When Windows 11 crashes with a blue screen error, the system can save diagnostic information in a memory dump file. By default, Windows creates an automatic dump that may not contain all the data needed to analyze a specific bug check code. A full memory dump contains the entire contents of physical RAM at the moment of the crash. This article explains how to configure Windows 11 to capture a full memory dump for a specific bug check, such as CRITICAL_PROCESS_DIED or MEMORY_MANAGEMENT.
Full memory dumps are large files equal to the size of your system RAM. A system with 16 GB of RAM will produce a 16 GB dump file. You need enough free disk space on the system drive to store the file. The dump file is saved at %SystemRoot%\MEMORY.DMP by default. After capturing the dump, you can analyze it with tools like WinDbg to identify the driver or process that caused the crash.
This guide covers the registry and system settings required to force a full memory dump for a specific bug check. It also explains how to verify the dump was created and how to avoid common configuration mistakes.
Key Takeaways: Configuring Full Memory Dumps for Bug Check Analysis
- Registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl: Contains the CrashDumpEnabled and FilterPages values that control dump type and behavior.
- System Properties > Advanced > Startup and Recovery > Settings: The GUI method to set dump type to Complete memory dump and specify the dump file location.
- Verification with WMIC or PowerShell: Use the command “wmic RECOVEROS get DebugInfoType” or “Get-WmiObject Win32_OSRecoveryConfiguration” to confirm the current dump configuration.
Understanding Full Memory Dumps and Bug Check Targeting
A full memory dump writes the entire contents of physical memory to disk when a bug check occurs. This includes all kernel-mode and user-mode data, loaded drivers, and memory-mapped files. Unlike a kernel memory dump, which omits user-mode pages, or a small memory dump, which only records the stop code and stack, a full dump gives you complete forensic data for post-mortem debugging.
Windows 11 uses the CrashDumpEnabled registry value to determine the dump type. A value of 1 enables a full memory dump. A value of 2 enables a kernel dump. A value of 3 enables a small dump. The FilterPages value controls whether Windows excludes pages owned by processes that did not cause the crash. When FilterPages is set to 1, Windows filters out pages from processes unrelated to the bug check, reducing the dump size but losing data. For a true full dump containing all RAM, FilterPages must be set to 0.
Bug check codes are hexadecimal values such as 0x0000007B (INACCESSIBLE_BOOT_DEVICE) or 0x0000003B (SYSTEM_SERVICE_EXCEPTION). The dump file captures the state at the exact moment the bug check was raised. Targeting a specific bug check means you configure the system before the crash occurs. You cannot retroactively change the dump type after a crash.
Steps to Configure a Full Memory Dump for a Specific Bug Check
Follow these steps to set Windows 11 to capture a full memory dump. You need administrative privileges to modify system settings and the registry.
- Open System Properties
Press Windows + R to open the Run dialog. Type sysdm.cpl and press Enter. This opens the System Properties window. - Navigate to Startup and Recovery
Select the Advanced tab. Under Startup and Recovery, click Settings. - Set the dump type to Complete memory dump
In the Startup and Recovery dialog, locate the Write debugging information section. From the dropdown list, select Complete memory dump. Ensure the dump file path is set to %SystemRoot%\MEMORY.DMP. Click OK to close the dialog, then click OK to close System Properties. - Disable automatic memory dump overwrite via registry
Press Windows + R, type regedit, and press Enter. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl. In the right pane, locate the FilterPages DWORD value. If it does not exist, right-click an empty area, select New > DWORD (32-bit) Value, and name it FilterPages. Double-click FilterPages and set its value to 0. This ensures no pages are filtered from the dump. Click OK. - Configure the dump file size limit
In the same registry key, locate the DumpFileSizePercent DWORD value. If it does not exist, create it. Set its value to 100 to allow the dump file to use up to 100% of the system drive space. Click OK. Close Registry Editor. - Verify the configuration
Open Command Prompt as administrator. Type wmic RECOVEROS get DebugInfoType and press Enter. The output should display 1 for Complete memory dump. Alternatively, run Get-WmiObject Win32_OSRecoveryConfiguration | Select-Object DebugInfoType in PowerShell. The value should be 1. - Ensure sufficient disk space
Open File Explorer and check the free space on the drive where Windows is installed. The full memory dump requires free space equal to the size of your system RAM plus overhead. For 16 GB RAM, you need at least 18 GB free. Delete unnecessary files or move data to another drive if space is low.
Common Issues and Things to Avoid
The dump file is not created after a crash
This occurs when the system drive runs out of space before the dump is written. Windows does not create a partial dump. Check the free space on the drive. Also verify that the page file is large enough. Windows uses the page file as a temporary buffer for the dump. The page file must be at least as large as the system RAM plus 1 MB. To check, go to Settings > System > About > Advanced system settings > Performance > Advanced > Virtual memory. Ensure the initial and maximum size are set to a value equal to or greater than your RAM size.
The dump file is smaller than the system RAM
This happens when FilterPages is set to 1. Windows excludes pages from processes unrelated to the crash. To capture all RAM, set FilterPages to 0 as shown in Step 4 above. Also check that the dump type is Complete memory dump, not Kernel memory dump. Kernel dumps are typically much smaller than full RAM.
Boot failure after enabling full memory dump
A full memory dump setting alone does not cause boot failure. However, if the system drive is nearly full, Windows may fail to write the dump during a crash and then attempt recovery on the next boot. This can lead to a boot loop. Always ensure at least 20% free space on the system drive before enabling full dumps. If a boot loop occurs, boot into Safe Mode and change the dump type back to Automatic memory dump.
Full Memory Dump vs Automatic Memory Dump: Key Differences
| Item | Full Memory Dump | Automatic Memory Dump |
|---|---|---|
| Description | Captures the entire contents of physical RAM at the time of the crash | Selects the dump type based on the crash context; usually a kernel dump |
| File size | Equal to system RAM size | Approximately 30% to 50% of system RAM size |
| Kernel-mode data | All kernel-mode data is included | All kernel-mode data is included |
| User-mode data | All user-mode pages are included | Only user-mode pages for the crashing process are included |
| Disk space requirement | High; must equal RAM plus overhead | Moderate; typically 4-8 GB |
| Best use case | Debugging complex driver issues or memory corruption | General crash analysis for most users |
After configuring the full memory dump, trigger the specific bug check by reproducing the conditions that cause the crash. For example, if the bug check occurs when a specific USB device is connected, plug in that device and perform the actions that previously caused the crash. Windows writes the dump file to the specified path. You can then analyze it with WinDbg by loading the dump file and running the command !analyze -v to see the stop code, stack trace, and the driver or module that caused the crash. For ongoing monitoring, consider enabling the dump in a test environment before applying it to production systems. Use the DumpFileSizePercent registry value to cap the dump size if disk space is limited, but note that setting it below 100 may truncate the dump and lose critical data.