Windows 2003 dump file

When a Windows machine stops unexpectedly, a ‘dump file’ of information about the crash is written to %systemroot%\MEMORY.DMP.

This file contains information that will assist you in determining the cause of the stop:

  • List of drivers loaded at the time of the crash
  • Details of the stop message
  • Details of the process that crashed/stopped

There are several types of dumps that Windows can create:

a) Complete memory dump – this basically does exactly what it says on the tin. The entire contents of physical memory at the time of the crash are written to the dump file. This type of dump is the default on Windows Server. Your page file must be at least equal in size to the amount of physical memory in the machine, plus 100MB for the header. NOTE – this isn’t available on machines with more than 2GB, in which case the default is a kernel memory dump, written to the same location. ADDITIONAL NOTE – creating a complete memory dump on a machine with at or close to 2GB of physical memory can take several minutes.

b) Kernel memory dump – smaller than a complete memory dump, this contains the kernel mode pages in physical memory at the time of the stop. The size of the dump varies, as it depends on the amount of memory allocated to kernel mode at the time.

c) Minidump (Small Memory Dump) – a 64k dump file is created which contains details of loaded drivers, the stop code and details of the thread that caused the crash.

You can change what type of dumpfile your server creates by right-clicking My Computer, selecting Properties from the context menu to bring up the System Properties dialog and then clicking the Advanced tab.

Windows Recovery Options Dialog

Which type of dump should you use?  I tend to stick with the defaults – a full dump on a system with <2GB physical memory, kernel dump on systems with >2GB

Analyzing the dump file

If the file you are analyzing is a MiniDump, you can use dumpchk.exe from the Windows Support Tools.  For the other types, I use the Windows Debugging Tools.

Here’s how to set the debugger up and use it to analyze the dump file.

1. Grab the Windows Debugging Tools from http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx and install them

2. Find the tools on your start menu (under All Programs..Debugging Tools for Windows)  and open WinDbg

Windows Debugger Symbol Path Dialog

3. In WinDbg, go to File and choose Symbol File Path.  Enter the following in the box:-

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

and click OK to close

4. In WinDbg, go to File..Open Crash Dump.  Locate the MEMORY.DMP file you want to analyze and click Open.

5. The dump will be loaded and you will see the information recorded at the time of the crash.  To run a bugcheck analysis, type !analyze -v.

In this case, iostor.sys is the likely cause

6. Read the analysis; it will often help you pinpoint the cause of the stop. Look for MODULE_NAME, IMAGE_NAME, PROCESS_NAME, etc. for clues.

This is especially helpful for tracking down problem drivers – if you find a driver is indicated as the cause, make sure you are running the latest version.   If you are, it may be worth contacting the vendor and providing your memory dump for analysis.

About markholmes28
Systems administrator at a well known UK University. Skills include VMWare ESX, Active Directory, Windows Server, Linux

Should you ever be unfortunate enough to uncover a bug in Windows 2003 itself — a painful process that begins with mysterious server failures and progresses to long, arduous calls to Microsoft’s technical support staff — you’ll probably have to create a crash dump for their use.

Reading crash dumps is well beyond the ken of ordinary system or network administrators. You just need to recognize the term and know how to create a crash dump for some expert to peruse at his or her leisure.

Therefore, we begin with a definition: A crash dump is a snapshot of everything in memory when a Windows 2003 system configured to capture a crash dump actually crashes. It includes information about the operating system, the hardware, applications, and all types of other information that Windows 2003 usually keeps hidden from view and uses to manage its own operations.

Experts can pick through a crash dump to pinpoint causes of a crash and use their knowledge to start formulating fixes or workarounds. This is one of the things that drives the creation of the patches and fixes that eventually show up in the service packs — in case you were wondering where that stuff comes from.

To enable a crash dump, your computer must first meet the following criteria:

  • Your paging file must reside on the same partition where the Windows 2003 system files reside. This is called the boot partition in Windows 2003-speak. The paging file contributes to the bulk of the crash dump and must be accessible after the system quits working — that means it must be on the same drive where the crash dump utility resides.

  • You must have sufficient free space on the boot partition to capture everything in RAM plus everything in the paging file. This means that the free space must equal the sum of those values (RAM and the paging file). To determine the amount of free space you need, open Task Manager, click the Performance tab, and look at the number reported in the Limit box in the Commit Charge pane. (To launch Task Manager, right-click any open area on the taskbar and choose Task Manager.) This represents the number of kilobytes of free space you’ll need (to convert to MB, divide this number by 1024).

After you meet these criteria, you can enable crash dumps in the Startup and Recovery dialog box. To display this dialog box, choose Control Panel > System, click the Advanced tab, and click the Settings button under Startup and Recovery. The Write Debugging Information section contains a pull-down list where you can select to write a small dump file, a kernel-only dump file, a complete dump file, or none at all. The default filename (%systemroot%\MEMORY.DMP) is defined in the Dump File box. You don’t need to change this default. The Startup and Recovery dialog box is shown in Figure 19-3.


Figure 19-3: Selections to capture a crash dump.

After you select the dump file settings, the next time your system experiences a STOP error (a serious error that can result in data corruption if left unresolved), it writes the MEMORY.DMP file to your Windows 2003 system directory. By default, the value of the symbol %systemroot% is equal to C:\WINDOWS, assuming that you installed Windows Server 2003 on the C: drive with the default system root directory name.

A crash dump creates two interesting problems. First, because the sum of RAM and the paging file is probably 200MB or more, you must find a way to get a copy to technical support. (You’d better have a fast Internet link.) Second, you must remember to delete that file after you copy it; otherwise, your server is likely to run out of space on the boot partition.

Tip 

Compressing crash dumps usually reduces them by 70 percent or more, so we recommend that you zip them (using a utility such as WinZip, which can be found at http://www.winzip.com) before you send them.

Windows Server 2003 Enterprise can recognise greater than 4GB of memory, but the limit for a pagefile which is used to dump memory to is 4095MB.

When a server hangs or becomes unresponsive, a STOP error is not generated, and one must be triggered manually. This can cause some difficulty on servers that may not have an attached keyboard, such as blades.

1) Limit the memory to less than 4095MB

Update BOOT.INI with the /maxmem switch

[boot loader]
redirect=UseBiosSettings
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="4GB: Windows Server 2003, Enterprise" /maxmem=4044 /noexecute=optout /fastdetect /redirect /pae
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect /redirect /pae

2) Set the pagefile to 4095MB

The pagefile on the system drive (C:) needs to be set to 4095 for both the initial and maximum sizes.

— Ensure there is sufficient space on the system drive (C:) for the additional pagefile space

— Right click on My Computer and select Properties from the context menu

— Select the Advanced tab

— Click Settings under Performance

— Select the Advanced tab

— Click Change under Virtual Memory

— Select C:

— Select the Custom size radio button

— Enter 4095 for Initial size (MB)

— Enter 4095 for Maximum size (MB)

— Click Set

— Click Yes to the warning about memory size

— Click OK

— Click OK

— Click OK

3) Enable Crash Dump Registry Entries

Set the following registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
; Enable Complete Memory Dump
"CrashDumpEnabled"=dword:00000001
; Allow Crash Dump via NMI 
"NMICrashDump"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
; Allow Crash Dump via PS/2 Keyboard
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
; Allow Crash Dump via USB Keyboard 
"CrashOnCtrlScroll"=dword:00000001

If there is insufficient space on C:, the memory dump can be written to another drive:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"DumpFile"=<path to MEMORY.DMP>

4) Reboot the server

This will activate all the changes made above.

5) Generate a test crash dump

For a PS/2 or USB keyboard, or from the console of VMware virtual machine:

Press Right CTRL + Scroll Lock + Scroll Lock

For an HP blade from the HP BladeSystem Onboard Administrator:

— Select the server under Device Bays

— Select iLO

— Select Web Administrator

— Select Diagnostics

— Click Generate NMI to System

This should BSOD the server and create a memory dump. If none of the above methods work, the crash dump can be generated using the Citrix SystemDump utility.
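To check steps 1 and 3 before the reboot, the following added example (not part of the original procedure) audits a regedit export and a copy of BOOT.INI against the values listed above. The function names and the sample inputs are constructed for illustration, and it assumes both files have already been read into text strings.

```python
import re

HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
REQUIRED = {  # (key, value name) -> dword the procedure above sets
    (HKLM + r"\Control\CrashControl", "CrashDumpEnabled"): 1,
    (HKLM + r"\Control\CrashControl", "NMICrashDump"): 1,
    (HKLM + r"\Services\i8042prt\Parameters", "CrashOnCtrlScroll"): 1,
    (HKLM + r"\Services\kbdhid\Parameters", "CrashOnCtrlScroll"): 1,
}

def parse_reg(text):
    """Parse regedit export text into {(KEY, NAME): int} for dword values."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()  # registry paths are case-insensitive
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            values[(key, m.group(1).upper())] = int(m.group(2), 16)
    return values

def maxmem_values(boot_ini):
    """Return /maxmem (MB) for each [operating systems] entry, None where absent."""
    out, in_os = [], False
    for line in map(str.strip, boot_ini.splitlines()):
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
        elif in_os and line:
            m = re.search(r"/maxmem=(\d+)", line, re.I)
            out.append(int(m.group(1)) if m else None)
    return out

def audit(reg_text, boot_ini):
    """List deviations from the procedure; an empty list means nothing to fix."""
    have, findings = parse_reg(reg_text), []
    for (key, name), want in REQUIRED.items():
        if (got := have.get((key.upper(), name.upper()))) != want:
            findings.append(f"{key}\\{name}: expected {want}, found {got}")
    if not any(v is not None and v < 4095 for v in maxmem_values(boot_ini)):
        findings.append("boot.ini: no entry with /maxmem below 4095")
    return findings

# Constructed sample: CrashDumpEnabled is 2, NMI and kbdhid values missing, no /maxmem.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001'''
SAMPLE_BOOT = r'''[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003" /fastdetect'''
print(*audit(SAMPLE_REG, SAMPLE_BOOT), sep="\n")
```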

Windows · September 28, 2024


Blue screen errors, commonly referred to as the “Blue Screen of Death” (BSOD), can be a significant issue for file servers running Windows 2003. These errors can lead to system crashes, data loss, and downtime, which can be detrimental for businesses relying on these servers. Understanding the complete process for diagnosing and repairing these issues is crucial for maintaining server integrity and performance.

Understanding the Blue Screen Error

The blue screen error typically indicates a critical system error that the operating system cannot recover from without a restart. The error message displayed on the blue screen often includes a stop code, which can help identify the underlying issue. Common causes of BSOD in Windows 2003 include:

  • Hardware failures (e.g., faulty RAM, hard drives)
  • Driver conflicts or outdated drivers
  • Corrupted system files
  • Malware infections
  • Overheating components

Initial Steps for Troubleshooting

When faced with a blue screen error, the first step is to gather information about the error. This can be done by:

  • Recording the stop code and any associated error messages displayed on the blue screen.
  • Checking the Event Viewer for any critical errors that occurred prior to the crash.
  • Reviewing recent changes made to the server, such as software installations or hardware upgrades.

Booting into Safe Mode

Booting the server into Safe Mode can help isolate the issue. Safe Mode loads only essential drivers and services, allowing you to troubleshoot without interference from third-party applications. To boot into Safe Mode:

  1. Restart the server.
  2. Press F8 repeatedly during the boot process until the Advanced Boot Options menu appears.
  3. Select Safe Mode and press Enter.

Once in Safe Mode, you can perform several diagnostic tasks:

  • Run a virus scan using an updated antivirus program.
  • Uninstall any recently added software or drivers that may be causing conflicts.
  • Check for hardware issues by running diagnostic tools provided by the hardware manufacturer.

Analyzing Dump Files

Windows 2003 creates memory dump files when a blue screen error occurs. Analyzing these files can provide insights into the cause of the crash. To analyze dump files:

  1. Locate the dump files, typically found in the C:\Windows\Minidump directory.
  2. Use a debugging tool such as WinDbg to open the dump file.
  3. Run the command !analyze -v to get a detailed analysis of the crash.

This analysis will often point to the specific driver or hardware component that caused the issue, allowing for targeted repairs.
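When several crashes or several servers are involved, the fields that both walkthroughs on this page point to (MODULE_NAME, IMAGE_NAME, PROCESS_NAME) can be pulled from saved !analyze -v output and tallied. This is an added example, not part of the original articles; the function names and the sample excerpts are constructed, and it assumes the debugger output was saved as text.

```python
import re
from collections import Counter

FIELDS = ("MODULE_NAME", "IMAGE_NAME", "PROCESS_NAME")  # fields named in the text

def parse_analysis(text):
    """Extract the stop code and blame fields from one saved !analyze -v output."""
    found = {}
    # Header line of the analysis, e.g. "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)"
    m = re.search(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    if m:
        found["STOP_NAME"], found["STOP_CODE"] = m.group(1), int(m.group(2), 16)
    for name in FIELDS:
        m = re.search(rf"^{name}:[ \t]*(.+?)[ \t]*$", text, re.M)
        if m:
            found[name] = m.group(1)
    return found

def summarize(outputs):
    """Count (stop code, image) pairs across crashes; recurring pairs come first."""
    pairs = Counter()
    for fields in map(parse_analysis, outputs):
        stop = f"0x{fields['STOP_CODE']:X}" if "STOP_CODE" in fields else "unknown"
        # A missing IMAGE_NAME means the analysis named no image for this crash.
        image = fields.get("IMAGE_NAME", "unknown").lower()
        pairs[(stop, image)] += 1
    return pairs.most_common()

# Constructed excerpts shaped like !analyze -v output; not taken from a real dump.
SAMPLES = [
    "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)\nPROCESS_NAME:  System\n"
    "MODULE_NAME: iostor\nIMAGE_NAME:  iostor.sys\n",
    "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)\nPROCESS_NAME:  Idle\n"
    "MODULE_NAME: iostor\nIMAGE_NAME:  IOSTOR.SYS\n",
    "KERNEL_DATA_INPAGE_ERROR (7a)\nPROCESS_NAME:  services.exe\n",
]

if __name__ == "__main__":
    for (stop, image), count in summarize(SAMPLES):
        print(f"{count}x STOP {stop} in {image}")
```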

Repairing Corrupted System Files

If corrupted system files are suspected, the System File Checker (SFC) tool can be used to scan and repair these files. To run SFC:

  1. Open the Command Prompt with administrative privileges.
  2. Type sfc /scannow and press Enter.

This process may take some time, and it will automatically replace any corrupted files with the correct versions from the Windows installation media.

Updating Drivers and Firmware

Outdated or incompatible drivers can lead to blue screen errors. Ensure that all drivers, especially for critical components like graphics cards and network adapters, are up to date. Visit the manufacturer’s website to download the latest drivers. Additionally, check for firmware updates for hardware components, as these can also resolve compatibility issues.

Conclusion

Addressing blue screen issues on a Windows 2003 file server requires a systematic approach to troubleshooting. By gathering information, booting into Safe Mode, analyzing dump files, repairing corrupted system files, and updating drivers, administrators can effectively diagnose and resolve these critical errors. In the next part of this article, we will explore further steps and preventive measures to ensure server stability.
