{"componentChunkName":"component---src-templates-post-template-js","path":"/windows-setting-fulldump-en","result":{"data":{"markdownRemark":{"id":"a5db78c0-5e72-5187-95cf-a71e3a19c677","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/windows-setting-fulldump\">original page</a>.</p>\n</blockquote>\n<p>I got tired of manually configuring full memory dump collection every time, so I wrote a PowerShell script to automate the settings.</p>\n<p>The basic settings are based on the following official blog post.</p>\n<p>Reference: <a href=\"https://jpwinsup.github.io/blog/2021/02/15/Performance/Hang_BSOD/MemoryDump/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Configuring Complete Memory Dump Output | Microsoft Japan Windows Technology Support Blog</a></p>\n<p>In addition to configuring full memory dump collection, I also changed the user-mode process dump settings so that full dumps can be collected, based on the following public documentation.</p>\n<p>Reference: <a href=\"https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Collecting User-Mode Dumps - Win32 apps | Microsoft Learn</a></p>\n<p>The script is below.</p>\n<p>You can also download it from <a href=\"/file/EnableFulldump.ps1\">EnableFulldump.ps1</a>.</p>\n<p><em>Administrator privileges are required to run it.</em></p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\"><span class=\"token comment\"># Settings of Full memory dump</span>\n<span class=\"token variable\">$crashControlRegPath</span> = <span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Control\\CrashControl\"</span>\n<span class=\"token variable\">$isExistKey</span> = <span class=\"token function\">Test-Path</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$crashControlRegPath</span>\n<span 
class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$isExistKey</span> <span class=\"token operator\">-eq</span> <span class=\"token boolean\">$False</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">New-Item</span> <span class=\"token operator\">-</span>Path <span class=\"token variable\">$crashControlRegPath</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$CrashControlRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"CrashDumpEnabled\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"1\"</span> <span class=\"token operator\">-</span>Force\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$CrashControlRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"AutoReboot\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"1\"</span> <span class=\"token operator\">-</span>Force\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$CrashControlRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"DumpFile\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"ExpandString\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"%SystemRoot%\\FULL_MEMORY.DMP\"</span> <span class=\"token 
operator\">-</span>Force\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$CrashControlRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"LogEvent\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"1\"</span> <span class=\"token operator\">-</span>Force\n\n<span class=\"token comment\"># Settings of Full application dump</span>\n<span class=\"token variable\">$localDumpsRegPath</span> = <span class=\"token string\">\"HKLM:SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\"</span>\n<span class=\"token variable\">$isExistKey</span> = <span class=\"token function\">Test-Path</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$localDumpsRegPath</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$isExistKey</span> <span class=\"token operator\">-eq</span> <span class=\"token boolean\">$False</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">New-Item</span> <span class=\"token operator\">-</span>Path <span class=\"token variable\">$localDumpsRegPath</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$localDumpsRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"DumpFolder\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"ExpandString\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"%LOCALAPPDATA%\\CrashDumps\"</span> <span class=\"token operator\">-</span>Force\n<span 
class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$localDumpsRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"DumpCount\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"2\"</span> <span class=\"token operator\">-</span>Force\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$localDumpsRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"DumpType\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"2\"</span> <span class=\"token operator\">-</span>Force\n\n<span class=\"token comment\"># Disable CrashOnCtrlScroll</span>\n<span class=\"token variable\">$parameterRegPaths</span> = @<span class=\"token punctuation\">(</span><span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Services\\i8042prt\\Parameters\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Services\\kbdhid\\Parameters\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Services\\hyperkbd\\Parameters\"</span>\n<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">foreach</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$parameterRegPath</span> in <span class=\"token variable\">$parameterRegPaths</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token variable\">$isExistKey</span> = <span class=\"token function\">Test-Path</span> <span class=\"token 
operator\">-</span>LiteralPath <span class=\"token variable\">$parameterRegPath</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$isExistKey</span> <span class=\"token operator\">-eq</span> <span class=\"token boolean\">$False</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">New-Item</span> <span class=\"token operator\">-</span>Path <span class=\"token variable\">$parameterRegPath</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$parameterRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"CrashOnCtrlScroll\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"0\"</span> <span class=\"token operator\">-</span>Force\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token comment\"># Setting alt dump key</span>\n<span class=\"token variable\">$parameterRegPaths</span> = @<span class=\"token punctuation\">(</span><span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Services\\i8042prt\\crashdump\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Services\\kbdhid\\crashdump\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token string\">\"HKLM:System\\CurrentControlSet\\Services\\hyperkbd\\crashdump\"</span>\n<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">foreach</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$parameterRegPath</span> in <span class=\"token variable\">$parameterRegPaths</span><span class=\"token punctuation\">)</span> <span class=\"token 
punctuation\">{</span>\n<span class=\"token variable\">$isExistKey</span> = <span class=\"token function\">Test-Path</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$parameterRegPath</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$isExistKey</span> <span class=\"token operator\">-eq</span> <span class=\"token boolean\">$False</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">New-Item</span> <span class=\"token operator\">-</span>Path <span class=\"token variable\">$parameterRegPath</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$parameterRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"Dump1Keys\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"0x2\"</span> <span class=\"token operator\">-</span>Force\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token variable\">$parameterRegPath</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"Dump2Key\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"DWord\"</span> <span class=\"token operator\">-</span>Value <span class=\"token string\">\"0x3d\"</span> <span class=\"token operator\">-</span>Force\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token comment\"># Change PageFileSize</span>\n<span class=\"token variable\">$totalPhysicalMemSize</span> = $<span class=\"token punctuation\">(</span><span class=\"token namespace\">[Math]</span>::Round<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token function\">Get-WmiObject</span> Win32_OperatingSystem<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>TotalVisibleMemorySize <span class=\"token operator\">/</span> 1024<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$freeStorageSizeofC</span> = $<span class=\"token punctuation\">(</span><span class=\"token namespace\">[Math]</span>::Round<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token function\">Get-PSDrive</span> C<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Free <span class=\"token operator\">/</span> 1024 <span class=\"token operator\">/</span> 1024<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$pageFileSize</span> = <span class=\"token variable\">$totalPhysicalMemSize</span> <span class=\"token operator\">+</span> 400\n<span class=\"token variable\">$pageFileSetting</span> = <span class=\"token string\">\"c:\\pagefile.sys <span class=\"token variable\">$pageFileSize</span> <span class=\"token variable\">$pageFileSize</span>\"</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$freeStorageSizeofC</span> <span class=\"token operator\">-gt</span> <span class=\"token variable\">$pageFileSize</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-eq</span> <span class=\"token boolean\">$True</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">New-ItemProperty</span> <span class=\"token operator\">-</span>LiteralPath <span 
class=\"token string\">\"HKLM:System\\CurrentControlSet\\Control\\Session Manager\\Memory Management\"</span> <span class=\"token operator\">-</span>Name <span class=\"token string\">\"PagingFiles\"</span> <span class=\"token operator\">-</span>PropertyType <span class=\"token string\">\"MultiString\"</span> <span class=\"token operator\">-</span>Value <span class=\"token variable\">$pageFileSetting</span> <span class=\"token operator\">-</span>Force\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">Write-Warning</span> <span class=\"token string\">\"C drive space is too small.\"</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Note that the script above configures keyboard crashes in addition to full dump collection.</p>\n<p>The keyboard on the ThinkPad that I mainly use does not have a CtrlScroll key, so I configured an alternative key instead of CrashOnCtrlScroll.</p>\n<p>After applying the settings in the script above, reboot the OS, then hold down the right CTRL key and press Space twice to trigger a keyboard crash. 
After the system restarts, you can obtain the full dump from <code class=\"language-text\">C:\\Windows\\FULL_MEMORY.DMP</code>.</p>\n<p><em>Keyboard dump triggering does not work over an RDP connection or through a Hyper-V enhanced session, so you need to use the console or a tool such as NotMyFault.</em></p>","fields":{"slug":"/windows-setting-fulldump-en","tagSlugs":["/tag/win-dbg/","/tag/reversing/","/tag/english/"]},"frontmatter":{"date":"2023-07-25","description":"I created a PowerShell script to automate the configuration for collecting full dumps on Windows and for configuring keyboard crashes.","tags":["WinDbg","Reversing","English"],"title":"Use a PowerShell Script to Configure Windows Full Memory Dumps and Keyboard Crashes","socialImage":{"publicURL":"/static/43e9771c642ee0a3c999884b3f417f55/windows-setting-fulldump.png"}}}},"pageContext":{"slug":"/windows-setting-fulldump-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}