How to trigger a full memory dump based on a user mode process exception

Scenario: You have something kernel related triggering crashes of user mode processes (you think). You are trying to prove it. You're told you need a full memory dump of the system at time of the crash of the user mode process.

How to do it?

Glad you asked! <edit>

(to back this out, delete the task, if something goes wrong and it boots in a crash loop, booting in safe mode should stop it too)

Step .5: Logon with an administrative rights account.  🙂

Step 1: Follow KB969028 so you are configured properly for a full memory dump.

Step 2: Download NotMyFault from here. Unzip to C:\notmyfault. Unblock the exe and sys files (if needed) by right clicking and selecting properties then selecting "Un-block":

Step 3: Run task scheduler and select "Create Basic Task…" in the right Actions pane:

Step 4: Give your basic task a clever name. Mine is 'crashme'. Click next.

Step 5: Answer the radio button question with "When a specific event is logged". See where I'm going with this?

Step 6: Set Log to Application, Source to Application Error and Event ID to 1000, as seen below:

Select Next.

Step 7: Select Next as we want "Start a program" selected and it's the default.

Step 8: Browse to C:\notmyfault\x<your system architecture here>\NotMyFault.exe. Add /crash as your argument and Start in should be "C:\notmyfault\<xwhatever>. As seen below for x64:

Select Next.

Step 9: check the box to open the task properties and click Finish.

Step 10: Check the box "run with highest privileges" and on the Settings tab uncheck "Stop the task if it runs longer than" box and click Ok.

Step 11: Wait for your app to crash. Enjoy.