Crash Dump Driver Stack

The crash dump driver stack, or just “crash dump stack”, refers to a series of drivers that work together to implement the crash dump mechanism in Windows.

A driver stack is a concept fundamental to the Windows Driver Model (WDM) and to the later driver frameworks in the Windows operating system. Simply put, a driver stack is a series of layered drivers that work together to complete a task. An example is a mass storage driver stack, whose drivers pass input/output (I/O) requests back and forth to complete operations. Typical driver stacks that control physical hardware have several key components:

  • Port driver – an abstraction interface provided by the operating system; it hides underlying protocol details from the class driver
  • Miniport driver – a manufacturer-supplied driver to interface with physical hardware (Host Bus Adapter/HBA); it is linked against a port driver for a specific transport technology
  • Class driver – a driver that abstracts the underlying technology of a category of devices that share similar qualities (e.g., cdrom.sys)

These types of drivers are present in any hardware stack in Windows – from network and mass storage devices to peripherals such as keyboards and mice.

The table below shows some common drivers found in the Windows crash dump driver stack.

| Driver Name On Disk | Driver Base Name in Memory | Purpose |
|---|---|---|
| diskdump.sys | dump_diskdump | SCSI/Storport dump port driver with required exports from scsiport.sys and storport.sys. This driver is unloaded. |
| dumpata.sys | dump_dumpata | IDE/ATA dump port driver with required ataport.sys exports. This driver is unloaded. |
| scsiport.sys | dump_scsiport | The final SCSI/Storport dump port driver. |
| ataport.sys | dump_ataport | The final IDE/ATA dump port driver. |
| atapi.sys | dump_atapi | An older, generic ATAPI miniport driver provided by the OS for IDE/ATA drives. |
| vmscsi.sys | dump_vmscsi | The miniport driver provided by VMware for SCSI drives. |
| LSI_SAS.sys | dump_LSI_SAS | The miniport driver provided by LSI Corporation for serial-attached storage drives. |
| dumpfve.sys | dump_dumpfve | Windows full volume encryption crash dump filter driver. |