Editing Core dump (section)

=== Windows memory dumps ===
[[Microsoft Windows]] supports two memory dump formats, described below.

==== Kernel-mode dumps ====
{{Main article|Blue Screen of Death}}

There are five types of kernel-mode dumps:<ref>{{cite web|url=https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files|title=Varieties of Kernel-Mode Dump Files|publisher=Microsoft|access-date=22 February 2018|archive-date=22 February 2018|archive-url=https://web.archive.org/web/20180222165040/https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files|url-status=live}}</ref>
* Complete memory dump{{snd}} contains full physical memory for the target system.
* Kernel memory dump{{snd}} contains all the memory in use by the kernel at the time of the crash.
* Small memory dump{{snd}} contains various info such as the stop code, parameters, list of loaded device drivers, etc.
* Automatic Memory Dump (Windows 8 and later){{snd}} same as Kernel memory dump, but if the [[Paging#PAGEFILE-SYS|paging file]] is both System Managed and too small to capture the Kernel memory dump, it will automatically increase the paging file to at least the size of RAM for four weeks, then reduce it to the smaller size.<ref>{{Cite web|url=https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/automatic-memory-dump|title=Automatic Memory Dump|date=28 November 2017|publisher=Microsoft|language=en-us|access-date=16 March 2018|archive-date=17 March 2018|archive-url=https://web.archive.org/web/20180317102216/https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/automatic-memory-dump|url-status=live}}</ref>
* Active memory dump (Windows 10 and later){{snd}} contains most of the memory in use by the kernel and user mode applications.
To analyze the Windows kernel-mode dumps [[WinDbg|Debugging Tools for Windows]] are used, a set that includes tools like WinDbg & DumpChk.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/windows/hardware/dn745912(v=vs.85).aspx|title=Getting Started with WinDbg (Kernel-Mode)|access-date=30 September 2014|archive-date=14 March 2016|archive-url=https://web.archive.org/web/20160314141124/https://msdn.microsoft.com/en-us/library/windows/hardware/dn745912(v=vs.85).aspx|url-status=live}}</ref><ref>{{cite web|url=https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging|title=Get started with Windows debugging|access-date=14 December 2024}}</ref><ref>{{cite web|url=https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/extra-tools|title=Tools included in Debugging Tools for Windows
|access-date=14 December 2024}}</ref>

==== {{Anchor|MINIDUMP}}User-mode memory dumps ====
User-mode memory dump, also known as ''minidump'',<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/windows/desktop/ms680369(v=vs.85).aspx|title=Minidump Files|access-date=30 September 2014|archive-date=27 October 2014|archive-url=https://web.archive.org/web/20141027044054/http://msdn.microsoft.com/en-us/library/windows/desktop/ms680369(v=vs.85).aspx|url-status=live}}</ref> is a memory dump of a single process. It contains selected data records: full or partial (filtered) process memory; list of the [[Thread (computing)|threads]] with their [[call stack]]s and state (such as [[Processor register|registers]] or [[Win32 Thread Information Block|TEB]]); information about [[Handle (computing)|handles]] to the kernel objects; list of loaded and unloaded [[Dynamic-link library|libraries]]. Full list of options available in <code>MINIDUMP_TYPE</code> enum.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/windows/desktop/ms680519(v=vs.85).aspx|title=MINIDUMP_TYPE enumeration|access-date=30 September 2014|archive-date=11 January 2015|archive-url=https://web.archive.org/web/20150111022428/http://msdn.microsoft.com/en-us/library/windows/desktop/ms680519(v=vs.85).aspx|url-status=live}}</ref>