How does memory dumping work?


I searched on chatGPT and google but can’t understand what it’s all about. Can someone please explain in simple words? Thanks


9 Answers

Anonymous 0 Comments

Imagine you’re a detective, investigating a murder. It’d probably help a lot if you could somehow examine the victim’s brain and see what their eyes were seeing when they died. Maybe you could find important clues as to who killed them.

A memory dump is kinda like that. It’s a record of a machine’s RAM’s state at the moment it crashed: which drivers were loaded, what processes were running, what was cached, generally what and how the system was doing. You take a look at that to hopefully figure out what caused the crash.

Anonymous 0 Comments

It is usually implemented directly in the OS kernel. Whenever a critical kernel driver does something it’s not supposed to do and crashes, the kernel cannot gracefully clean up and reload the crashed driver, so it loads the memory dump routine.

In this state the kernel does very little else: it just displays an error screen, writes down the entire snapshot of system memory into a predetermined location on the system disk and reboots once it’s done.

By reading out the dump file, engineers can look into the crash scene and determine what went wrong.

I’m borrowing [this image](https://textplain.files.wordpress.com/2016/09/image_thumb.png?w=750&h=260&zoom=2) from [this blog post](https://textslashplain.com/2016/09/05/troubleshooting-windows-10-bluescreens/).

You can see the call stack structure in the image. Read from the bottom up: it’s nt trying to do some IO transfer, likely something wifi related, so it calls up the wifi driver bcmw163a.

Normally bcmw163a finishes what it’s being called for, then returns down to the kernel and the day continues.

But in this case bcmw163a fucks up, calls for a nonexistent address, triggering a page fault handled by the nt kernel again to swap the page in.

The kernel driver memory space it resides in is never supposed to be paged, therefore the system rejects the page fault as nonsense. Now the OS has to deal with “page fault in nonpaged area”. This by Windows standards is a critical error; it is not safe to continue to operate if this error happened, so the kernel is designed to call the “KeBugCheckEx” routine, which is the usual BSOD you see: it displays a summary of the error, writes down the whole memory to disk, then reboots.
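To make the "read out the dump file" step concrete, here is an added example in Python; it is not from the answer above, the linked blog post, or Windows itself, and the dump layout is a constructed toy format, not the real Windows dump format. It writes a snapshot containing a module table, the faulting address and a call stack, then parses it back and walks the stack the way the answer describes, resolving each return address to a module plus offset so you can see the kernel calling into the driver, the driver touching an unmapped address, and the kernel taking over to bug check. Module names, base addresses and offsets are constructed; 0x50 is the real PAGE_FAULT_IN_NONPAGED_AREA bug check code, used here only as a label.

```python
"""Toy crash-dump writer and analyzer (constructed format, not Windows' own)."""
import struct

MAGIC = b"TOYDUMP1"
PAGE_FAULT_IN_NONPAGED_AREA = 0x50   # real Windows bug check code, used as a label
KERNEL_MODULE = "nt"                 # the kernel image; every other module is a driver


def build_dump(bugcheck, fault_addr, modules, stack):
    """Serialize a crash snapshot.

    modules: list of (name, base, size) for loaded images.
    stack:   return addresses, innermost frame first (the order a debugger prints).
    """
    out = bytearray(MAGIC)
    out += struct.pack("<IQI", bugcheck, fault_addr, len(modules))
    for name, base, size in modules:
        raw = name.encode()
        out += struct.pack("<B", len(raw)) + raw + struct.pack("<QQ", base, size)
    out += struct.pack("<I", len(stack))
    for addr in stack:
        out += struct.pack("<Q", addr)
    return bytes(out)


def parse_dump(data):
    """Inverse of build_dump; raises on a file that is not our toy format."""
    if data[:8] != MAGIC:
        raise ValueError("not a toy dump")
    off = 8
    bugcheck, fault_addr, nmod = struct.unpack_from("<IQI", data, off)
    off += struct.calcsize("<IQI")
    modules = []
    for _ in range(nmod):
        (n,) = struct.unpack_from("<B", data, off)
        off += 1
        name = data[off:off + n].decode()
        off += n
        base, size = struct.unpack_from("<QQ", data, off)
        off += 16
        modules.append((name, base, size))
    (nframes,) = struct.unpack_from("<I", data, off)
    off += 4
    stack = list(struct.unpack_from("<%dQ" % nframes, data, off))
    return bugcheck, fault_addr, modules, stack


def module_for(addr, modules):
    """Return the (name, base) of the image containing addr, or None if unmapped."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, base
    return None


def symbolize(addr, modules):
    """Render an address as module+offset, or mark it unmapped (the 'nonexistent address')."""
    hit = module_for(addr, modules)
    if hit is None:
        return "0x%x (unmapped)" % addr
    name, base = hit
    return "%s+0x%x" % (name, addr - base)


def analyze(data):
    """Walk the stack top-down and name the first non-kernel frame as the culprit driver."""
    bugcheck, fault_addr, modules, stack = parse_dump(data)
    frames = [symbolize(a, modules) for a in stack]
    culprit = None
    for addr in stack:                       # top frames are nt's fault handler / KeBugCheckEx
        hit = module_for(addr, modules)
        if hit is not None and hit[0] != KERNEL_MODULE:
            culprit = hit[0]                 # first driver frame below the kernel's handlers
            break
    return {
        "bugcheck": bugcheck,
        "fault_target": symbolize(fault_addr, modules),
        "frames_bottom_up": list(reversed(frames)),   # read as the answer suggests: bottom up
        "culprit": culprit,
    }


# Constructed sample: nt dispatches IO to the wifi driver, which dereferences 0x10.
NT_BASE, DRV_BASE = 0xFFFFF80000400000, 0xFFFFF88001A00000
SAMPLE_MODULES = [(KERNEL_MODULE, NT_BASE, 0x700000), ("bcmw163a", DRV_BASE, 0x40000)]
SAMPLE_STACK = [NT_BASE + 0x1234,     # nt: bug check routine (top of stack)
                NT_BASE + 0x5678,     # nt: page fault handler
                DRV_BASE + 0x2A10,    # bcmw163a: the instruction that touched 0x10
                NT_BASE + 0xABCD,     # nt: IO dispatch into the driver
                NT_BASE + 0x9999]     # nt: bottom of stack
SAMPLE_DUMP = build_dump(PAGE_FAULT_IN_NONPAGED_AREA, 0x10, SAMPLE_MODULES, SAMPLE_STACK)


def analyze_sample():
    return analyze(SAMPLE_DUMP)


if __name__ == "__main__":
    result = analyze_sample()
    print("bug check 0x%x, fault target %s" % (result["bugcheck"], result["fault_target"]))
    for f in result["frames_bottom_up"]:
        print("  ", f)
    print("culprit:", result["culprit"])
```

The only analysis happening here is address-to-module resolution, which is also the first thing a real debugger does with a dump: without the module table, a stack is just numbers, and with it you can see which image each frame belongs to and spot the driver sandwiched between the kernel's call and the kernel's fault handler.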