How to Capture a Memory Dump from a Provisioned Target in VMware Environment

book

Article ID: CTX125086

calendar_today

Updated On:

Description

This article outlines the process to generate a memory dump file from a provisioned target device in a VMware environment, then using vmss2core tool convert snapshot to .dmp file, which can be analyzed in windbg.


This is a three-step process of which neither steps require any modification to the virtual machine.

 

Instructions

Prerequisites:
 

Obtain vmss2core
Please refer https://kb.vmware.com/s/article/2003941
Retrieve files vmss2core.exe and zlib1.dll from VMware workstation installation folder
C:\Program Files (x86)\VMware\VMware Workstation 
or
C:\Program Files\VMware\VMware Workstation\

Note: If vmss2core is not available in these install directories, it can be downloaded. Download location is available in https://archive.org/download/flings.vmware.com/Flings/Vmss2core/


Change Disk Mode to Exclude Virtual Disks from Snapshots in the vSphere Client.
Required privileges:
  • Virtual machine > State > Remove Snapshot
  • Virtual machine > Configuration > Modify device settings
  • Virtual machine > Configuration > Extend virtual disk 
Procedure:
  1. Power off the virtual machine and delete any existing snapshots before you change the disk mode. Deleting a snapshot involves committing the existing data on the snapshot disk to the parent disk.
  2. Select Inventory > Virtual Machine > Edit Settings.
  3. Click the Hardware tab and select the hard disk to exclude.
  4. Under Mode, select Independent > Persistent.

Complete the following procedure to capture memory dump:

  1. After the provisioned target virtual machine is in an unresponsive state, proceed to suspend the virtual machine.

    Note: Suspending a virtual machine writes the state to a file with a .vmss extension. By default, the .vmss file is stored in the directory in which the virtual machine configuration files (.vmx) are stored.

  2. Copy the .vmss file from the datastore to a local disk.
    The size of the .vmss file is equivalent to the total memory assigned to the virtual machine.

     

    The utility to convert the file from .vmss file to a dump file format is located in the <Program Files>\VMware\VMware Workstation folder on the device that VMware workstation 7 is installed.

  3. Run the following command to begin the conversion process:
    vmss2core –W filename.vmss 
vmss2core –W filename.vmss filename.vmem (when both the files need to be supplied as per https://kb.vmware.com/s/article/2003941)

Note: Command is case sensitive.

IMPORTANT: If you are trying to convert a .vmss file to a dump file for  Windows 8 or Windows 2012 operating system you must use the "-W8" switch instead of just "-W"

Example:
vmss2core –W8 filename.vmss

If not you will get the error message:
"Error Parsing Windows data
Cannot create memory dump"

Note: If there is a .vmem file with the same date and time as the .vmss, then retrieve both. For example, a Blue Screen error generates the two files and both must be passed as parameters.

After completion, a new file is created with the name memory.dmp, which represents the state of the virtual machine at the time it was suspended. This file can be used with windbg or any other debugging tools that reads dump files.

Executing vmss2core lists the following optional parameters: 
-q Quiet(er) operation
-M Create core file with physical memory view (vmss.core).
-l str Offset stringset expressed as 0xHEXNUM,0xHEXNUM,... .
-N Red Hat crash core file for arbitrary Linux version described by the "-l" option (vmss.core).
-N4 Red Hat crash core file for Linux 2.4 (vmss.core).
-N6 Red Hat crash core file for Linux 2.6 (vmss.core).
-P Print list of processes in Linux VM.
-P<pid> Create core file for Linux process <pid> (core.<pid>).
-W Create WinDbg file (memory.dmp) with commonly used build numbers ("2195" for Win32, "6000" for Win64).
-W<num> Create WinDbg file (memory.dmp), with <num> as the build number (for example: "-W2600").
-WDDB<num> Create WinDbg file (memory.dmp), with <num> as the debugger data block address in hex (for example: "-W12ac34de").
 
-WSCAN  Create WinDbg file (memory.dmp) and scan all of memory for the debugger data block (instead of just low 256 MB).

For Mac OS guests:

      -X32-0 for Darwin Kernel Version 9.0.0: Tue Oct  9 21:35:55 PDT 2007
      -X32-1 for Darwin Kernel Version 9.1.0: Wed Oct 31 17:46:22 PDT 2007
      -X32-2 for Darwin Kernel Version 9.2.0: Tue Feb  5 16:13:22 PST 2008
      -X32-3 for Darwin Kernel Version 9.3.0: Fri May 23 00:49:16 PDT 2008
      -X32-4 for Darwin Kernel Version 9.4.0: Mon Jun  9 19:30:53 PDT 2008
      -X32-5 for Darwin Kernel Version 9.5.0: Wed Sep  3 11:29:43 PDT 2008
      -X64-0 for Darwin Kernel Version 10.0.0b3: Thu Jul  2 17:35:43 PDT 2
      -X64-1 for Darwin Kernel Version 10.0.0b1: Fri May 29 00:01:05 PDT 2
      -X64-2 for Darwin Kernel Version 10.0.0b4: Sat Jul 11 02:48:32 PDT
 

Environment

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Issue/Introduction

This article describes how to capture a memory dump from a provisioned target device in VMware vSphere.
Powered by Wolken Software