A small memory dump file records the smallest set of useful information that may help identify why your computer has stopped unexpectedly. This option requires a paging file of at least 2 megabytes (MB) on the boot volume. On computers that are running Microsoft Windows 2000 or later, Windows create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder.
This dump file type includes the following information:
- The Stop message and its parameters and other data
- A list of loaded drivers
- The processor context (PRCB) for the processor that stopped
- The process information and kernel context (EPROCESS) for the process that stopped
- The process information and kernel context (ETHREAD) for the thread that stopped
- The Kernel-mode call stack for the thread that stopped
The small memory dump file can be useful when hard disk space is limited. However, because of the limited information that is included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.
If a second problem occurs and if Windows creates a second small memory dump file, Windows preserves the previous file. Windows gives each file a distinct, date-encoded file name. For example, Mini022900-01.dmp is the first memory dump file that was generated on February 29, 2000. Windows keeps a list of all the small memory dump files in the %SystemRoot%\Minidump folder.
http://support.microsoft.com/kb/315263
To configure startup and recovery options to use the small memory dump file, follow these steps.
Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
- Click Start, point to Settings, and then click Control Panel.
- Double-click System.
- Click the Advanced tab, and then click Settings under Startup and Recovery.
- In the Write debugging information list, click Small memory dump (64k).
To download and install the Windows debugging tools, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a
Install the Symbols for the OS or Use the Microsoft Symbol Server to obtain debug symbol files http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#f
Note http://msdl.microsoft.com/download/symbols is not browsable and is only intended for access by the debugger.
Then start the Windbg (Windows Debugging Tools) and load the symbol file path.
Open the mini-dump and Examine the dump file
- The !analyze -show command displays the Stop error code and its parameters. The Stop error code is also known as the bug check code.
- The !analyze -v command displays verbose output.
- The lm N T command lists the specified loaded modules. The output includes the status and the path of the module.
Here you can see the culprit was a Sound driver trying to write to a readonly section of the RAM
The mini dump analysis follows:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Mini110409-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Nov 4 07:26:14.453 2009 (GMT-6)
System Uptime: 134 days 15:49:08.781
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
...............................................................
..................................................
Use !analyze -v to get detailed debugging information.
BugCheck 100000BE, {aba870d2, 10c14121, a7f777d4, a}
*** WARNING: Unable to verify timestamp for hal.dll
*** WARNING: Unable to verify timestamp for sysaudio.sys
Unable to load image ks.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ks.sys
Unable to load image wdmaud.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for wdmaud.sys
Probably caused by : sysaudio.sys ( sysaudio!CFilterInstance::FilterDispatchIoControl+53 )
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arg1: aba870d2, Virtual address for the attempted write.
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 8054b75f to 8054b10f
a7f77888 8054b75f 00000001 8918a310 88bc7cf8 nt!MiReleaseSystemPtes+0x114
a7f778c8 804f4c20 88bc7900 893de3e0 88b86cd8 nt!ExAllocatePoolWithTag+0x3df
a7f77920 804ff853 88b86cd8 a7f7796c a7f77960 nt!CcSetFileSizes+0x1a6
a7f77970 806e6ef2 00000000 00000000 a7f77988 nt!CcPerformReadAhead+0x16d
a7f77988 806e6ae4 badb0d00 00000000 88bc7cf8 hal!HalBuildMdlFromScatterGatherList+0xde
a7f77a18 804f17f6 88b86cd8 8918a310 00000000 hal!HalpAllocateAdapterCallback+0x82
a7f77a4c a8b1efe7 8918a310 89c2ae98 89bd3b70 nt!Magic86400000+0x2ee
a7f77a90 b7deff95 89bd3b70 88b86c98 a7f77adc sysaudio!CFilterInstance::FilterDispatchIoControl+0x53
a7f77aa0 804ef19f 89bd3b70 88b86c98 88b86c98 ks!DispatchDeviceIoControl+0x28
a7f77adc a84b24df 8918a310 00000000 002f0003 nt!MiFlushSectionInternal+0x256
a7f77b30 a84b227e 8918a310 00000002 e3fb3960 wdmaud!GetTopologyProperty+0x84
a7f77b58 a84b231e 8918a310 89c93708 00000009 wdmaud!ControlNodeFromGuid+0x3f
a7f77b7c a84b2417 8918a310 89c93708 00000009 wdmaud!GetControlNodes+0x2a
a7f77bb0 a84b2813 00000000 00000009 00000001 wdmaud!OpenSysAudioPin+0xe5
a7f77bec a84b1a83 00000092 00000009 88e64708 wdmaud!OpenWavePin+0x3e2
a7f77c18 a84b1382 88d55860 88e64708 00000000 wdmaud!Dispatch_OpenPin+0xb7
a7f77c40 804ef19f 00000010 88b10000 806e6410 wdmaud!SoundDispatch+0x430
a7f77c64 805807f7 890c1230 88d55860 89c86e08 nt!MiFlushSectionInternal+0x256
a7f77d00 80579274 0000034c 000002e4 00000000 nt!NtSetInformationThread+0x125
a7f77d34 8054162c 0000034c 000002e4 00000000 nt!SepOpenTokenOfThread+0x87
a7f77d64 7c90e4f4 badb0d00 0012ec78 a91f7d98 nt!RtlIpv4StringToAddressExW+0xad
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7f77d78 00000000 00000000 00000000 00000000 0x7c90e4f4
sysaudio!CFilterInstance::FilterDispatchIoControl+53
SYMBOL_NAME: sysaudio!CFilterInstance::FilterDispatchIoControl+53
DEBUG_FLR_IMAGE_TIMESTAMP: 48025beb
FAILURE_BUCKET_ID: 0xBE_sysaudio!CFilterInstance::FilterDispatchIoControl+53
BUCKET_ID: 0xBE_sysaudio!CFilterInstance::FilterDispatchIoControl+53