Windows Memory Dumps: What Exactly Are They For?

When Windows blue-screens, it creates memory dump files — also known as crash dumps. This is what Windows 8’s BSOD is talking about when it says it’s “just collecting some error info.”

These files contain a copy of the computer’s memory at the time of the crash. They can be used to help diagnose and identify the problem that led to the crash in the first place.

Types of Memory Dumps

Windows can create several different types of memory dumps. You can access this setting by opening the Control Panel, clicking System and Security, and clicking System. Click Advanced system settings in the sidebar, click the Advanced tab, and click Settings under Startup and recovery.

By default, the setting under Write debugging information is set to “Automatic memory dump.” Here’s what each type of memory dump actually is:

Complete memory dump: A complete memory dump is the largest possible type of memory dump. It contains a copy of all the data used by Windows in physical memory. So, if you have 16 GB of RAM and Windows is using 8 GB of it at the time of the system crash, the memory dump will be 8 GB in size. Crashes are usually caused by code running in kernel mode, so the complete information, including each program’s memory, is rarely useful — a kernel memory dump will usually be sufficient even for a developer.

Kernel memory dump: A kernel memory dump will be much smaller than a complete memory dump. Microsoft says it will typically be about one-third the size of the physical memory installed on the system. As Microsoft puts it:

“This dump file will not include unallocated memory, or any memory allocated to user-mode applications. It only includes memory allocated to the Windows kernel and hardware abstraction level (HAL), as well as memory allocated to kernel-mode drivers and other kernel-mode programs.

For most purposes, this crash dump is the most useful. It is significantly smaller than the Complete Memory Dump, but it only omits those portions of memory that are unlikely to have been involved in the crash.”

Small memory dump (256 KB): A small memory dump is the smallest type of memory dump. It contains very little information — the blue-screen information, a list of loaded drivers, process information, and a bit of kernel information. It can be helpful for identifying the error, but offers less detailed debugging information than a kernel memory dump.

Automatic memory dump: This is the default option, and it contains the exact same information as a kernel memory dump. Microsoft says that, when the page file is set to a system-managed size and the computer is configured for automatic memory dumps, “Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time.” As Microsoft points out, crash dumps are an important consideration when deciding what size the page file should be. The page file must be large enough to contain the memory data.

(none): Windows won’t create memory dumps when it crashes.

Memory Dumps Are For Developers

These dump files exist to provide you with information about the cause of the system crash. If you’re a Windows developer working on hardware drivers, the information in these memory dump files could help you identify the reason your hardware drivers are causing a computer to blue-screen and fix the problem.

But you’re probably just a normal Windows user, not someone developing hardware drivers or working on the Windows source code at Microsoft. Crash dumps are still useful. You might not need them yourself, but you may need to send them to a developer if you’re experiencing a problem with low-level software or hardware drivers on your computer. For example, Symantec’s website says that “Many times Symantec Development will need a Full Memory Dump from an affected system to identify the cause of the crash.” The crash dump may also be useful if you’re experiencing a problem with Windows itself, as you may need to send it to Microsoft. The developers in charge of the software can use the memory dump to see exactly what was going on on your computer at the time of the crash, hopefully allowing them to pin down and fix the problem.

Minidumps vs. Memory Dumps

Minidump files are useful to pretty much everyone because they contain basic information like the error message associated with a blue-screen of death. They’re stored in the C:\Windows\Minidump folder by default. Both types of dump files have the file extension .dmp.

Even when your system is configured to create a kernel, complete, or automatic memory dump, you’ll get both a minidump and a larger MEMORY.DMP file.

Tools like Nirsoft’s BlueScreenView can display the information contained in these minidump files. You can see the exact driver files involved in a crash, which can help identify the cause of the problem. Because minidumps are so useful and small, we recommend never setting the memory dump setting to “(none)” — be sure to at least configure your system to create small memory dumps. They won’t use much space and will help you if you ever run into a problem. Even if you don’t know how to get information out of the minidump file yourself, you can find software tools and people who can use the information here to help pin down and fix your system problem.

Larger memory dumps like kernel memory dumps and complete memory dumps are stored at C:\Windows\MEMORY.DMP by default. Windows is configured to overwrite this file each time a new memory dump is created, so you should only have one MEMORY.DMP file taking up space.

While even average Windows users can use minidumps to understand the cause of blue-screens, the MEMORY.DMP file is used more rarely and isn’t useful unless you plan on sending it to a developer. You probably won’t need to use the debugging information in a MEMORY.DMP file to identify and fix a problem on your own.
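
Since minidumps and MEMORY.DMP share the .dmp extension, the file header is what tells you which kind you are about to open or send to a developer (a complete dump also carries each program’s memory). The following is an added example, not code from the original article: the 64-bit header signature, field offsets and dump-type values are assumptions taken from public debugger tooling, and the sample header is constructed.

```python
import struct

# Assumed layout (not from the article): header of a 64-bit kernel crash
# dump as described by public debugger tooling. All values little-endian.
SIG_64, SIG_32 = b"PAGEDU64", b"PAGEDUMP"
OFF_BUGCHECK_CODE = 0x38    # uint32 stop code shown on the blue screen
OFF_BUGCHECK_PARAMS = 0x40  # four uint64 stop-code parameters
OFF_DUMP_TYPE = 0xF98       # uint32 dump type
HEADER_MIN = OFF_DUMP_TYPE + 4
DUMP_TYPES = {              # other values are reported as-is
    1: "complete memory dump",
    2: "kernel memory dump",
    4: "small memory dump (minidump)",
    5: "bitmap-format memory dump",
}

def classify_dump(header: bytes) -> dict:
    """Classify a .dmp file from its leading bytes only."""
    sig = header[:8]
    if sig != SIG_64:
        fmt = "32-bit kernel dump" if sig == SIG_32 else "unknown"
        return {"format": fmt, "parsed": False}
    if len(header) < HEADER_MIN:
        return {"format": "64-bit kernel dump (truncated)", "parsed": False}
    (code,) = struct.unpack_from("<I", header, OFF_BUGCHECK_CODE)
    params = struct.unpack_from("<4Q", header, OFF_BUGCHECK_PARAMS)
    (dtype,) = struct.unpack_from("<I", header, OFF_DUMP_TYPE)
    return {"format": "64-bit kernel dump", "parsed": True,
            "bugcheck": f"0x{code:08X}",
            "params": [f"0x{p:016X}" for p in params],
            "dump_type": DUMP_TYPES.get(dtype, f"unrecognised ({dtype})")}

def classify_file(path: str) -> dict:
    """Read just the header, so a multi-gigabyte MEMORY.DMP is not loaded."""
    with open(path, "rb") as f:
        return classify_dump(f.read(HEADER_MIN))

def sample_header(code: int, dtype: int) -> bytes:
    """Constructed header for the demo; not taken from a real crash."""
    buf = bytearray(HEADER_MIN)
    buf[:8] = SIG_64
    struct.pack_into("<I", buf, OFF_BUGCHECK_CODE, code)
    struct.pack_into("<4Q", buf, OFF_BUGCHECK_PARAMS, 0x10, 2, 0, 0x1000)
    struct.pack_into("<I", buf, OFF_DUMP_TYPE, dtype)
    return bytes(buf)

if __name__ == "__main__":
    for dump_type in (4, 2):  # small dump, then kernel dump
        print(classify_dump(sample_header(0xD1, dump_type)))
```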

Delete Memory Dumps To Free Up Space

You can delete these .dmp files to free up space, which is a good idea because they may be very large in size — if your computer has blue-screened, you may have a MEMORY.DMP file of 800 MB or more taking up space on your system drive.

Windows helps you automatically delete these files. If you use the Disk Cleanup utility and tell it to clean up system files, you’ll see both types of memory dumps appear in the list. CCleaner and other similar tools can automatically delete memory dumps, too. You shouldn’t need to dig into your Windows folder and delete them by hand.

In short, larger memory dump files aren’t very useful unless you plan on sending them to Microsoft or another software developer so they can fix a blue-screen that’s occurring on your system. Smaller minidump files are more useful because they contain essential information about system crashes.

Image Credit: Thawt Hawthje on Flickr

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Twitter.