Viewing your KMDF log in a mini-dump (and other post mortem features)

Your KMDF driver log can also be available in a mini-dump under certain
circumstances. If you have a full kernel dump or a full memory dump, the log
will be always present (barring any memory corruption or problems writing out the
dump file). KMDF will attempt to write your driver’s log to the mini-dump if
one of the following are true:

  1. KMDF can determine if your driver is the cause of the bugcheck
  2. You added a registry setting which told KMDF to always write your log

As of v1.5, KMDF can determine if your driver is the cause of a bugcheck if
one of the bug check parameters contains a pointer which is within the loaded
driver’s memory range. KMDF could attempt to walk the stack to figure out if
the client is on the stack, but KMDF plays it safe. Walking the stack may cause
another fault, which could make it impossible to capture a dump (which is just
one possible thing that could go wrong). When the following bug check codes
occur, KMDF will attempt to determine if your driver was the cause of the bug check:

Code Value

At first glance, to get your log out of the mini-dump you would think that
you could use !wdflogdump to view the log. Unfortunately,
you can’t use this command because of the way that memory is stored in the mini-dump. Instead,
you need to run the !wdfcrashdump command. All
the other dump related commands (!wdfsearchpath, !wdftmffile)
still work in the mini-dump environment.

If you have a kernel debugger attached, you can also save the log explicitly.
The !wdflogsave [DriverName [FileName]] command will save the log for you
in a WPP compatible format (which you can open in a trace viewing app like TraceView).
If you do not specify [FileName], the log will be written to [DriverName].etl.

You can also force KMDF to always write your driver’s log file to the mini-dump.
To enable this feature, you must add the following registry value under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<your driver>\Parameters\WDF.
A value of zero (the default) turns the feature off, a non-zero value enables the

    ForceLogsInMiniDump : REG_DWORD

Comments (0)