 allows you to configure an Automatic memory dump. To start the configuration, you have to log in as a local administrator and click on Control Panel in the Start menu:

Figure 1. Invoking the Windows Server Control Panel


From the Control Panel, click on System and Security icon. Next, click on System:

Figure 2. System and Security

In the System Properties that opens up, click on the Advanced tab as shown below:

Figure 3. System Properties – Advanced Tab

In the Advanced System Properties, look for and click on Settings under the Startup and Recovery section:

Figure 4. Startup and Recovery dialog

 

Figure 5. The five types of debugging information (memory dumps) available

Here, you have the choice to let your server Automatically restart on System failure. Under Write Debugging information, you can select one of the five types of memory dumps to be saved in the event of a server crash.
 
You can also define the name of the dump file the server should create and specify its location. The default location is in the System Root and the default name of the file is MEMORY.DMP. If you do not want the previous file to be overwritten by the new dump file, remove the tick mark from Overwrite any existing file (visible in figure 4).

When done, you will need to restart the server for the changes to take effect.

Manually Generating A Dump File

Although the server will create the dump files when it crashes, you do not have to wait indefinitely for the crash to occur. As described in Microsoft’s support pages Generating a System Dump via Keyboard and Forcing a System Crash via Keyboard, you can induce the server to crash with a select combination of keys. Of the several methods described by Microsoft, we will discuss the method via USB keyboards.

Forcing a System Crash From the Keyboard

Begin by opening a command prompt with administrative privileges. To do this, open the Start menu and click on Command Prompt (Admin):

Figure 6. Invoking the Command Prompt with Elevated Privileges

In the command prompt window that opens, type in “regedit” and hit Enter:

Figure 7. Opening and Editing the Windows Registry

This opens the Registry Editor screen. Now expand all the way to the following section:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

Right-click on CrashControl and create a new DWORD with the name CrashDumpEnabled which will appear in the right hand pane. Next, modify its value by right-clicking on CrashDumpEnabled in the right hand pane and selecting Modify:

Figure 8. Editing the Registry. Modifying the new registry DWORD CrashDumpEnabled

In the Edit DWORD Value dialog that opens, enter Value data as 1 and click on OK:

Figure 9. Editing the Value Data of CrashDumpEnabled

The next step is to go to the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters

Right-click on Parameters and create a new DWORD with the name CrashOnCtrlScroll, which will appear in the right pane:

Figure 10. Editing the Registry. Creating the new Registry DWORD CrashOnCtrlScroll

Now, modify the CrashOnCtrlScroll value by right-clicking on CrashOnCtrlScroll in the right pane and selecting Modify:

Figure 11. Modifying the Registry DWORD entry CrashOnCtrlScroll

In the Edit DWORD Value dialog that opens, enter Value data as 1 and click on OK:

Figure 12. Editing the Value data of CrashOnCtrlScroll

Restart the server for the new values to take effect.

Next, to crash the server, press the combination of keys:

CTRL + SCROLL LOCK + SCROLL LOCK

Note: Press SCROLL LOCK key twice while holding down the CTRL key.

The server will crash and restart and should have created a new dump file.

Note: As described in the Microsoft support pages referred to above, this method does not always work. For other methods, you can refer to the additional Microsoft support pages.
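The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of Microsoft's documentation: it writes the same two DWORD values and then reads back the Startup and Recovery settings, including the page file check for a complete memory dump. The helper names Set-Dword and Get-CrashDumpConfig are hypothetical, and the mapping of CrashDumpEnabled values (0, 1, 2, 3, 7) to dump types is the standard Windows one, which the article does not list.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the two registry values from the steps above, then reads
# back the Startup and Recovery settings. Set-Dword and Get-CrashDumpConfig are
# hypothetical helper names, not built-in cmdlets.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$kbdhid       = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'

# CrashDumpEnabled value -> dump type selected under "Write debugging information".
$dumpTypes = @{
    0 = 'No memory dump';    1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
    3 = 'Small memory dump'; 7 = 'Automatic memory dump'
}

function Set-Dword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force creates the value when it is missing and overwrites it when present.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-CrashDumpConfig {
    $cc    = Get-ItemProperty -Path $crashControl
    $kbd   = Get-ItemProperty -Path $kbdhid -ErrorAction SilentlyContinue
    $ramMB = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    # AllocatedBaseSize is reported in MB; sum it across all page files.
    $pfMB  = (Get-CimInstance Win32_PageFileUsage | Measure-Object AllocatedBaseSize -Sum).Sum
    [pscustomobject]@{
        DumpType          = $dumpTypes[[int]$cc.CrashDumpEnabled]
        DumpFile          = $cc.DumpFile
        Overwrite         = [bool]$cc.Overwrite
        AutoReboot        = [bool]$cc.AutoReboot
        CrashOnCtrlScroll = [bool]$kbd.CrashOnCtrlScroll
        RamMB             = $ramMB
        PageFileMB        = $pfMB
        # A complete dump needs a page file of at least RAM + 1 MB.
        PageFileOkForComplete = ($pfMB -ge ($ramMB + 1))
    }
}

Set-Dword -Path $crashControl -Name 'CrashDumpEnabled'  -Value 1   # 1 = complete memory dump
Set-Dword -Path $kbdhid       -Name 'CrashOnCtrlScroll' -Value 1   # CTRL + SCROLL LOCK twice

$config = Get-CrashDumpConfig
$config | Format-List
if (-not $config.PageFileOkForComplete) {
    Write-Warning 'Page file is smaller than RAM + 1 MB; a complete dump may not be written.'
}
Write-Host 'Restart the server for the new values to take effect.'
```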

This article explained why Windows Server dump files are considered important and how we can configure Windows Server 2012 R2 to save crash dump files. We saw the different memory dumps (Automatic Memory Dump, Complete Memory Dump, Kernel Memory Dump, Small Memory Dump, No Memory Dump) and how to configure the dump’s settings. More articles on Windows Server 2012 can be found in our Windows Server 2012 Section.
