Memory Dumps from Xen-virtualized Windows

Suppose we have a kernel, complete, or minidump from Windows running under the Xen hypervisor. How would we distinguish it from a memory dump of Windows running on non-virtualized hardware? We can check the machine ID:

kd> !sysinfo machineid
Machine ID Information [From Smbios 2.4, DMIVersion 36, Size=348]
BiosMajorRelease = 3
BiosMinorRelease = 1
BiosVendor = Xen
BiosVersion = 3.1.0
SystemManufacturer = Xen
SystemProductName = HVM domU
SystemVersion = 3.1.0

and drivers:

kd> lm m *xen*
start end module name
f6012000 f605f000 dump_xenvbd (deferred)
f794b000 f795c000 xennet (deferred)
f82c0000 f830d000 xenvbd (deferred)
f845f000 f846b000 XENUTIL (deferred)
f84cf000 f84db000 dump_XENUTIL (deferred)

Note: similar information can be checked for VMware and Virtual PC.
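When triaging many dumps, the two checks above can be applied to saved debugger output. The following is an added example, not code from the original post: the function names, the abbreviated sample text, and the "likely/possible/none" grading are assumptions of the example.

```python
import re

# Constructed sample input, abbreviated from the debugger output shown above.
SYSINFO = """\
Machine ID Information [From Smbios 2.4, DMIVersion 36, Size=348]
BiosVendor = Xen
SystemManufacturer = Xen
SystemProductName = HVM domU
"""
LM = """\
start end module name
f794b000 f795c000 xennet (deferred)
f82c0000 f830d000 xenvbd (deferred)
f845f000 f846b000 XENUTIL (deferred)
"""
SMBIOS_FIELDS = ("BiosVendor", "SystemManufacturer", "SystemProductName")

def parse_machineid(text):
    """Return the 'Name = Value' pairs of !sysinfo machineid as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*\S)\s*$", line)
        if m:  # the bracketed header line has no 'Name =' prefix and is skipped
            fields[m.group(1)] = m.group(2)
    return fields

def parse_modules(text):
    """Return module names from lm output rows (start, end, name, ...)."""
    mods = []
    for line in text.splitlines():
        # Addresses are hex; 64-bit dumps print them with a ` separator.
        m = re.match(r"\s*[0-9a-f`]+\s+[0-9a-f`]+\s+(\S+)", line, re.I)
        if m:
            mods.append(m.group(1))
    return mods

def xen_evidence(sysinfo_text, lm_text):
    """Collect SMBIOS and driver indicators and grade how well they agree."""
    fields = parse_machineid(sysinfo_text)
    smbios = [f"{k} = {fields[k]}" for k in SMBIOS_FIELDS
              if re.search(r"xen|HVM domU", fields.get(k, ""), re.I)]
    drivers = [m for m in parse_modules(lm_text) if "xen" in m.lower()]
    # Assumption of this example: two independent sources agreeing is
    # stronger than one, since a dump may lack either piece of data.
    verdict = ("none", "possible", "likely")[bool(smbios) + bool(drivers)]
    return {"smbios": smbios, "drivers": drivers, "verdict": verdict}

if __name__ == "__main__":
    print(xen_evidence(SYSINFO, LM))
```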

- Dmitry Vostokov @ DumpAnalysis.org -
