How to trigger a full memory dump based on a user mode process exception

Scenario: You have something kernel related triggering crashes of user mode processes (you think). You are trying to prove it. You're told you need a full memory dump of the system at time of the crash of the user mode process.

How to do it?

Glad you asked!

(To back this out, delete the task. If something goes wrong and the machine boots into a crash loop, booting into Safe Mode should stop it too.)

Step .5: Logon with an administrative rights account.  🙂

Step 1: Follow KB969028 so you are configured properly for a full memory dump.

Step 2: Download NotMyFault from here. Unzip it to C:\notmyfault. Unblock the exe and sys files (if needed) by right-clicking each one, selecting Properties, then clicking "Unblock":

Step 3: Run task scheduler and select "Create Basic Task…" in the right Actions pane:

Step 4: Give your basic task a clever name. Mine is 'crashme'. Click next.

Step 5: Answer the radio button question with "When a specific event is logged". See where I'm going with this?

Step 6: Set Log to Application, Source to Application Error and Event ID to 1000, as seen below:

Select Next.

Step 7: Select Next as we want "Start a program" selected and it's the default.

Step 8: Browse to C:\notmyfault\x<your system architecture here>\NotMyFault.exe. Add /crash as the argument, and set "Start in" to "C:\notmyfault\<xwhatever>". As seen below for x64:

Select Next.

Step 9: Check the box to open the task properties and click Finish.

Step 10: Check the "Run with highest privileges" box, and on the Settings tab uncheck the "Stop the task if it runs longer than" box, then click OK.

Step 11: Wait for your app to crash. Enjoy.
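The same task built from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes NotMyFault is already unzipped under C:\notmyfault\<arch> and reuses the post's task name, event filter, "highest privileges" setting and /crash argument; the task runs as the currently logged-on admin account.

```powershell
# Added example (not from the original post): scripts Steps 1-10 with PowerShell.
# Assumptions: NotMyFault is already unzipped to C:\notmyfault\<arch>, and the
# task runs as the currently logged-on admin, matching the post's GUI settings.
#Requires -RunAsAdministrator

# Step 1 check: KB969028 wants a Complete memory dump (CrashDumpEnabled = 1).
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
if ($cc.CrashDumpEnabled -ne 1) {
    Write-Warning "CrashDumpEnabled is $($cc.CrashDumpEnabled); set it to 1 (Complete) per KB969028 and reboot first."
}

# Step 2: pick the folder for this architecture and unblock the downloaded files.
$arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'x64' } else { 'x86' }
$dir  = "C:\notmyfault\$arch"
Get-ChildItem $dir -Include *.exe,*.sys -Recurse | Unblock-File

# Steps 3-10: trigger on Application log / Application Error / Event ID 1000,
# highest privileges, no execution time limit (PT0S), action = NotMyFault /crash.
$user  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$query = "<QueryList><Query Id='0' Path='Application'><Select Path='Application'>" +
         "*[System[Provider[@Name='Application Error'] and EventID=1000]]</Select></Query></QueryList>"
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$([System.Security.SecurityElement]::Escape($query))</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$dir\NotMyFault.exe</Command>
      <Arguments>/crash</Arguments>
      <WorkingDirectory>$dir</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
"@
Register-ScheduledTask -TaskName 'crashme' -Xml $xml -Force
```

Backing it out is `Unregister-ScheduledTask -TaskName 'crashme' -Confirm:$false`, the scripted equivalent of deleting the task.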

7 Comments

  1. Will try it out shortly and see if I can force-crash an app, maybe Outlook, and see the results, then use it in the office on one desktop.

  2. Ran x64 NotMyFault, selected the Crash tab and selected High IRQL fault (Kernel-mode), which basically simulated a crash and created a memory dump.
