Configuration

The crash dump stack is configured through various settings in the registry.  The kernel function IoConfigureCrashDump(), which is called explicitly during the crash dump stack pre-initialization phase during kernel initialization and implicitly whenever NtSetSystemInformation(), PoBroadcastSystemState() or PoShutdownBugCheck() is called, reads the crash dump settings from the registry and stores this information in a global data structure.  The completed global data structure is used during pre-initialization of the crash dump stack.  After Windows Vista, the registry-reading code is located in crashdmp.sys (crashdmp!ReadRegistrySettings).

The table below captures all registry settings, as of Windows 8, that control hibernation and crash, as found through reversing relevant components.  Keys and value names that are not user-driven (but rather are generated by an operating system component) are also included for purposes of thoroughness.

HKLM\System\CurrentControlSet\Control\CrashControl

| Value Name | Valid Values | Used In | Purpose |
|---|---|---|---|
| Autoreboot | 0 or 1 | Kernel | If set to 1, the system will automatically reboot after a crash. |
| MinidumpDir | Valid path | Smss.exe | Path to store minidumps. |
| MinidumpsCount | Number | Smss.exe | The maximum number of minidumps to store before overwriting the oldest. |
| Overwrite | 0 or 1 | Smss.exe | |
| DumpFile | N/A | crashdmp.sys | This value name is set to the location of the last dump file generated by the crash stack. |
| TempDestination | N/A | crashdmp.sys | Temporary location for the dump file if needed. |
| MachineCrash | N/A | crashdmp.sys | A volatile key generated when a crash occurs. |
| DedicatedDumpFile | Valid file | crashdmp.sys | Specifies the full path and file name of a file to be used as the crash dump file. The value cannot be longer than 150 characters. |
| DumpFileSize | Valid size | crashdmp.sys | Specifies the size of the dump file. |
| DumpFilters | String | crashdmp.sys | Contains a null-terminator separated list of driver names. |
| CrashDumpEnabled | 0-7 | crashdmp.sys | Sets the dump type; see the mapping table below. |
| LogEvent | > 0 | crashdmp.sys | Sets the dump type to 4, but only if CrashDumpEnabled is not set. Purpose not exactly known. |
| SendAlert | > 0 | crashdmp.sys | Same as LogEvent. |
| ResumeCapable | -1 (0xFFFFFFFF) or 1 | crashdmp.sys | Enables (1) or disables (-1) the resume feature. |
| EnableLogFile | >= 0 | crashdmp.sys | Enables (1) or disables (0) the dumpstack.log file. |
| DumpLogLevel | -1, >= 1 | crashdmp.sys | Sets the log level, which has an effect on the dump log size. See this page for details. |
| SimulateError | Any value! | crashdmp.sys | A numeric value used in error simulation. The value passed from the registry is stored unchecked in the dump context structure and referenced later. |
| SimulateNotReady | Any value | crashdmp.sys | Any value in this key will result in the dump context structure's Flags member being OR'd with 8 (the SimulateNotReady bit). See the table below for possible values of the Flags member. |
| Flags | Bitmask | crashdmp.sys | The value passed in this registry key controls a bitmask flag in the dump context structure. Please see the bit definition of this field below. |
| StorageTelemetry\DeviceDumpEnabled | Any nonzero value | crashdmp.sys | Turns on drive telemetry collection. Please see the section below. |
| StorageTelemetry\StorageTCCode_[N] | Any value! | crashdmp.sys | Sets values for specific telemetry collection codes. Please see the section below. |

Crash dump types

The default values for some variables can change based on values supplied in the registry.  The table below attempts to capture this mapping.

| Value of CrashDumpEnabled | Resulting Dump Type |
|---|---|
| 1 | 5 |
| 2 | 6 |
| 3 | 4 |
| 4 | 4 |
| 7 | 6 |

Dump type definitions are shown below.  Note that 4, 5 and 6 are the only usable dump types.

| Value | Dump Type |
|---|---|
| 0 | Unknown |
| 1 | Full |
| 2 | Summary |
| 3 | Header |
| 4 | Triage |
| 5 | Bitmap – Full |
| 6 | Bitmap – Kernel |
| 7 | Automatic (defaults to Bitmap – Kernel) |
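The following script puts the two tables above and the CrashControl settings table into code: it resolves the dump type the driver ends up with (CrashDumpEnabled first, then the LogEvent/SendAlert fallback), applies the SimulateNotReady OR to the Flags bitmask, splits the NUL-separated DumpFilters list, and reports the things a responder would want to know before trusting a dump from the host (unusable dump type, an over-long DedicatedDumpFile, error-simulation values present). This is an added example, not code from the original post: the mapping tables are transcribed from the post, the audit heuristics are this example's own, `read_crash_control` uses the standard `winreg` module and only runs on Windows, and `SAMPLE_VALUES` is a constructed snapshot so the script runs offline.

```python
"""Interpret the CrashControl settings described above.

Added example, not code from the original post: the two mapping tables are
transcribed from the post, the audit heuristics are this example's own, and
SAMPLE_VALUES is a constructed registry snapshot for offline use.
"""
import sys

CRASH_CONTROL_PATH = r"SYSTEM\CurrentControlSet\Control\CrashControl"

# CrashDumpEnabled -> resulting dump type (table from the post; 0, 5 and 6 are not listed there)
CRASH_DUMP_ENABLED_TO_TYPE = {1: 5, 2: 6, 3: 4, 4: 4, 7: 6}

DUMP_TYPE_NAMES = {
    0: "Unknown", 1: "Full", 2: "Summary", 3: "Header", 4: "Triage",
    5: "Bitmap - Full", 6: "Bitmap - Kernel", 7: "Automatic (defaults to Bitmap - Kernel)",
}
USABLE_DUMP_TYPES = {4, 5, 6}

# The only Flags bit the post names; SimulateNotReady ORs it in regardless of its data.
SIMULATE_NOT_READY_BIT = 0x8


def resolve_dump_type(values):
    """Dump type the driver ends up with. CrashDumpEnabled takes precedence;
    LogEvent/SendAlert > 0 force type 4 only when CrashDumpEnabled is absent."""
    enabled = values.get("CrashDumpEnabled")
    if enabled is not None:
        return CRASH_DUMP_ENABLED_TO_TYPE.get(enabled)  # None for values the post does not map
    if values.get("LogEvent", 0) > 0 or values.get("SendAlert", 0) > 0:
        return 4
    return None


def effective_flags(values):
    """Flags bitmask after the registry-driven OR described for SimulateNotReady."""
    flags = values.get("Flags", 0)
    if "SimulateNotReady" in values:
        flags |= SIMULATE_NOT_READY_BIT
    return flags


def parse_dump_filters(raw):
    """DumpFilters is a NUL-separated list; winreg already hands it over as a list."""
    parts = raw if isinstance(raw, list) else raw.split("\0")
    return [p for p in parts if p]


def audit(values):
    """Findings a responder would want before relying on a crash dump from this host."""
    findings = []
    dump_type = resolve_dump_type(values)
    if dump_type not in USABLE_DUMP_TYPES:
        findings.append(f"resolved dump type {dump_type} is not one of the usable types 4/5/6")
    dedicated = values.get("DedicatedDumpFile")
    if dedicated is not None and len(dedicated) > 150:
        findings.append("DedicatedDumpFile is longer than the 150-character limit")
    for name in ("SimulateError", "SimulateNotReady"):
        if name in values:
            findings.append(f"{name} is set: crash dump error simulation is active")
    if effective_flags(values) & SIMULATE_NOT_READY_BIT and "SimulateNotReady" not in values:
        findings.append("Flags has the SimulateNotReady bit (0x8) set directly")
    return findings


def read_crash_control():
    """Windows only: pull every value under CrashControl into a dict."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CRASH_CONTROL_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _kind = winreg.EnumValue(key, i)
            values[name] = data
    return values


# Constructed snapshot (not captured from a real machine).
SAMPLE_VALUES = {
    "Autoreboot": 1,
    "CrashDumpEnabled": 7,
    "DumpFile": r"%SystemRoot%\MEMORY.DMP",
    "DumpFilters": ["dumpfve.sys", ""],
    "Flags": 0,
    "SimulateNotReady": 1,
}

if __name__ == "__main__":
    values = read_crash_control() if sys.platform == "win32" else SAMPLE_VALUES
    dump_type = resolve_dump_type(values)
    print("dump type:", dump_type, DUMP_TYPE_NAMES.get(dump_type, "unmapped"))
    print("flags: 0x%x" % effective_flags(values))
    print("filters:", parse_dump_filters(values.get("DumpFilters", [])))
    for finding in audit(values):
        print("FINDING:", finding)
```

On the constructed snapshot the script resolves CrashDumpEnabled 7 to dump type 6 (Bitmap – Kernel), reports Flags as 0x8 because SimulateNotReady is present, and raises a single finding for that value; on a Windows host it reads the live key instead. Values of CrashDumpEnabled the post does not map (0, 5, 6) come back as `None` rather than a guessed type.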

Dump flags

The dump context structure has a flags field, some of whose bits are controllable from the registry settings outlined above.  The bit layout is shown below.

[Figure: dump context flag bitmask]

Drive Telemetry

The registry key HKLM\CCS\Control\CrashControl\StorageTelemetry controls a diagnostic feature present in the crashdmp.sys driver for Windows 8.  By creating a value name beneath this key in the format StorageTCCode_[N], where [N] is a number specified in the DeviceDumpEnabled value name, the crashdmp.sys driver will read up to 8 collection codes starting from the value specified in [N].  The values stored in the registry value names named in this manner will be stored in the dump context structure and used during crash/hibernate to collect diagnostic metrics.  The driver maintains a global buffer to store telemetry data and registers a bugcheck callback routine (CrashdmpDriveTelemetryCallback).
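The walk described above (DeviceDumpEnabled supplies the starting index, the driver then reads up to 8 StorageTCCode_[N] value names) is easy to get wrong when auditing a key by hand, so here it is as code. This is an added example, not code from the original post: the window size and the "any nonzero value enables" rule come from the post, the choice to skip a missing name rather than stop the walk is this example's assumption, and `SAMPLE_TELEMETRY` is a constructed snapshot of the StorageTelemetry key's values.

```python
"""Enumerate the StorageTelemetry collection codes the post describes.

Added example, not code from the original post. The walk (DeviceDumpEnabled
gives the starting index, up to 8 StorageTCCode_[N] value names are read)
follows the post; that missing names are skipped rather than ending the walk
is this example's assumption, and the snapshot is constructed.
"""
import re

MAX_CODES = 8  # from the post: the driver reads up to 8 codes
CODE_NAME = re.compile(r"^StorageTCCode_(\d+)$")


def telemetry_codes(values):
    """Return [(index, code), ...] the driver would pick up, or [] if telemetry is off."""
    start = values.get("DeviceDumpEnabled", 0)
    if not isinstance(start, int) or start == 0:
        return []  # "any nonzero value" enables collection
    picked = []
    for n in range(start, start + MAX_CODES):
        code = values.get(f"StorageTCCode_{n}")
        if code is not None:  # assumption: gaps in the numbering are skipped
            picked.append((n, code))
    return picked


def stray_code_names(values):
    """StorageTCCode_ values outside the window the driver reads: never consumed,
    so worth noticing in an audit as configuration that does nothing."""
    start = values.get("DeviceDumpEnabled", 0)
    window = range(start, start + MAX_CODES) if isinstance(start, int) and start else range(0)
    stray = []
    for name in values:
        m = CODE_NAME.match(name)
        if m and int(m.group(1)) not in window:
            stray.append(name)
    return sorted(stray)


SAMPLE_TELEMETRY = {  # constructed snapshot; the code numbers are arbitrary
    "DeviceDumpEnabled": 3,
    "StorageTCCode_3": 0x11,
    "StorageTCCode_4": 0x12,
    "StorageTCCode_6": 0x13,
    "StorageTCCode_12": 0x99,
}

if __name__ == "__main__":
    for n, code in telemetry_codes(SAMPLE_TELEMETRY):
        print(f"StorageTCCode_{n} -> {code:#x}")
    print("never read:", stray_code_names(SAMPLE_TELEMETRY))
```

With the constructed snapshot the driver's window is indices 3 through 10, so codes 3, 4 and 6 are picked up and StorageTCCode_12 is reported as a value the driver never reads.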

It is not clear what these diagnostics actually accomplish.
