[windows-server-2008] A process crashed in Windows: crash dump location

A Windows process crashed for some reason. I need to analyse the crash dump.

In Windows 2003 PC health helped us to find the crash dump file.

How to get the crash dump file location in Windows 2008?

This question is related to windows-server-2008 crash-dumps

The answer is


The location is in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Source: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx


Maybe useful (PowerShell)

http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/

From Windows Vista and Windows Server 2008 onwards Microsoft introduced Windows Error Reporting, or WER. This allows the server to be configured to automatically enable the generation and capture of application crash dumps. The configuration of this is discussed here. The main problem with the default configuration is the dump files are created and stored in the %APPDATA%\crashdumps folder running the process, which can make it awkward to collect dumps as they are spread all over the server. There are additional problems with this, but the main problem I always had with it was that it's a simple task that is very repetitive but easy to do incorrectly.

Source code in PowerShell (should be useful source code in C# too):

# Folder that will receive the dumps. Example value: $Folder was not defined in the snippet.
$Folder = "C:\CrashDumps"

# Create the LocalDumps key if it does not exist yet
$verifydumpkey = Test-Path "HKLM:\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps"

if ($verifydumpkey -eq $false)
{
    New-Item -Path "HKLM:\Software\Microsoft\Windows\Windows Error Reporting" -Name LocalDumps
}

##### adding the values

$dumpkey = "HKLM:\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps"

# DumpFolder: where dumps are written; DumpCount: maximum number of dumps kept;
# DumpType: 2 = full dump (1 = mini dump)
New-ItemProperty $dumpkey -Name "DumpFolder" -Value $Folder -PropertyType "ExpandString" -Force
New-ItemProperty $dumpkey -Name "DumpCount" -Value 10 -PropertyType "Dword" -Force
New-ItemProperty $dumpkey -Name "DumpType" -Value 2 -PropertyType "Dword" -Force

WER -Windows Error Reporting- Folders:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

%localappdata%\Microsoft\Windows\WER

%LOCALAPPDATA%\CrashDumps

C:\Users\[Current User when app crashed]\AppData\Local\Microsoft\Windows\WER\ReportArchive

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

c:\Users\All Users\Microsoft\Windows\WER\ReportQueue\

BSOD Crash

%WINDIR%\Minidump

%WINDIR%\MEMORY.DMP

Sources:
http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
http://support.microsoft.com/kb/931673
https://support2.microsoft.com/kb/931673?wa=wsignin1.0


I have observed on Windows 2008 the Windows Error Reporting crash dumps get staged in the folder:

C:\Users\All Users\Microsoft\Windows\WER\ReportQueue

Which, starting with Windows Vista, is an alias for:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue


Windows 7, 64 bit, no modifications to the Registry key, the location is:

C:\Users\[Current User when app crashed]\AppData\Local\Microsoft\Windows\WER\ReportArchive


On Windows 2008 R2, I have seen application crash dumps under either

C:\Users\[Some User]\Microsoft\Windows\WER\ReportArchive

or

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

I don't know how Windows decides which directory to use.


http://support.microsoft.com/kb/931673

There are Registry changes you can make to explicitly select where the crash dump file resides, otherwise %localappdata%\Microsoft\Windows\WER is the default location. I assume that %localappdata% is defined differently for a user or a service running under System. You will need to enable WER I believe.


A core dump is usually only made when the Windows kernel crashes (aka blue screen). A service crash will most of the time only leave some logging behind (in the Event Viewer, probably).

If it is the bluescreen crash dump you are looking for, look in C:\Windows\Minidump or C:\windows\MEMORY.DMP
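
The locations collected in the answers above can be checked in one pass. The following PowerShell is an added example, not code from any of the answers; the function name Get-ConfiguredDumpFolder and the file patterns it searches for (*.dmp, *.mdmp, *.hdmp) are assumptions of this example.

```powershell
# Added example (not from the original answers): list user-mode and kernel dump files.
$localDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Get-ConfiguredDumpFolder {
    param([string]$KeyPath)
    # Returns the expanded DumpFolder value of a key, or nothing when it is not set.
    $value = (Get-ItemProperty -Path $KeyPath -Name DumpFolder -ErrorAction SilentlyContinue).DumpFolder
    if ($value) {
        # Expanded with the environment of the account running this script, which
        # may differ from the account the crashed process ran under.
        [Environment]::ExpandEnvironmentVariables($value)
    }
}

$candidates = @(
    "$env:LOCALAPPDATA\CrashDumps",             # WER default when DumpFolder is not set
    "$env:LOCALAPPDATA\Microsoft\Windows\WER",  # per-user ReportArchive / ReportQueue
    "$env:ProgramData\Microsoft\Windows\WER",   # machine-wide ReportArchive / ReportQueue
    "$env:WINDIR\Minidump"                      # kernel (BSOD) minidumps
)

if (Test-Path $localDumps) {
    $candidates += Get-ConfiguredDumpFolder $localDumps
    # Per-application subkeys (LocalDumps\<image name>) can override the global folder.
    foreach ($sub in Get-ChildItem $localDumps) {
        $candidates += Get-ConfiguredDumpFolder $sub.PSPath
    }
} else {
    Write-Warning "LocalDumps key not found: WER local dump collection is not configured."
}

# Search every existing candidate folder once, skipping empty entries and duplicates.
$dumps = foreach ($dir in ($candidates | Where-Object { $_ } | Sort-Object -Unique)) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Include *.dmp, *.mdmp, *.hdmp -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}
# The complete kernel dump is a single file, not a folder.
$dumps = @($dumps) + @(Get-Item "$env:WINDIR\MEMORY.DMP" -ErrorAction SilentlyContinue)

# Newest first, so the dump from the crash under investigation is at the top.
$dumps | Sort-Object LastWriteTime -Descending | Select-Object LastWriteTime, Length, FullName
```

Run it from an elevated prompt so other users' profile folders and %WINDIR% are readable; for a service, run it under the same account, since %LOCALAPPDATA% resolves per account. A full dump (DumpType 2) contains the entire memory of the process, so handle the files found accordingly.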