How to trigger a full memory dump based on a user mode process exception
Scenario: You have something kernel-related triggering crashes of user mode processes (you think). You are trying to prove it. You're told you need a full memory dump of the system at the time the user mode process crashes.
How to do it?
Glad you asked!
(To back this out, delete the task. If something goes wrong and the system boots into a crash loop, booting in safe mode should stop it too.)
Step .5: Log on with an account that has administrative rights. :)
Step 1: Follow KB969028 so you are configured properly for a full memory dump.
Step 2: Download NotMyFault from here. Unzip to C:\notmyfault. Unblock the exe and sys files (if needed) by right-clicking each file, selecting Properties, then selecting "Unblock".
Step 3: Run Task Scheduler and select "Create Basic Task..." in the Actions pane on the right.
Step 4: Give your basic task a clever name. Mine is 'crashme'. Click next.
Step 5: Answer the radio button question with "When a specific event is logged". See where I'm going with this?
Step 6: Set Log to Application, Source to Application Error and Event ID to 1000.
Step 7: Select Next, as we want "Start a program" selected and it's the default.
Step 8: Browse to C:\notmyfault\x<your system architecture here>\NotMyFault.exe (x64, for example). Add /crash as your argument, and set Start in to "C:\notmyfault\<xwhatever>".
Step 9: Check the box to open the task properties and click Finish.
Step 10: Check the box "Run with highest privileges", and on the Settings tab uncheck the "Stop the task if it runs longer than" box and click OK.
Step 11: Wait for your app to crash. Enjoy.
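Steps 2 through 10 can also be scripted. The PowerShell below is an added example, not part of the original walkthrough. It assumes an x64 system and an elevated prompt, and it refuses to create the task unless the CrashControl registry value already selects a complete memory dump (CrashDumpEnabled = 1), so a crash is never triggered with the wrong dump type.

```powershell
# Added example: scripted version of Steps 2-10. Run from an elevated PowerShell prompt.
$arch    = 'x64'                        # assumption: 64-bit system, as in the x64 case above
$toolDir = "C:\notmyfault\$arch"
$exe     = Join-Path $toolDir 'NotMyFault.exe'

# Step 1 check: CrashDumpEnabled = 1 means "Complete memory dump".
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
if ($cc.CrashDumpEnabled -ne 1) {
    throw "CrashDumpEnabled is $($cc.CrashDumpEnabled), not 1 (complete dump). Finish Step 1 first."
}
if (-not (Test-Path $exe)) { throw "NotMyFault not found at $exe" }

# Step 2: clear the downloaded-file block on the exe and sys files.
Get-ChildItem 'C:\notmyfault' -Recurse -File | Unblock-File

# Steps 5-6: event trigger on Application log, source "Application Error", Event ID 1000.
$query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Application Error'] and EventID=1000]]</Select>
  </Query>
</QueryList>
"@
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace 'Root/Microsoft/Windows/TaskScheduler'
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $query

# Steps 7-8: start NotMyFault.exe /crash with the tool folder as "Start in".
$action = New-ScheduledTaskAction -Execute $exe -Argument '/crash' -WorkingDirectory $toolDir

# Step 10: highest privileges, and no "stop the task if it runs longer than" limit.
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                 -LogonType Interactive -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName 'crashme' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings

# Back out: Unregister-ScheduledTask -TaskName 'crashme' -Confirm:$false
```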