
Guest Memory Dump From the Hypervisor

07 Feb

Part of VMware’s VMotion process copies all the guest system’s memory from one physical host to another over the network. Snapshots and VM suspends force a memory checkpoint, which guarantees a persisted, full copy of guest memory on disk. The point here is that the hypervisor has complete visibility into the guest’s memory.

Without the hypervisor there are a few ways to capture the data in RAM that serious debugging needs. A single process is easy: just fire up Task Manager with the matching bitness (32- or 64-bit) and create a dump file for the process.

[Image: process_dump]

If the Windows computer is actually crashing, you can have it automatically create a dump file. One requirement is enough space for the page file: http://blogs.technet.com/b/askcore/archive/2012/09/12/windows-8-and-windows-server-2012-automatic-memory-dump.aspx

If the problem you are trying to debug doesn’t crash your computer, you have a little more reading to do: https://support.microsoft.com/kb/969028 There are several tools, including a registry entry that triggers a crash on CTRL+Scroll Lock and a PS utility whose name I love: NotMyFault.exe

But wait! It gets better!

The hypervisor checkpoint process. Just hit the pause button on your VM and voilà. Browse the datastore and download the .vmss file. VMware has kindly written a Windows version of its application to handle the conversion: https://labs.vmware.com/flings/vmss2core To convert this .vmss file to a WinDbg memory dump file, just run this command:

vmss2core.exe -W C:\pathtodmp\vm_suspend.vmss

You can also perform this same process using a snapshot instead. This can be an even better option to avoid downtime if your guest is still mostly working.
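As an added example (not code from the original post), the whole suspend-and-convert procedure scripted with VMware PowerCLI: suspend the guest, copy its .vmss off the datastore, hash it so the evidence file can be verified later, and run vmss2core.exe -W on it. The vCenter name, VM name, tool and output directories are placeholders, and vmss2core is assumed to be installed locally.

```powershell
# Added example: hypervisor memory checkpoint -> WinDbg dump via PowerCLI.
# Placeholders: $VCenter, $VMName, $ToolDir (folder holding vmss2core.exe), $OutDir.
param(
    [string]$VCenter = 'vcenter.example.test',
    [string]$VMName  = 'suspect-guest',
    [string]$ToolDir = 'C:\Tools\vmss2core',
    [string]$OutDir  = 'C:\dumps'
)

Connect-VIServer -Server $VCenter | Out-Null
$vm = Get-VM -Name $VMName

# The checkpoint: suspending makes the hypervisor write the guest's full
# memory image into the VM's folder on the datastore.
if ($vm.PowerState -eq 'PoweredOn') {
    Suspend-VM -VM $vm -Confirm:$false | Out-Null
}

# Find the VM's datastore folder from its .vmx path ("[datastore] folder/vm.vmx").
$vmxPath = $vm.ExtensionData.Config.Files.VmPathName
if ($vmxPath -notmatch '^\[(?<ds>[^\]]+)\]\s*(?<folder>.*)/[^/]+\.vmx$') {
    throw "Unexpected VMX path: $vmxPath"
}
$folder = $Matches.folder -replace '/', '\'
$ds = Get-Datastore -Name $Matches.ds
New-PSDrive -Name ds -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$vmss = Get-ChildItem -Path "ds:\$folder" -Filter '*.vmss' | Select-Object -First 1
if (-not $vmss) { throw 'No .vmss file found; did the suspend complete?' }
Copy-DatastoreItem -Item $vmss -Destination $OutDir -Force
Remove-PSDrive -Name ds

# Record the hash of the raw checkpoint before converting it.
$local = Join-Path $OutDir $vmss.Name
$hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
"SHA256 $hash  $($vmss.Name)" | Out-File -FilePath (Join-Path $OutDir 'hashes.txt') -Append

# Convert to a WinDbg-consumable dump; vmss2core writes memory.dmp to the
# working directory, so run it from $OutDir.
Push-Location $OutDir
& (Join-Path $ToolDir 'vmss2core.exe') -W $local
Pop-Location

# Resume the guest now that the checkpoint has been copied off.
Start-VM -VM $vm -Confirm:$false | Out-Null
```

For the snapshot variant mentioned above, the memory lives in a .vmsn/.vmem pair rather than a single .vmss, and vmss2core takes both: vmss2core.exe -W vm.vmsn vm.vmem.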

Now What?

Well, this is the point where I call in the experts. I generally do this to ship the file off for analysis by the developers of suspect code. As a teaser for some future posts, here are the ingredients we are going to have to collect:

The file we created is consumable by WinDbg: http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx

Symbols help map out the functions: http://support.microsoft.com/kb/311503

Commands for analysis in WinDbg: http://msdn.microsoft.com/en-us/library/windows/hardware/ff564043(v=vs.85).aspx


Posted by on February 7, 2014 in Virtual
