Use LiveKD to get dump out of VM

There is a way to extract and analyze memory contents from Hyper-V snapshots and saved states. Hyper-V stores this state in files with the extensions *.vsv and *.bin. To convert these files into a full memory dump (*.dmp) that the Debugging Tools for Windows can open, Microsoft released the "Hyper-V VM State to Memory Dump Converter" (vm2dmp.exe) in January 2010 (http://archive.msdn.microsoft.com/vm2dmp).

Unfortunately this tool is no longer available from that portal. To understand how it worked, see the blog post VM2DMP Hyper-V VM State to Memory Dump Converter.

Even where you can still find it, the tool works only on files created by Hyper-V version 1 and 2 (Hyper-V on Windows Server 2008 and 2008 R2). When you try to convert snapshots or saved states created on Hyper-V 2012 or 2012 R2, the tool fails.

More about these file extensions: Understanding where your virtual machine files are [Hyper-V]

LiveKD is a good alternative: it captures a full memory dump of a running VM from the host without crashing or rebooting the guest (the VM is paused while the dump is written and resumed afterwards), which is exactly what we need in our current scenario.

Steps to configure memory dump using LiveKD

1.) Install "Debugging Tools for Windows" on the Hyper-V host (not inside the VM).

  • Download the Windows Software Development Kit (SDK) for Windows 8.1 from http://msdn.microsoft.com/en-US/windows/desktop/bg162891.
  • Click "Download now" and then select "Run": this is the installer package, not the debugging tools themselves.
  • On the "Select features" page, uncheck everything except "Debugging Tools for Windows".
  • Click Install.
  • Alternatively, install the tools on a workstation and copy the "Debuggers" folder from "C:\Program Files (x86)\Windows Kits\8.1" to the host.

2.) Download LiveKD from Sysinternals and place livekd.exe in the Debuggers\x64 folder from step 1, so that it can find kd.exe. Hyper-V VM support (-hv) requires a Windows 8.1 / Windows Server 2012 R2 or later host.

3.) Configure the symbol path.

  • Open a command prompt with administrative privileges and run the following command so that kd can resolve kernel symbols (the local cache folder c:\symbols is created on first use):

set _NT_SYMBOL_PATH=c:\symbols;srv*c:\symbols*http://msdl.microsoft.com/download/symbols

4.) Dump the VM with LiveKD.

In the same command prompt, change to the Debuggers\x64 folder and run the following command to take a memory dump of a virtual machine. TargetVM is the VM's name (or GUID) as listed by LiveKD -hvl; the VM must be running.

LiveKD -p -hv {TargetVM} -o c:\TargetVM.DMP


-o      Saves a memory.dmp to disk instead of launching the debugger.

-p      Pauses the target Hyper-V VM while LiveKD is active (recommended for use with -o).

-hv     Specifies the name or GUID of the Hyper-V VM to debug.

-hvl    Lists the names and GUIDs of running Hyper-V VMs.

Please note that with -p the VM stays paused until the memory dump has been written; the dump is as large as the guest's assigned RAM, so plan for both the outage and the disk space.
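The four steps above, wrapped in one script, as an added example that is not code from the original post or from Sysinternals. It assumes the Debugging Tools were installed from the Windows 8.1 SDK into "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64", that livekd.exe was copied there, and that the Hyper-V PowerShell module is present on the host; $VMName, $DebuggerDir and $OutDir are script parameters, not names from the post. It adds the checks a practitioner wants before pausing a production guest: elevation, that the VM is actually running, that the target volume can hold a dump the size of the guest's RAM, and, afterwards, that the file carries a crash-dump signature and the guest resumed.

```powershell
<#
 Added example, not code from the original post: runs steps 1-4 above end to end
 from an elevated PowerShell session on the Hyper-V host.
 Assumptions (not stated on the page): the Debugging Tools were installed from the
 Windows 8.1 SDK, livekd.exe was copied into their x64 folder, and the Hyper-V
 PowerShell module is available on the host.
#>
param(
    [Parameter(Mandatory)] [string] $VMName,
    [string] $DebuggerDir = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64',
    [string] $OutDir      = 'C:\dumps'
)
$ErrorActionPreference = 'Stop'

# LiveKD talks to the hypervisor, so it must run elevated.
$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$livekd = Join-Path $DebuggerDir 'livekd.exe'
if (-not (Test-Path $livekd)) { throw "livekd.exe not found in $DebuggerDir (see step 2)" }

# Step 3: same symbol path as the post, but scoped to this process only.
$env:_NT_SYMBOL_PATH = 'c:\symbols;srv*c:\symbols*http://msdl.microsoft.com/download/symbols'

# LiveKD can only dump a running VM; resolve it first so a typo fails here, not mid-dump.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Running') { throw "VM '$VMName' is $($vm.State); LiveKD needs a running VM." }

# The dump is as large as the guest's RAM: make sure the target volume can hold it.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$drive = Get-PSDrive -Name (Split-Path -Qualifier $OutDir).TrimEnd(':')
if ($drive.Free -lt $vm.MemoryAssigned) {
    throw ('Only {0:N1} GB free on {1}: but the guest has {2:N1} GB assigned.' -f `
        ($drive.Free / 1GB), $drive.Name, ($vm.MemoryAssigned / 1GB))
}

# Show LiveKD's own view of the running VMs (-hvl); -hv matches against this list.
& $livekd -accepteula -hvl

# Step 4: -p pauses the guest so memory does not change underneath us, -o writes the
# dump instead of opening kd. The guest stays paused until LiveKD exits.
$dumpPath = Join-Path $OutDir ('{0}-{1:yyyyMMdd-HHmmss}.dmp' -f $vm.Name, (Get-Date))
$started  = Get-Date
& $livekd -accepteula -p -hv $vm.Name -o $dumpPath
if ($LASTEXITCODE -ne 0) { throw "LiveKD exited with code $LASTEXITCODE" }

# Post-checks: the file exists, carries a Windows crash-dump signature
# (PAGEDU64 for x64 guests, PAGEDUMP for x86), and the guest resumed.
$dump   = Get-Item $dumpPath
$stream = [IO.File]::OpenRead($dumpPath)
try { $hdr = New-Object byte[] 8; [void]$stream.Read($hdr, 0, 8) } finally { $stream.Dispose() }
$magic = [Text.Encoding]::ASCII.GetString($hdr)
if ($magic -notin 'PAGEDU64', 'PAGEDUMP') { Write-Warning "Unexpected dump signature '$magic'" }

$vm = Get-VM -Id $vm.Id
if ($vm.State -ne 'Running') {
    Write-Warning "VM is $($vm.State) after the dump; resume it with Resume-VM if needed."
}

[pscustomobject]@{
    VM      = $vm.Name
    State   = $vm.State
    Dump    = $dump.FullName
    SizeGB  = [math]::Round($dump.Length / 1GB, 2)
    Elapsed = (Get-Date) - $started
}
```

Run it as .\Get-VMDump.ps1 -VMName TargetVM from an elevated prompt on the host. The signature check is a cheap way to catch a truncated or empty file before you copy gigabytes to an analysis box; open the result with windbg -z <file> as usual.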


How to live debug a VM in Hyper-V

Another method to take a dump of a Hyper-V VM is to inject an NMI into the guest, which makes the guest OS bugcheck and write its own crash dump.
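The NMI alternative, as an added example that is not from the original post: it uses the Hyper-V module's Debug-VM cmdlet (available on Windows Server 2012 R2 and later hosts), waits for the guest to go down and come back, and warns when either step does not happen. Unlike the LiveKD method it is destructive, since the guest bugchecks (STOP 0x80, NMI_HARDWARE_FAILURE) and the dump is written by the guest OS according to its own crash-dump configuration; $VMName and the Wait-Heartbeat helper are names introduced here.

```powershell
# Added example, not code from the original post: crash a Hyper-V guest with an NMI
# so that Windows inside the VM writes its own kernel or complete dump, then wait for
# it to reboot. Requires the Hyper-V module on a Server 2012 R2 or later host.
param([Parameter(Mandatory)] [string] $VMName)
$ErrorActionPreference = 'Stop'

$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Running') { throw "VM '$VMName' is $($vm.State); an NMI only helps a running guest." }

# Polls the Integration Services heartbeat until it is (or is no longer) healthy.
function Wait-Heartbeat([guid] $Id, [bool] $Healthy, [int] $TimeoutSec) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 5
        $ok = (Get-VM -Id $Id).Heartbeat -like 'Ok*'
    } until ($ok -eq $Healthy -or (Get-Date) -gt $deadline)
    return ($ok -eq $Healthy)
}

# Windows 8 / Server 2012 and later guests bugcheck on NMI by default; older guests need
# HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump = 1 set beforehand,
# and every guest needs CrashDumpEnabled configured and a large enough page file.
Write-Warning "About to crash '$($vm.Name)' via NMI; the dump is written by the guest OS."
Debug-VM -Name $vm.Name -InjectNonMaskableInterrupt -Force

if (-not (Wait-Heartbeat $vm.Id $false 120)) {
    Write-Warning 'Guest did not go down; check NMICrashDump and CrashDumpEnabled inside the guest.'
} elseif (-not (Wait-Heartbeat $vm.Id $true 900)) {
    Write-Warning 'Guest has not come back yet; a large complete dump may still be writing.'
}
$vm = Get-VM -Id $vm.Id
'{0}: state={1} heartbeat={2}' -f $vm.Name, $vm.State, $vm.Heartbeat
```

The dump lands inside the guest (by default %SystemRoot%\MEMORY.DMP), so you still have to copy it out over the network or by mounting the VHD after the reboot. Prefer LiveKD when the workload must survive.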

Coming soon: how to generate a kernel or a complete memory dump file in Windows Server 2012 and Windows Server 2012 R2.

NotMyFault (Sysinternals): an executable and driver that crash the system in several different ways, useful for testing that dump generation inside the guest actually works before you need it.

