Friday, November 13, 2015

Capturing a Memory Dump from a Hung Machine

We recently deployed McAfee's File and Removable Media Protection which seems to hang some Windows 7 machines. It is still early and it is possible that some of our other security products are interfering with McAfee's tool. The hard part is capturing some important diagnostic information, including a McAfee MER.

We are getting reports of the failures from computers more often from Europe. Those computers usually have just booted up within the first hour of work. When the computer hangs, the mouse is frozen and the computer will not respond to Ctrl-Alt-Del.

Here are some of the steps we needed to take to capture a full memory dump using a keyboard command. There are good articles on each step but I didn't find any articles that put them all together.

  1. Make sure the workstation is able to capture a full memory dump
    • Paging file needs to be bigger than the size of the RAM by at least 100 MB
    • Stop automatic reboots. This should ensure that the dump is written before rebooting.
    • Make sure to do a complete memory dump
  2. Set the computer to NMICrashDump to capture hardware failures in a BSOD
    • HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump
  3. Set the computer to crash on keyboard command
    • There are two keys to worry about depending on USB keyboard or PS/2 keyboads
    • HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters\CrashOnCtrlScroll
We have started playing with this McAfee KM article to see if it gives any relief.

One of the more distressing issues is that we cannot capture a memory dump, blue screen or otherwise, when McAfee FRP is fully installed. I am going to test if disabling the local driver will allow the capture shown above.