How Can I Read a DMP File?

By Michael G. Sanchez

Every computer user knows that frustrated, sinking feeling that occurs when a system crash strikes. System crashes happen without warning and result in slashed productivity, exasperated users, and sometimes lost work. A "dump" is a record of the computer's state at the moment of a crash. Dump files are automatically generated by Windows when a crash occurs. They are used by developers and advanced users to help figure out what caused the crash. DMP is the file extension Windows uses for dump files.

DMP File Data Format

There are three types of memory dumps that can be generated by Windows. The first, and largest, is called a complete memory dump. When this type of dump is created, the total contents of memory are written to a DMP file. The second, and notably smaller, dump type is the kernel memory dump. As its name implies, a kernel memory dump records only the kernel memory. Unallocated memory and any memory allocated to user-mode programs are ignored. This makes analyzing the dump file easier and less time-consuming than with a complete memory dump. The third and most compact type of dump, called a small memory dump, generates a DMP file that is just 64 kilobytes in size. It includes only the following information: the Stop message and its parameters, a list of loaded drivers, the processor context (PRCB) for the stopped processor, the process information and kernel context (EPROCESS) data, the process data and kernel context (ETHREAD) for the stopped thread, and the kernel-mode call stack for the stopped thread.

How to Locate a DMP File

By default, complete memory dumps and kernel memory dumps are both written to %SystemRoot%\Memory.dmp. Windows only saves one of these dump files at a time. When a new crash occurs, the existing DMP file is overwritten. DMP files generated by a small memory dump, however, are saved in the %SystemRoot%\Minidump directory. Unlike other dump types, existing small memory dump files are not overwritten when new ones are generated. Windows automatically includes the date in the filename of small memory dump DMP files. For instance, a DMP file with the name "mini043014-01.dmp" was created on April 30, 2014. The "-01" following the date in the filename indicates that it was the first DMP file created on that day.

Opening & Viewing a DMP file

There are two main software applications used to open and view DMP files: Windows Debugging Tools and the Dump Check Utility, also called Dumpchk. Windows Debugging Tools is the best option for examining complete memory dumps and kernel memory dumps, while Dumpchk is ideal for looking at small memory dumps. Both applications can be downloaded for free from Microsoft's website. Since the exact URLs may change over time, it is best to search for the programs by name at and then download from the resulting links. To examine a DMP file using Windows Debugging Tools, open a command prompt and navigate to the folder where you installed Windows Debugging Tools. Then, enter one of the following commands to open the file:

windbg -y SymbolPath -i ImagePath -z DumpFilePath

kd -y SymbolPath -i ImagePath -z DumpFilePath

The first command opens the DMP file in Windows' GUI debugger (WinDbg), while the second opens it in the text-based kernel debugger (kd). The SymbolPath parameter refers to the location of the debugging symbols on your hard drive. The ImagePath parameter refers to the location of your image files. Finally, the DumpFilePath parameter is the location of your DMP file. To open a DMP file in Dumpchk, simply type the following command into a command prompt:

dumpchk DumpFilePath

Analyzing the Contents of a DMP File

Windows Debugging Tools offer a number of helpful commands for analyzing DMP files. The !analyze -show command outputs the Stop error code and its parameters, which is useful for determining exactly what led to the crash. The !analyze -v command displays the same information as verbose output. The lm N T command lists the modules that were loaded at the time of the crash.

Compared to Windows Debugging Tools, Dumpchk is a fairly simple utility. It is primarily used to verify the integrity of dump files and to view them. To test a dump file for errors, use the -e command-line option. For example, you would type the following at the command line:

dumpchk -e DumpFilePath

Other Dumpchk options include -v, which turns on verbose mode; -p, which outputs the DMP header only; and -c, which performs a quick dump validation.
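As an added example (not part of the original article), the following PowerShell script ties together the default dump locations, the miniMMDDYY-NN.dmp filename convention, and the kd and dumpchk command lines described in the sections above: it lists the dump files present on the machine, decodes each small dump's date and sequence number, and prints the command needed to open or check it. The tool directory, symbol path and image path are assumed placeholders that must be adjusted for your system, and two-digit years are assumed to be 20xx.

```powershell
# Added example (not from the original article). Enumerates Windows crash dump
# files at their default locations, decodes the small-dump filename convention
# (miniMMDDYY-NN.dmp), and builds the analysis command lines described above.
# The tool, symbol and image paths are placeholders; adjust them for your system.

$ToolsDir   = 'C:\Program Files\Debugging Tools for Windows'   # where windbg, kd and dumpchk live
$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'
$ImagePath  = "$env:SystemRoot\System32"

function Get-CrashDumps {
    $dumps = @()
    # At most one Memory.dmp exists: the latest complete or kernel dump (overwritten on each crash).
    $full = Join-Path $env:SystemRoot 'Memory.dmp'
    if (Test-Path $full) {
        $item = Get-Item $full
        $dumps += [pscustomobject]@{ Path = $item.FullName; Kind = 'Complete/Kernel'; Date = $item.LastWriteTime.Date; Seq = 0 }
    }
    # Small memory dumps accumulate in %SystemRoot%\Minidump; the date is encoded in the filename.
    $miniDir = Join-Path $env:SystemRoot 'Minidump'
    if (Test-Path $miniDir) {
        foreach ($item in Get-ChildItem -Path $miniDir -Filter '*.dmp') {
            $date = $item.LastWriteTime; $seq = 0     # fallback when the name does not follow the convention
            if ($item.Name -match '^mini(\d{2})(\d{2})(\d{2})-(\d{2})\.dmp$') {
                # Month, day, two-digit year (assumed 20xx), then the per-day sequence number, e.g. mini043014-01.dmp
                $date = Get-Date -Year (2000 + [int]$Matches[3]) -Month ([int]$Matches[1]) -Day ([int]$Matches[2])
                $seq  = [int]$Matches[4]
            }
            $dumps += [pscustomobject]@{ Path = $item.FullName; Kind = 'Small'; Date = $date.Date; Seq = $seq }
        }
    }
    $dumps | Sort-Object Date, Seq
}

function Get-DumpCommand {
    param([Parameter(Mandatory)]$Dump)
    # Small dumps are checked with dumpchk -e; complete and kernel dumps are opened in kd with -y/-i/-z.
    if ($Dump.Kind -eq 'Small') {
        "& '$ToolsDir\dumpchk.exe' -e '$($Dump.Path)'"
    } else {
        "& '$ToolsDir\kd.exe' -y '$SymbolPath' -i '$ImagePath' -z '$($Dump.Path)'"
    }
}

foreach ($d in Get-CrashDumps) {
    '{0:yyyy-MM-dd} #{1,-2} {2,-15} {3}' -f $d.Date, $d.Seq, $d.Kind, $d.Path
    Get-DumpCommand -Dump $d
}
```

The script only prints the command lines; paste the one you want into the prompt (or replace the final loop's output with Invoke-Expression) once the placeholder paths point at a real tools installation.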