MiniDumpWriteDump and its MINIDUMP_TYPE type


Not so long ago we understood that even a release build can function incorrectly: it can fall, it can hang, etc. So we decided to implement a dump creation procedure. All the steps were found rather quickly on the Internet. But one thing, the main one, is still not understandable to us.

According to MSDN, MINIDUMP_TYPE supports 23 flags. But there is no deep technical explanation for the following question: are they all independent in their fields of application? Or can they be used in pairs or triples? Can they all be used simultaneously? Can I use them in groups (for example, some 3 flags generating practically the same dump as some other 5 flags)? I mean that using, for example, flags 1+3 would be absolutely equal to using flags 4+6+9. Or is flag 1 or flag 3 or ... a superposition of all the other flags? Or what? I want to understand all possible crossings between all available flags, because maybe there is no practical sense in using flags 3+12+14.

For example, my current aim is to create a dump with absolutely all available data in memory. I should be able to look at all threads and all local, static, global and in-heap variables. I mean that when I open a dump generated with the combination of flags bla+bla+bla, it should be absolutely the same as when I attach the debugger directly to the process. I should obtain all possible data!

P.S. MiniDumpWithFullMemory does not give me such an ability((( Why? Doesn't the word @FULL@ memory mean FULL? It's only a part of what?

There are 3 answers

0
da22e On BEST ANSWER

For future reference, and since information is still only sparsely available: a similar question has already been asked, see What combination of MINIDUMP_TYPE enumeration values will give me the most 'complete' mini dump?. The answers mention the excellent, albeit (a bit) outdated, debugging resource DebugInfo.com, pointing to the article http://www.debuginfo.com/articles/effminidumps.html#minidumptypes in particular. Note that new-ish flags (available since Windows 7 and possibly earlier versions such as Windows Vista) are indeed not being explained. There seems to be no comprehensive version history of MINIDUMP_TYPE flags, and the minimum version given by the API documentation does not always seem to be true, as I have had issues in the past using flags such as MiniDumpWithFullMemoryInfo, allegedly available since DbgHelp.dll 6.1 on Windows 7, until I upgraded DbgHelp.dll version 6.8 to (the most recent Windows 7) DbgHelp.dll version 6.12.

Windows 7 did introduce Windows Error Reporting (WER) and looking at the documentation of WerReportAddDump one will stumble (among others) across the WerDumpTypeHeapDump, which (as of 2020-07-27) seems to be equivalent to a minidump type of

MiniDumpWithDataSegs
 | MiniDumpWithProcessThreadData
 | MiniDumpWithHandleData
 | MiniDumpWithPrivateReadWriteMemory
 | MiniDumpWithUnloadedModules
 | MiniDumpWithFullMemoryInfo
 | MiniDumpWithThreadInfo
 | MiniDumpWithTokenInformation
 | MiniDumpWithPrivateWriteCopyMemory

with the last three flags apparently only being available since Windows 7 (and requiring a sufficiently recent DbgHelp.dll). This seems to be the most comprehensive dump that can be recorded by WER (ignoring custom dump types) and is probably a good starting point in terms of minimum information that should be recorded for post-mortem debugging as if a debugger was attached to the process beforehand.

0
josh poley On

A minidump contains a bunch of pieces that represent a process. The memory used by the process is only just a part of it. Metadata about the threads, handles, etc. are all additional pieces.

All this data is stored in separate "streams" within the .dmp file (a list of which can be seen here).

Selecting which of these streams to include is represented via a handful of the flags to MiniDumpWriteDump. A big chunk of the flags are then used to customize how much memory to include in the memory stream; this is just so that developers can minimize the size of the resulting file. For all the crash dumps that we generate, we typically use these MINIDUMP_TYPE flags:

MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithModuleHeaders | 
MiniDumpWithUnloadedModules | MiniDumpWithProcessThreadData | 
MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo


WinDbg has an undocumented command that you can use to dump out the internals of a crash dump file:

.dumpdebug

You can use this when viewing a crashdump file to see what streams were included, see all the modules, memory sections, etc.
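
An added example, not part of the answer above or of any Microsoft tooling: a minidump's 32-byte header records the MINIDUMP_TYPE value the dump was written with, and the stream directory it points to lists the streams present, so both can be read without a debugger. The layout follows the documented MINIDUMP_HEADER and MINIDUMP_DIRECTORY structures; the function names and the sample bytes are constructed for illustration.

```python
import struct

# MINIDUMP_TYPE bits in declaration order: bit 0 is MiniDumpWithDataSegs.
FLAG_NAMES = [
    "WithDataSegs", "WithFullMemory", "WithHandleData", "FilterMemory",
    "ScanMemory", "WithUnloadedModules", "WithIndirectlyReferencedMemory",
    "FilterModulePaths", "WithProcessThreadData", "WithPrivateReadWriteMemory",
    "WithoutOptionalData", "WithFullMemoryInfo", "WithThreadInfo",
    "WithCodeSegs", "WithoutAuxiliaryState", "WithFullAuxiliaryState",
    "WithPrivateWriteCopyMemory", "IgnoreInaccessibleMemory",
    "WithTokenInformation", "WithModuleHeaders", "FilterTriage",
]
# Subset of MINIDUMP_STREAM_TYPE values (0 is UnusedStream).
STREAM_NAMES = {3: "ThreadList", 4: "ModuleList", 5: "MemoryList",
                6: "Exception", 7: "SystemInfo", 9: "Memory64List",
                12: "HandleData", 14: "UnloadedModuleList", 15: "MiscInfo",
                16: "MemoryInfoList", 17: "ThreadInfoList", 19: "Token"}
HEADER = struct.Struct("<4sIIIIIQ")  # MINIDUMP_HEADER (32 bytes)
DIRENT = struct.Struct("<III")       # MINIDUMP_DIRECTORY: type, size, RVA

def decode_flags(flags):
    """Names of the MINIDUMP_TYPE bits set in the header's Flags field."""
    names = ["MiniDump" + n for i, n in enumerate(FLAG_NAMES) if flags >> i & 1]
    extra = flags >> len(FLAG_NAMES) << len(FLAG_NAMES)  # bits past the table
    if extra:
        names.append("unknown:0x%x" % extra)
    return names or ["MiniDumpNormal"]

def inspect_dump(data):
    """Return (flag names, stream names) from a dump's header and directory."""
    if len(data) < HEADER.size or data[:4] != b"MDMP":
        raise ValueError("not a minidump")
    _sig, _ver, count, dir_rva, _sum, _stamp, flags = HEADER.unpack_from(data)
    if dir_rva + count * DIRENT.size > len(data):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(count):
        stype, _size, _rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        if stype:  # skip UnusedStream slots
            streams.append(STREAM_NAMES.get(stype, "stream#%d" % stype))
    return decode_flags(flags), streams

def build_sample(flags, stream_types):
    """Constructed header + directory only; stream payloads are omitted."""
    head = HEADER.pack(b"MDMP", 0xA793, len(stream_types), HEADER.size, 0, 0, flags)
    return head + b"".join(DIRENT.pack(t, 0, 0) for t in stream_types)

# 0x81926 is the flag set listed in the answer above, OR-ed together.
SAMPLE = build_sample(0x81926, [3, 4, 9, 12, 14, 16, 17, 0])
```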

0
CraigJones On

With VS 2010 it doesn't recognize the MINIDUMP_TYPE flag MiniDumpWithModuleHeaders. The following flags work for me:-

MiniDumpWithFullMemory | MiniDumpWithHandleData | MiniDumpWithUnloadedModules |
MiniDumpWithProcessThreadData |
MiniDumpWithFullMemoryInfo | MiniDumpWithThreadInfo | 
MiniDumpWithFullAuxiliaryState | MiniDumpIgnoreInaccessibleMemory |
MiniDumpWithTokenInformation