I’m working with Microsoft to identify a problem I’m seeing with LSASS, possibly related to the VSS snapshot created by our backup software. At this point, I need to be able to capture the memory state on the system, even if I can’t log into the box.
There are several ways to trigger a crash in order to collect a memory dump, but this system is a guest running in VMware vSphere (ESX4). I asked VMware support, and they pointed me to KB article 1009187, "Generating a Windows core dump from an ESX virtual machine".
I configured my test system guest to crash and collect a memory dump on an NMI event, then used the vmdumper command to send the NMI to the guest.
It worked like a champ.
I verified the integrity of the dump file with dumpchk. It looks good. I’m setting the same thing up on my production guest.
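For the guest-side step described above (configuring Windows to crash and write a dump on an NMI), here is an added example that is not from the original post or from the VMware KB article: a PowerShell check of the CrashControl registry settings that can also set them. The function name Test-NmiCrashDumpConfig is hypothetical. The example assumes a complete memory dump is wanted, an elevated session when -Fix is used, and PowerShell 3.0 or later.

```powershell
# Added example: audit (and optionally set) the guest's crash-dump settings
# that decide what Windows does when the hypervisor injects an NMI.
function Test-NmiCrashDumpConfig {
    param([switch]$Fix)   # -Fix writes the values; needs an elevated session

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # Desired state (assumption: a complete dump is wanted for LSASS analysis).
    # NMICrashDump = 1 makes Windows bugcheck on an NMI; Windows 8 and
    # Server 2012 and later do this by default and ignore the value.
    $want = @{ NMICrashDump = 1; CrashDumpEnabled = 1 }
    $dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

    $current = Get-ItemProperty -Path $key
    $changed = $false

    foreach ($name in $want.Keys) {
        $have = $current.$name            # $null when the value is absent
        if ($have -ne $want[$name]) {
            Write-Warning "$name is '$have', expected $($want[$name])"
            if ($Fix) {
                # Creates the value as a DWORD if it does not exist yet.
                Set-ItemProperty -Path $key -Name $name -Value $want[$name] -Type DWord
                $changed = $true
            }
        }
    }

    # Re-read so the report reflects what is actually in the registry now.
    $after = Get-ItemProperty -Path $key
    [pscustomobject]@{
        NMICrashDump   = $after.NMICrashDump
        DumpType       = $dumpTypes[[int]$after.CrashDumpEnabled]
        DumpFile       = $after.DumpFile
        AutoReboot     = [bool]$after.AutoReboot
        RebootRequired = $changed         # settings are read at boot
        Ready          = ($after.NMICrashDump -eq 1 -and $after.CrashDumpEnabled -ne 0)
    }
}

# Report only; add -Fix to write the settings.
Test-NmiCrashDumpConfig
```

A complete dump also needs a page file on the boot volume at least as large as the guest's RAM, which this check does not verify.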