README.md

Introduction

Newer Windows versions allow the creation of two specific types of kernel dumps from user mode:

  • Kernel triage dumps: These are taken for a specific process, and contain the kernel portion of the callstack. Available roughly since Windows Vista.
  • Kernel live dumps: These are not limited to a certain process. Available since roughly Windows 8.1.

There are various tools and APIs that allow creating these dumps; see below for a list. Ultimately, they all end up calling the undocumented NtSystemDebugControl() API with one of the following parameters:

  • SysDbgGetTriageDump=29 for kernel triage dumps.
  • SysDbgGetLiveKernelDump=37 for kernel live dumps.

The code in this repository here shows how to call that API directly.

This is a fork and improved version of github.com/lilhoser/livedump.

How to use

You can download the prebuilt binary from the releases page.
To build it yourself: Clone the git repository and open the solution in Visual Studio 2022.

Synopsis:

LiveDump.exe [type] [options] <FileName>
Type:
        triage : create a kernel triage dump (parameter 29)
        kernel : create a kernel live dump (parameter 37)
Options (kernel triage dump only):
        -t : Number of threads to include in the dump. Should be between 1 and 16. Default is 4.
        -p : PID to dump
Options (kernel live dump only):
        -c : compress memory pages in dump
        -d : Use dump stack
        -h : add hypervisor pages
        -u : also dump user space memory (possible starting with Windows 11 22H2)
FileName is the full path to the dump file to create.

Notes:

  • Run from an elevated command prompt.
  • The resulting dump files can be opened in WinDbg (but not in Visual Studio).
  • If a triage dump seems to be incomplete in the sense that the call stack shows only DbgkpLkmdSnapThreadInContext:
    • You can try a smaller thread number (-t).
    • Triage dumps are broken on systems with roughly 20 logical cores or more. See here for more information.
  • For triage dumps, the tool uses the first -t threads that it finds via the WinAPI. The main thread usually happens to come first, but the order is still undefined.
  • For live dumps, the -u option is available only starting with Windows 11 22H2, compare this Microsoft article and this blog post. Earlier versions result in error code 0xc0000354 (STATUS_DEBUGGER_INACTIVE).

Example: Create a triage dump for process with PID 12345, including the first 3 threads:

.\LiveDump triage -p 12345 -t 3 TriageDump.Kernel.dmp

More information

Documented APIs

The WinAPI MiniDumpWriteDump() allows the creation of "kernel mini dumps" (aka kernel triage dumps) via WriteKernelMinidumpCallback. From my research, this is calling NtSystemDebugControl() with parameter SysDbgGetTriageDump=29.

Other tools

Other tools that can capture kernel triage dumps:

Other tools that can capture kernel live dumps:

Resources

Links to interesting resources: