This tutorial will show you how to create a live kernel dump file in Windows 11.
A live kernel dump creates a consistent snapshot of kernel memory and saves it to a dump file without having to restart the computer.
The goal of kernel live dump is to gather data to trouble shoot an abnormal situation, but allow the OS to continue operation. This reduces downtime when compared to a bug check for “non-fatal” but high-impact failures and hangs. Kernel live dumps are used when it is possible to recover the OS to a known good state.
Starting with Windows 11 build 22621.1928, Microsoft added a set of new developer-focused features in Task Manager to aid the collection of live kernel memory dumps (LKDs). This is in addition to the existing “Memory dump” for user mode processes. The goal of kernel live dump is to gather data to troubleshoot an abnormal situation but allow the OS to continue operation. This reduces downtime when compared to a bug check for “non-fatal” but high-impact failures and hangs.
A Full live kernel memory dump contains active kernel memory, with optional inclusion of hypervisor memory and user-mode memory. The options to capture hypervisor and user pages are available for full live kernel dumps. Alternatively, a Kernel stacks memory dump is a smaller file, limited to kernel processor states and all kernel thread stacks.
Reference:
Task Manager Live Memory Dump - Windows drivers
This topic describes how to take a live kernel memory dump using task manger.
learn.microsoft.com
Kernel Live Dump Code Reference - Windows drivers
This section contains descriptions of the common kernel live dumps, and describes how they are different from traditional bug checks.
docs.microsoft.com
You must be signed in as an administrator to create a live kernel dump file.
Contents
- Option One: Create Live Kernel Dump File in Task Manager
- Option Two: Create Live Kernel Dump File in PowerShell
This option is only available starting with Windows 11 build 22621.1776.
1 Open Task Manager (Ctrl+Shift+Esc).
2 Perform the following actions: (see screenshot below)
- Click/tap on the Details tab.
- Right click on an empty area in Details.
- Click/tap on Create live kernel dump file.
- Click/tap on Full live kernel dump or Kernel stacks dump for which type of dump file you want to create.
3 You will now see a Dumping kernel dialog showing you the location of the dump file. You can click/tap on OK to close the dialog, or click/tap on Open file location to open File Explorer to the dump file's location. (see screenshot below)
The dumps will be written to a fixed location:
%LocalAppData%\Microsoft\Windows\TaskManager\LiveKernelDumps
1 Open Windows Terminal (Admin), and select Windows PowerShell.
2 Copy and paste the command below into PowerShell, and press Enter to get the StorageSubsystem friendly name. (see screenshot below step 3)
Get-StorageSubSystem3 Make note of the StorageSubsystem friendly name (ex: "Windows Storage on BrinkW11"). (see screenshot below)
4 Type the command below into PowerShell, and press Enter. (see screenshot below)
Get-StorageDiagnosticInfo -StorageSubSystemFriendlyName "<name>" -IncludeLiveDump -DestinationPath "$Env:userprofile\Desktop"Substitute <name> in the command above with the actual StorageSubsystem friendly name (ex: "Windows Storage on BrinkW11") from step 3.
Get-StorageDiagnosticInfo -StorageSubSystemFriendlyName "Windows Storage on BrinkW11" -IncludeLiveDump -DestinationPath "$Env:userprofile\Desktop"
5 A localhost folder will now be created on your desktop that includes the live kernel dump file. (see screenshot below)
That's it,
Shawn Brink
Last edited:
