
All Products: How to Create a Full/Complete Memory Dump Via Keyboard


Environment

  • All Carbon Black Products
  • Microsoft Windows: All Supported Versions

Objective

To configure a Windows endpoint to generate Windows crash / memory dump reports using the keyboard. 

Resolution

  1. Open Run or Command Prompt
  2. Type SystemPropertiesAdvanced and press ENTER.
  3. Under the Startup and Recovery section, click Settings
  4. Under System Failure > Write debugging information, select Complete memory dump
  5. Check Overwrite any existing file and make any desired changes to the "Dump file:" location
  6. Click OK to save the settings and exit the Startup and Recovery window
  7. Click OK to save and exit the System Properties window
  8. Follow the procedure in this Microsoft article to enable keyboard crashing:

 

Additional Notes

  • The default location for the resulting crash dump file is C:\Windows\Memory.dmp
  • Resulting memory dumps can be provided to Carbon Black using CB Vault
  • This process is useful in situations where the endpoint is unresponsive (i.e., "hung")
  • Some keyboards (such as on some laptop models) may not have a SCROLL LOCK button. If this is the case, it's recommended to plug in an external keyboard that has that key and trigger the crash dump that way. 
  • Alternatively, if an external keyboard is not available, the hex values in the reg files can be modified to represent other available keys.
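
The settings chosen in the steps above are stored in the registry, so they can be audited or applied from an elevated PowerShell prompt. The script below is an added example, not Carbon Black or Microsoft code; the `-Apply` switch and variable names are this example's own. It assumes the standard `CrashControl` values and the `CrashOnCtrlScroll` value for the PS/2 (`i8042prt`) and USB (`kbdhid`) keyboard drivers.

```powershell
# Added example (not vendor code). Run elevated.
# Without -Apply it only reports; with -Apply it writes any missing or different values.
param([switch]$Apply)

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$services     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Desired state: the values behind the Startup and Recovery dialog, plus the
# keyboard-crash switch for each keyboard driver.
$desired = @(
    @{ Path = $crashControl; Name = 'CrashDumpEnabled'; Value = 1 }  # 1 = Complete memory dump
    @{ Path = $crashControl; Name = 'Overwrite';        Value = 1 }  # Overwrite any existing file
    @{ Path = "$services\i8042prt\Parameters"; Name = 'CrashOnCtrlScroll'; Value = 1 }  # PS/2 keyboards
    @{ Path = "$services\kbdhid\Parameters";   Name = 'CrashOnCtrlScroll'; Value = 1 }  # USB keyboards
)

$results = foreach ($item in $desired) {
    # Read the current value; a missing key or value yields $null instead of an error
    $current = (Get-ItemProperty -Path $item.Path -Name $item.Name `
                    -ErrorAction SilentlyContinue).($item.Name)

    if ($Apply -and $current -ne $item.Value) {
        if (-not (Test-Path $item.Path)) {
            New-Item -Path $item.Path -Force | Out-Null
        }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value `
            -PropertyType DWord -Force | Out-Null
        $current = $item.Value
    }

    [pscustomobject]@{
        Key       = $item.Path -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\', ''
        Name      = $item.Name
        Current   = $current
        Expected  = $item.Value
        Compliant = ($current -eq $item.Value)
    }
}

$results | Format-Table -AutoSize

# Show where the dump will be written (the "Dump file:" field in step 5)
$dumpFile = (Get-ItemProperty -Path $crashControl -Name DumpFile `
                 -ErrorAction SilentlyContinue).DumpFile
"Dump file: $dumpFile"
```

Restart the endpoint after applying the values so the keyboard drivers pick up the change.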

Creation Date: 08-30-2017