How to capture a full memory dump from a PVS target running on Azure

Article ID: CTX463612

Description

This article covers the steps necessary to prepare an Azure VM running PVS so that it can capture a full memory dump.


Instructions

To prepare the VM to capture a full memory dump, changes will need to be made to the registry of the target vdisk. These changes can be made with the vdisk in a read/write state, which can be accomplished by putting the vdisk in private mode or creating a new maintenance version. If the vdisk is not accessible due to a BSOD shortly after the machine reaches the Windows login screen, the changes can also be made by mounting the vdisk in the PVS console and then loading the SYSTEM registry hive from the mounted vdisk.

Mount the vdisk in the PVS Console
  • Open the PVS Console
  • Find the vdisk in either vDisk Pool or in a specific store
  • Right Click the vdisk and choose "Mount vDisk"

Open the registry and load the SYSTEM registry hive
  • Launch regedit.exe from a run or command line
  • Highlight HKEY_LOCAL_MACHINE
  • Click File > Load Hive
  • Navigate to the \Windows\System32\config folder of the mounted vdisk drive and load the SYSTEM file
  • Give the Hive a name such as the name of the vdisk
  • Expand the new Hive to the Computer\HKEY_LOCAL_MACHINE\Windows10\ControlSet001\Control\CrashControl Key (Windows10 is the hive name used in this example)

Once you are in the CrashControl Key (either through Computer\HKEY_LOCAL_MACHINE\Windows10\ControlSet001\Control\CrashControl or Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl), make the following registry changes:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled = 1
DedicatedDumpFile = "Path to the write cache drive"\DedicatedDumpFile.sys
DumpFile = "Path to the write cache drive"\MEMORY.DMP
DumpFileSize = 0
NMICrashDump = 1
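
The offline hive edit from the steps above as a PowerShell script; this is an added example, not part of the original article. The drive letters, the hive name and the registry value types are assumptions. The script goes one step beyond the article by reading Select\Current to pick the control set instead of assuming ControlSet001.

```powershell
# Added example, not from the Citrix article. Run elevated on the PVS server
# after "Mount vDisk". Drive letters and hive name are assumptions; change them.
param(
    [string]$MountedDrive = 'E:',            # assumed letter of the mounted vdisk
    [string]$CacheDrive   = 'D:',            # assumed write cache drive as seen by the target
    [string]$HiveName     = 'OfflineSystem'  # temporary key name under HKLM
)
$ErrorActionPreference = 'Stop'

$hiveFile = Join-Path "$MountedDrive\" 'Windows\System32\config\SYSTEM'
if (-not (Test-Path -LiteralPath $hiveFile)) { throw "SYSTEM hive not found: $hiveFile" }

& reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    # An offline hive has no CurrentControlSet link; Select\Current holds the
    # number of the control set Windows boots with (1 means ControlSet001).
    $current = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
    $key = 'HKLM:\{0}\ControlSet{1:D3}\Control\CrashControl' -f $HiveName, $current

    # Value types are the standard Windows ones (assumption; the article lists only the data).
    $settings = @(
        @{ Name = 'CrashDumpEnabled';  Type = 'DWord';        Value = 1 }
        @{ Name = 'DedicatedDumpFile'; Type = 'String';       Value = "$CacheDrive\DedicatedDumpFile.sys" }
        @{ Name = 'DumpFile';          Type = 'ExpandString'; Value = "$CacheDrive\MEMORY.DMP" }
        @{ Name = 'DumpFileSize';      Type = 'DWord';        Value = 0 }
        @{ Name = 'NMICrashDump';      Type = 'DWord';        Value = 1 }
    )
    foreach ($s in $settings) {
        Set-ItemProperty -Path $key -Name $s.Name -Type $s.Type -Value $s.Value
    }

    # Read the values back so the change can be confirmed before unmounting.
    $names = $settings | ForEach-Object { $_.Name }
    Get-ItemProperty -Path $key | Select-Object -Property $names | Format-List
}
finally {
    # Drop provider handles first, otherwise reg unload fails with "Access is denied".
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; unload $HiveName in regedit" }
}
```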

On the next boot of that vdisk, Windows will generate a full memory dump when a BSOD event occurs. You can also trigger an NMI BSOD from the Serial Console for that VM in Azure by clicking "Send Non-Maskable Interrupt (NMI)".

Additional Information

Additional Considerations:

Cache Disk - Disk space is required to hold DedicatedDumpFile.sys and MEMORY.DMP; both will be the size of RAM.

Formula for disk space calculation:
Cache disk size required to capture a good memory dump = 2x RAM + 512k (DedicatedDumpFile.sys & MEMORY.DMP) + PageFile size + Redirected data footprint
Note: redirected data includes event logs, Outlook files, or any other data intentionally redirected here. You will need to account for this additional data in your calculations.

For example, a VM with 8GB RAM + 2GB PageFile + 1GB redirected event logs would need a cache drive that is at least 19.5GB with 16.5GB free space.

https://support.citrix.com/article/CTX322727/citrix-provisioning-services-full-system-memory-dump-from-any-windows-target-device

https://docs.microsoft.com/en-US/windows/client-management/generate-kernel-or-complete-crash-dump