The crash dump stack is configured through various settings in the registry. The kernel function IoConfigureCrashDump(), which is called explicitly during the crash dump stack pre-initialization phase during kernel initialization and implicitly whenever NtSetSystemInformation(), PoBroadcastSystemState() or PoShutdownBugCheck() is called, reads the crash dump settings from the registry and stores this information in a global data structure. The completed global data structure is used during pre-initialization of the crash dump stack. After Windows Vista, the registry-reading code is located in crashdmp.sys (crashdmp!ReadRegistrySettings).
The table below captures all registry settings, as of Windows 8, that control hibernation and crash dump behaviour, as found through reversing the relevant components. Keys and value names that are not user-driven (but rather are generated by an operating system component) are also included for thoroughness.
| Value Name | Valid Values | Used In | Purpose |
|---|---|---|---|
| Autoreboot | 0 or 1 | Kernel | If set to 1, the system will automatically reboot after a crash. |
| MinidumpDir | Valid path | Smss.exe | Path to store minidumps. |
| MinidumpsCount | Number | Smss.exe | The maximum number of minidumps to store before overwriting the oldest. |
| Overwrite | 0 or 1 | Smss.exe | |
| DumpFile | N/A | crashdmp.sys | This value name is set to the location of the last dump file generated by the crash stack. |
| TempDestination | N/A | crashdmp.sys | Temporary location for the dump file, if needed. |
| MachineCrash | N/A | crashdmp.sys | A volatile key generated when a crash occurs. |
| DedicatedDumpFile | Valid file | crashdmp.sys | Specifies the full path and file name of a file to be used as the crash dump file. The value cannot be longer than 150 characters. |
| DumpFileSize | Valid size | crashdmp.sys | Specifies the size of the dump file. |
| DumpFilters | String | crashdmp.sys | Contains a null-terminator separated list of driver names. |
| CrashDumpEnabled | 0-7 | crashdmp.sys | Sets the dump type; see the mapping table below. |
| LogEvent | > 0 | crashdmp.sys | Sets the dump type to 4, only if CrashDumpEnabled is not set. Purpose not exactly known. |
| SendAlert | > 0 | crashdmp.sys | Same as LogEvent. |
| ResumeCapable | -1 (0xFFFFFFFF) or 1 | crashdmp.sys | Enables (1) or disables (-1) the resume feature. |
| EnableLogFile | >= 0 | crashdmp.sys | Enables (1) or disables (0) the dumpstack.log file. |
| DumpLogLevel | -1, >= 1 | crashdmp.sys | Sets the log level, which has an effect on the dump log size. See this page for details. |
| SimulateError | Any value! | crashdmp.sys | A numeric value used in error simulation. The value passed from the registry is stored unchecked in the dump context structure and referenced later. |
| SimulateNotReady | Any value | crashdmp.sys | Any value in this key will result in the dump context structure Flags member being OR’d with 8 (the SimulateNotReady bit). See the table below for possible values of the Flags member. |
| Flags | Bitmask | crashdmp.sys | The value passed in this registry key controls a bitmask flag in the dump context structure. See the bit definition of this field below. |
| StorageTelemetry\DeviceDumpEnabled | Any nonzero value | crashdmp.sys | Turns on drive telemetry collection. See the section below. |
| StorageTelemetry\StorageTCCode_[N] | Any value! | crashdmp.sys | Sets values for specific telemetry collection codes. See the section below. |
Crash dump types
The default values for some variables can change based on values supplied in the registry. The table below attempts to capture this mapping.
| Value of CrashDumpEnabled | Resulting Dump Type |
|---|---|
Dump type definitions are shown below. Note that 4, 5 and 6 are the only usable dump types.

| Dump Type | Definition |
|---|---|
| 5 | Bitmap – Full |
| 6 | Bitmap – Kernel |
| 7 | Automatic (defaults to Bitmap – Kernel) |
The dump context structure has a flags field, some of whose bits are controllable from the registry settings outlined above. The bit layout is shown below.
The registry key HKLM\CCS\Control\CrashControl\StorageTelemetry controls a diagnostic feature present in the crashdmp.sys driver for Windows 8. If value names in the format StorageTCCode_[N] are created beneath this key, where [N] is a number specified in the DeviceDumpEnabled value name, the crashdmp.sys driver reads up to 8 collection codes starting from the value specified by [N]. The values stored in the registry value names named in this manner are stored in the dump context structure and used during crash/hibernate to collect diagnostic metrics. The driver maintains a global buffer to store telemetry data and registers a bugcheck callback routine (CrashdmpDriveTelemetryCallback).
It is not clear what these diagnostics actually accomplish.
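As an added example (not code from the original article), the following PowerShell audits the CrashControl settings from the table above together with the StorageTelemetry subkey, reporting the values a responder would want to notice: dumps disabled, an over-long DedicatedDumpFile, error-simulation knobs, and telemetry collection codes. It assumes the standard CurrentControlSet key path; the function name Get-CrashControlAudit is my own.

```powershell
# Added example, not part of the original article: audit the CrashControl
# settings documented above. Assumes the standard CurrentControlSet path.
$CrashControlPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashControlAudit {
    param([string]$Path = $CrashControlPath)
    $findings = @()
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # CrashDumpEnabled (0-7) selects the dump type; 0 writes no dump at all,
    # which removes the post-mortem evidence a responder relies on.
    if ($null -ne $p.CrashDumpEnabled -and [int]$p.CrashDumpEnabled -eq 0) {
        $findings += 'CrashDumpEnabled=0: no crash dump will be written'
    }

    # DedicatedDumpFile is limited to 150 characters (see the table above).
    if ($p.DedicatedDumpFile -and $p.DedicatedDumpFile.Length -gt 150) {
        $findings += 'DedicatedDumpFile exceeds the 150-character limit'
    }

    # SimulateError and SimulateNotReady feed error simulation in the dump
    # context; they have no place on a production host.
    foreach ($name in 'SimulateError', 'SimulateNotReady') {
        if ($null -ne $p.$name) { $findings += "$name is set to $($p.$name)" }
    }
    # Flags is the dump-context bitmask; bit 8 is the SimulateNotReady bit.
    if ($null -ne $p.Flags -and ([int]$p.Flags -band 8) -ne 0) {
        $findings += 'Flags has the SimulateNotReady bit (8) set'
    }

    # StorageTelemetry\DeviceDumpEnabled supplies N; the driver then reads up
    # to eight StorageTCCode_[N] values starting at that N.
    $telemetryPath = Join-Path $Path 'StorageTelemetry'
    if (Test-Path $telemetryPath) {
        $t = Get-ItemProperty -Path $telemetryPath
        if ($t.DeviceDumpEnabled) {
            $n = [int]$t.DeviceDumpEnabled
            $codes = @(0..7 | ForEach-Object { $t."StorageTCCode_$($n + $_)" } |
                       Where-Object { $null -ne $_ })
            $findings += "Drive telemetry enabled (N=$n), $($codes.Count) code value(s) present"
        }
    }
    return $findings
}

Get-CrashControlAudit | ForEach-Object { Write-Output $_ }
```

Run it from an elevated prompt on the host being examined; an empty result means none of the listed conditions was found.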