The other day I was assisting a co-worker who needed a memory dump of a Windows virtual machine. He was working with Microsoft support and the support engineer mentioned that the process for gathering this data was different since we were using a virtual machine. I Googled vmware windows memory dump and found VMware KB 1001624, which links to a Microsoft KB article that documents how to make CTRL+ScrollLock+ScrollLock cause a blue screen (which creates a memory dump). This process works the same on both physical and virtual servers.
While that is a fun setting, and has a possible April Fools use case, it doesn’t really help troubleshoot issues. Using this option, the memory dump is caused by the user and requires an outage (a reboot to enable the registry key and a blue screen to create the memory dump).
The tool the Microsoft engineer was talking about is vmss2core.exe and it ships with VMware Workstation. I haven’t had a chance to use it in the past, but it is very simple. Here are the steps I used to test this process:
- Create a snapshot of a virtual machine with the ‘snapshot the virtual machine’s memory’ option selected.
- Browse to the virtual machine’s folder on the VMFS or NFS volume and download the ‘-snapshot1.vmsn’ file to a temporary directory.
- Copy the ‘vmss2core.exe’ file from a VMware Workstation installation to this temporary directory.
- Run the following command (where ‘w2k3test01-snapshot1.vmsn’ is the name of your snapshot file):
vmss2core.exe w2k3test01-snapshot1.vmsn -W
This process creates a memory.dmp file in the current directory. This file can be analyzed to determine what was running at the time of the snapshot creation. Note: the vmsn file is slightly larger than the amount of vRAM allocated to the virtual machine and the memory dump is equal to the amount of RAM installed. For a VM with 8GB of RAM you’ll need at least 16GB of disk space to complete this process.
How do I open these memory.dmp files to verify they are working? I’m glad you asked. I found a Network World post from 2005 that outlines the process: http://www.networkworld.com/news/2005/041105-windows-crash.html. You only need to download and install two applications (note: a few dependencies exist for these apps, such as the .NET Framework).
These downloads are free and give you the tools to open/review a crash dump. I don’t have a detailed understanding of how to work with these files, but I wanted to make sure the memory.dmp export worked correctly before sending an 8GB file to Microsoft for analysis.
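A scripted sanity check for the export, as an added Python example (not part of the original post and not a VMware or Microsoft tool): it confirms there is room for the dump before running vmss2core, then checks that memory.dmp starts with the Windows crash-dump signature and records a SHA-256 so the file can be verified after transfer. The function names and the 90% size threshold are assumptions made for this example.

```python
import hashlib
import os
import shutil
import struct

# Crash-dump header magic: "PAGE" followed by "DUMP" (32-bit) or "DU64" (64-bit).
SIGNATURES = {b"PAGEDUMP": "32-bit", b"PAGEDU64": "64-bit"}


def enough_space_for_dump(vmsn_path, workdir="."):
    """Pre-flight: the dump is about the size of the VM's RAM and the .vmsn is
    slightly larger, so free space >= .vmsn size is a safe bound."""
    return shutil.disk_usage(workdir).free >= os.path.getsize(vmsn_path)


def inspect_dump(dump_path, vmsn_path=None, chunk=1 << 20):
    """Return header facts, a size sanity check and the SHA-256 of a memory.dmp."""
    digest = hashlib.sha256()
    with open(dump_path, "rb") as fh:
        header = fh.read(16)
        digest.update(header)
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    if len(header) < 16 or header[:8] not in SIGNATURES:
        raise ValueError("not a Windows crash dump: bad signature %r" % header[:8])
    # MajorVersion and MinorVersion are the two little-endian ULONGs after the magic.
    major, minor = struct.unpack_from("<II", header, 8)
    size = os.path.getsize(dump_path)
    report = {
        "bitness": SIGNATURES[header[:8]],
        "major_version": major,
        "os_build": minor,  # MinorVersion holds the Windows build number
        "size_bytes": size,
        "sha256": digest.hexdigest(),  # record this before sending the file
    }
    if vmsn_path is not None:
        # Assumed threshold: a dump far smaller than the snapshot suggests
        # the conversion was truncated (for example, the disk filled up).
        report["plausible_size"] = size >= 0.9 * os.path.getsize(vmsn_path)
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: script.py memory.dmp [snapshot.vmsn]
        print(inspect_dump(*sys.argv[1:3]))
```

Run `enough_space_for_dump` against the downloaded .vmsn before the conversion, then `inspect_dump` on the resulting memory.dmp and keep the reported hash alongside the support case.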