Part of VMware’s vMotion process copies all of the guest system’s memory from one physical host to another over the network. Snapshots and VM suspends force a memory checkpoint, making sure there is a persisted full copy of memory on disk. The point here is that the hypervisor is very much aware of the guest’s memory.
Without the hypervisor, there are a few ways to capture the data in RAM needed for some serious debugging. A single process is easy: just fire up the proper bitness of Task Manager.
If the Windows computer is actually crashing, you can have it automatically create a dump file. One requirement is enough space for the page file. http://blogs.technet.com/b/askcore/archive/2012/09/12/windows-8-and-windows-server-2012-automatic-memory-dump.aspx
If the problem you are trying to debug doesn’t crash your computer, you have a little more reading to do: https://support.microsoft.com/kb/969028 There are several tools, including a registry entry for CTRL+Scroll and a PS utility whose name I love: NotMyFault.exe
But wait! It gets better!
Use the hypervisor checkpoint process. Just hit the pause button on your VM and voilà. Browse the datastore and download the .vmss file. VMware has kindly written a Windows version of its application to handle the conversion: https://labs.vmware.com/flings/vmss2core To convert this .vmss file to a WinDbg memory dump file, just run this command:
vmss2core.exe -W C:\pathtodmp\vm_suspend.vmss
You can also perform this same process using a snapshot instead. This can be an even better option to avoid downtime if your guest is still mostly working.
Well, this is the point where I call in the experts. I generally do this to ship the file off for analysis by the developers of suspect code. As a teaser to some future posts, here are the ingredients we are going to have to collect:
The file we created is consumable by WinDbg: http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx
Symbols help map out the functions: http://support.microsoft.com/kb/311503
Commands for analysis in WinDbg: http://msdn.microsoft.com/en-us/library/windows/hardware/ff564043(v=vs.85).aspx
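
A sanity check to run on the converted file before shipping it, as an added example that is not part of the original post: it confirms the output carries the PAGEDUMP/PAGEDU64 signature of a Windows crash dump rather than being the raw .vmss, and records a SHA-256 so the recipient can confirm they received the same file. The header offsets and all function names are assumptions of this example, and the sample file it builds is constructed, not a real dump.

```python
import hashlib
import os
import struct
import tempfile

# ValidDump tag -> (bitness, offset of MachineImageType). NumberProcessors is
# the next 32-bit field. Offsets are an assumption, taken from the commonly
# published DUMP_HEADER32/DUMP_HEADER64 layouts.
LAYOUTS = {b"DUMP": (32, 0x20), b"DU64": (64, 0x30)}
MACHINES = {0x014C: "x86", 0x8664: "x64"}
HEADER_LEN = 0x40


def inspect_dump(path):
    """Return bitness, machine type, CPU count and SHA-256 of a dump file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
        digest.update(header)
        # Stream the rest: a full dump is as large as the guest's RAM.
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    if len(header) < HEADER_LEN:
        raise ValueError("file too short to hold a crash-dump header")
    if header[:4] != b"PAGE" or header[4:8] not in LAYOUTS:
        raise ValueError("no PAGEDUMP/PAGEDU64 signature; is this the raw "
                         ".vmss rather than the converted dump?")
    bits, offset = LAYOUTS[header[4:8]]
    machine, cpus = struct.unpack_from("<II", header, offset)
    return {"bits": bits, "machine": MACHINES.get(machine, hex(machine)),
            "cpus": cpus, "sha256": digest.hexdigest()}


def constructed_sample(tag=b"DU64", machine=0x8664, cpus=2):
    """Write a constructed 64-byte header (not a real dump); return its path."""
    header = bytearray(HEADER_LEN)
    header[:8] = b"PAGE" + tag
    struct.pack_into("<II", header, LAYOUTS[tag][1], machine, cpus)
    with tempfile.NamedTemporaryFile(suffix=".dmp", delete=False) as fh:
        fh.write(header)
    return fh.name


if __name__ == "__main__":
    sample = constructed_sample()
    print(inspect_dump(sample))
    os.remove(sample)
```

The reported bitness also tells the analyst which WinDbg and symbol set to use for the guest.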