From time to time, computer systems are known, for whatever reason, to crash. Most commercial operating systems comprise a facility for writing the content of memory prevailing at the time of a hardware or software crash to nonvolatile storage such as, for example, an HDD. This is known within the art as a memory dump. Microsoft Windows XP, for example, can be configured to write debugging information to three different file formats, which are known as memory dump files, when a computer unexpectedly stops. The three types of memory dump are known as (1) a complete memory dump, (2) a kernel memory dump and (3) a small memory dump.
A complete memory dump records all content of the system memory when the computer unexpectedly stops. One skilled in the art understands that such a complete memory dump requires a paging file that is sufficient to hold the content of the physical RAM plus additional space to store metadata for reading the dump.
A kernel memory dump is arranged, in response to the computer stopping unexpectedly, to record only the content of the kernel memory. It will be appreciated that this reduces the time taken to record debugging information as compared to the complete memory dump. One skilled in the art appreciates that the kernel memory dump requires (1) an amount of storage space on the HDD that is greater than the size of the kernel-occupied memory, (2) a paging file of at least one third of the size of the physical memory of the computer and (3) extra space for metadata to be available on the dump volume, that is, the volume on which such a memory dump is stored. It will be appreciated that the kernel memory dump does not include the content of unallocated memory or any memory that is allocated to user-mode programs. It includes only memory that is allocated to the kernel and memory allocated to kernel-mode drivers and other kernel-mode programs. As compared to the complete memory dump, the kernel memory dump is significantly smaller and represents an attempt to avoid the need to record data for those parts of memory that are unlikely to have been the cause of, or to be associated with, the crash.
A small memory dump is arranged to record a much smaller set of useful information to help identify the reason behind the system crash. Typically, a small memory dump requires a paging file of approximately 2 MB on the dump volume.
One skilled in the art appreciates that the physical memory capacity of computers can be substantial. For high-end configurations, systems are available with many gigabytes of memory and some systems comprise terabytes of physical memory. It will be appreciated that writing to HDDs is significantly slower than writing to physical memory. Therefore, for a machine with about 256 GB of physical memory, it can take many hours to perform a memory dump in response to a system stopping unexpectedly, during which the machine might be unavailable. It will be appreciated that it is unacceptable within today's commercial computing environment to have such high-end hardware or computing facilities unavailable for such significant periods of time.
It is an object of the present invention to at least mitigate one or more of the problems of the prior art.