| Default | REG_SZ | 0x0 | | |
| AutoReboot | REG_DWORD | 0x0 | Disabled | |
| | | 0x1 | Enabled | Default |
| CrashDumpEnabled | REG_DWORD | 0x0 | No info recorded | |
| | | 0x1 | Complete dump | (pagefile = RAM + 1 MB) Also used for Active Memory Dump (with FilterPages key set = 1): http://blogs.msdn.com/b/clustering/archive/2015/05/18/10615526.aspx |
| | | 0x2 | Kernel dump | |
| | | 0x3 | Small (Mini) dump | |
| | | 0x7 | Automatic memory dump | New in Win8: http://blogs.technet.com/b/askcore/archive/2012/09/12/windows-8-and-windows-server-2012-automatic-memory-dump.aspx Generates HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\LastCrashTime for 4 weeks after a crash. |
| Overwrite | REG_DWORD | 0x0 | Do Not Overwrite | Only for Complete or Kernel dumps |
| | | 0x1 | Overwrite | |
| LogEvent | REG_DWORD | 0x0 | Disabled | |
| | | 0x1 | Enabled | Default |
| MinidumpsCount | REG_DWORD | 0x32 | equals 50 in decimal | |
| DumpFile | REG_EXPAND_SZ | %SystemRoot%\MEMORY.dmp | Default - switch location if using Dedicated Dump File options | |
| MinidumpDir | REG_EXPAND_SZ | C:\Windows\Minidump | Default | |
| DumpFilters | REG_MULTI_SZ | dumpfve.sys | Default on my system | |
| AlwaysKeepMemoryDump | REG_DWORD | 0x0 | Disabled | |
| | | 0x1 | Enabled | Keeps dump even if less than 25 GB free |
| SendAlert | REG_DWORD | 0x0 | Off | |
| | | 0x1 | On | Default |
| SmallDumpDirectory | REG_EXPAND_SZ | %SystemRoot%\Minidump | ??? Uncertain if this is the MinidumpDir entry or not. Unable to locate on my system. | |
| FilterPages | REG_DWORD | 0x0 / 0x1 | ?Complete Dump / Active Dump | Must either be done using the GUI or manually entered. Will not be present unless this is done. http://blogs.msdn.com/b/clustering/archive/2015/05/18/10615526.aspx |
| DedicatedDumpFile | REG_SZ | --- | path and filename for dedicated dump file location | for Vista/Server 2008 |
| DumpFileSize | REG_DWORD | --- | Use decimal for size entry | for Vista/Server 2008 | Don't forget to update DumpFile entry above |
| Unknown entry | Unknown entry | Unknown entry | Unknown entry |
| CrashOnCtrlScroll | REG_DWORD | 0x1 | USB Keyboard crash w/Ctrl/Scroll Lock/Scroll Lock |
| CrashOnCtrlScroll | REG_DWORD | 0x1 | PS2 Keyboard crash w/Ctrl/Scroll Lock/Scroll Lock |
| PagingFiles | REG_MULTI_SZ | Page files location (see examples below) |
| ExistingPageFiles | REG_MULTI_SZ | Page files location (see examples below) |
| PagingFiles | REG_MULTI_SZ | ?:\pagefile.sys |
| ExistingPageFiles | REG_MULTI_SZ | \??\C:\pagefile.sys |
| VerifyDrivers | REG_SZ | *.sys | (example for verifying all drivers) Individual drivers listed like this: ksbus64.sys ksprt64.sys scsiport.sys (again, from my registry) |
| VerifyDriverLevel | REG_DWORD | 0x1 | Tries to satisfy all allocations from special pool. See http://support.microsoft.com/kb/244617 |
| | | 0x2 | Applies memory pressure to the driver to validate IRQL usage when accessing pageable code and data. See http://support.microsoft.com/kb/244617 |
| | | 0x3 | Default if key not present, or you don't specify level of driver verification. |
| | | 0x4 | Randomly fails various pool allocation requests. This action is only performed after the system has started and reached a point where the problem can be treated as reasonable situations that must be handled. See http://support.microsoft.com/kb/244617 |
| | | 0x8 | Enable pool allocation tracking. Every allocation must be freed before the driver unloads or the system performs a bug check. See http://support.microsoft.com/kb/244617 |
| | | 0x10 | Enable I/O verifier. See http://support.microsoft.com/kb/244617 |
| | | 0x1B | Default using Preferred settings in Verifier utility |
| | | 0xB | To track memory leaks, try a value of 0xB. This value is most easily obtained by clicking to select the preferred setting check box and clicking to clear the I/O verification check box. See http://support.microsoft.com/kb/244617 |
| TempDestination | REG_DWORD | 0 | No temp destination. Pagefile renamed directly to final name of DumpFile. |
| | | 1 | Temporary dump file location (I presume this from the previous entry) |
| FinalDumpFileLocation | Likely REG_MULTI_SZ | Werfault writes name to this location. | |
| DumpFile | Likely REG_MULTI_SZ | Temporary dump file name stored here (by winlogon.exe/savedump.exe) | |
| BootStatus | Unknown data content, found in Process Monitor when falsifying the MachineCrash Key |
| ProductPolicy | REG_BINARY | A cached copy of the data inside tokens.dat which specifies Windows editions and the features that they favor. | |
| ProductSuite | REG_MULTI_SZ | Terminal Server | Unknown values. This is the value from my Win7 SP1 64 bit system. |
| ProductType | REG_SZ | WinNT | Client |
| | | LanmanNT | Server (Domain Controller) |
| | | ServerNT | Server (Server only) |
| Name | Type | Data |
| Default | REG_SZ | mnmsrvc |
| Debug | REG_EXPAND_SZ | |
| Kmode | REG_EXPAND_SZ | \SystemRoot\System32\win32k.sys |
| Optional | REG_MULTI_SZ | posix |
| Posix | REG_EXPAND_SZ | %SystemRoot%\system32\psxss.exe |
| Required | REG_MULTI_SZ | Debug Windows |
| Windows | REG_EXPAND_SZ | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Name | Type | Data | Description |
| Start | REG_DWORD | 0 (SERVICE_BOOT_START) | Winload preloads the driver so that it is in memory during the boot. These drivers are initialized just prior to SERVICE_SYSTEM_START drivers. |
| | | 1 (SERVICE_SYSTEM_START) | The driver loads and initializes during kernel initialization after SERVICE_BOOT_START drivers have initialized. |
| | | 2 (SERVICE_AUTO_START) | The SCM starts the driver or service after the SCM process, Services.exe, starts. |
| | | 3 (SERVICE_DEMAND_START) | The SCM starts the driver or service on demand. |
| | | 4 (SERVICE_DISABLED) | The driver or service doesn't load or initialize. |
| ErrorControl | REG_DWORD | 0 (SERVICE_ERROR_IGNORE) | Any error the driver or service returns is ignored, and no warning is logged or displayed. |
| | | 1 (SERVICE_ERROR_NORMAL) | If the driver or service reports an error, an event log message is written. |
| | | 2 (SERVICE_ERROR_SEVERE) | If the driver or service returns an error and Last Known Good isn't being used, reboot into Last Known Good; otherwise, continue the boot. |
| | | 3 (SERVICE_ERROR_CRITICAL) | If the driver or service returns an error and Last Known Good isn't being used, reboot into Last Known Good; otherwise, stop the boot with a blue screen crash. |
| Type | REG_DWORD | 1 (SERVICE_KERNEL_DRIVER) | Device driver |
| | | 2 (SERVICE_FILE_SYSTEM_DRIVER) | Kernel-mode file system driver |
| | | 4 (SERVICE_ADAPTER) | Obsolete |
| | | 8 (SERVICE_RECOGNIZER_DRIVER) | File system recognizer driver |
| | | 16 (SERVICE_WIN32_OWN_PROCESS) | The service runs in a process that hosts only one service. |
| | | 32 (SERVICE_WIN32_SHARE_PROCESS) | The service runs in a process that hosts multiple services. |
| | | 256 (SERVICE_INTERACTIVE_PROCESS) | The service is allowed to display windows on the console and receive user input, but only on the console session (0) to prevent interacting with user/console applications on other sessions. |
| Group | REG_SZ | Group name | The driver or service initializes when its group is initialized. |
| Tag | REG_DWORD | Tag number | The specified location in a group initialization order. This parameter doesn't apply to services. |
| ImagePath | REG_EXPAND_SZ | Path to the service or driver executable file | If ImagePath isn't specified, the I/O manager looks for drivers in %SystemRoot%\System32\Drivers. Required for Windows services. |
| DependOnGroup | REG_MULTI_SZ | Group name | The driver or service won't load unless a driver or service from the specified group loads. |
| DependOnService | REG_MULTI_SZ | Service name | The service won't load until after the specified service loads. This parameter doesn't apply to device drivers other than those with a start type of SERVICE_AUTO_START or SERVICE_DEMAND_START. |
| ObjectName | REG_SZ | Usually LocalSystem, but it can be an account name, such as .\Administrator | Specifies the account in which the service will run. If ObjectName isn't specified, LocalSystem is the account used. This parameter doesn't apply to device drivers. |
| DisplayName | REG_SZ | Name of the service | The service application shows services by this name. If no name is specified, the name of the service's registry key becomes its name. |
| Description | REG_SZ | Description of service | Up to 32767-byte description of the service. |
| FailureActions | REG_BINARY | Description of actions the SCM should take when the service process exits unexpectedly | Failure actions include restarting the service process, rebooting the system, and running a specified program. This value doesn't apply to drivers. |
| FailureCommand | REG_SZ | Program command line | The SCM reads this value only if FailureActions specifies that a program should execute upon service failure. This value doesn't apply to drivers. |
| DelayedAutoStart | REG_DWORD | 0 (True) | Tells the SCM to start this service after a certain delay has passed since the SCM was started. This reduces the number of services starting simultaneously during startup. |
| | | 1 (False) | |
| PreshutdownTimeout | REG_DWORD | Timeout in milliseconds | This value allows services to override the default preshutdown notification timeout of 180 seconds. After this timeout, the SCM will perform shutdown actions on the service if it has not yet responded. |
| ServiceSidType | REG_DWORD | 0 (SERVICE_SID_TYPE_NONE) | Backward-compatibility setting. |
| | | 1 (SERVICE_SID_TYPE_UNRESTRICTED) | The SCM will add the service SID as a group owner to the service process' token when it is created. |
| | | 3 (SERVICE_SID_TYPE_RESTRICTED) | Same as above, but the SCM will also add the service SID to the restricted SID list of the service process, along with the world, logon, and write-restricted SIDs. |
| RequiredPrivileges | REG_MULTI_SZ | List of privileges | This value contains the list of privileges that the service requires to function. The SCM will compute their union when creating the token for the shared process related to this service, if any. |
| Security | REG_BINARY | Security Descriptor | This value contains the optional security descriptor that defines who has what access to the service object created internally by the SCM. If this value is omitted, the SCM applies a default security descriptor. I have only seen this key in the Security sub-key of a driver or service. |
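
An added example (not part of the original page): when reviewing an exported Services key offline, the Start, ErrorControl and Type data from the table above can be decoded as follows. Type is treated as a bit mask, and REG_EXPAND_SZ data such as ImagePath is decoded from the hex(2) UTF-16LE form that `reg export` writes. The service name "ExampleSvc", its values and the function names are constructed for illustration.

```python
import re

# Value meanings as listed in the table above.
START = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
         3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
TYPE_BITS = {1: "SERVICE_KERNEL_DRIVER", 2: "SERVICE_FILE_SYSTEM_DRIVER",
             4: "SERVICE_ADAPTER", 8: "SERVICE_RECOGNIZER_DRIVER",
             16: "SERVICE_WIN32_OWN_PROCESS", 32: "SERVICE_WIN32_SHARE_PROCESS",
             256: "SERVICE_INTERACTIVE_PROCESS"}

# Constructed sample in `reg export` text format; "ExampleSvc" and its path are made up.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ObjectName"="LocalSystem"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,65,00,78,00,2e,00,65,00,78,00,65,00,00,00
'''

def parse_reg_values(text):
    """Return {name: value} for one exported key (dword -> int, strings -> str)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    values = {}
    for name, raw in re.findall(r'^"([^"]+)"=(.+)$', text, re.M):
        raw = raw.strip()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith(("hex(2):", "hex(7):")):  # REG_EXPAND_SZ / REG_MULTI_SZ
            data = bytes(int(b, 16) for b in raw[7:].split(","))
            s = data.decode("utf-16-le").rstrip("\x00")
            values[name] = s.split("\x00") if raw[4] == "7" else s
        elif raw.startswith('"'):  # REG_SZ; backslashes are doubled in exports
            values[name] = raw[1:-1].replace("\\\\", "\\")
    return values

def describe_service(values):
    """Translate the numeric Start/ErrorControl/Type data into the table's names."""
    type_value = values.get("Type", 0)
    return {
        "Start": START.get(values.get("Start"), "unknown"),
        "ErrorControl": ERROR_CONTROL.get(values.get("ErrorControl"), "unknown"),
        "Type": [name for bit, name in TYPE_BITS.items() if type_value & bit],
        "ObjectName": values.get("ObjectName", "LocalSystem"),  # table: default account
        "ImagePath": values.get("ImagePath"),
    }

if __name__ == "__main__":
    print(describe_service(parse_reg_values(SAMPLE)))
```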