Sams Teach Yourself MCSE Windows NT Server 4 in 14 Days
(Publisher: Macmillan Computer Publishing)
Author(s): David Schaer, et al
ISBN: 0672311283
Publication Date: 12/15/97

The first option clearly is obvious. However, the second and third options do not overwrite or clear the logs if they become full (reach their maximum size). If this should happen, a message appears on the screen that the event log is full. After this happens, you must clear the log events or you will continue to get this message as events attempt to write to the event log.

To clear the log file, click Log from the menu and select Clear all log events. This clears only the events to the log file that is currently being viewed. You then are prompted as to whether you want to save the current log events before you clear them.

All log information, if you do not save it, is irrecoverable after you clear the log.

You can archive event logs by saving them. You can save the log files by choosing the option you are given when you clear them or when you click Save As from the Log menu. Each log (whether system, application, or security) saves separately and must be the one you currently are viewing for you to save it. The following are three basic formats in which you can save log files:

•  EVT files that allow for future viewing in the Event Viewer

•  Basic text (TXT) files

•  Comma-delimited files that you can use in other applications, such as spreadsheets or flat file databases

14.6. Memory Dumps

When a severe error (also known as a fatal error) occurs, it causes Windows NT to stop all processes and requires you to restart the computer. You can configure Windows NT to do different things if one of these unfortunate events occurs.

14.6.1. Capturing Memory Dumps

From the Control Panel, select the System applet. On the Startup/Shutdown tab, you will see two basic sections (see Figure 14.6), System Startup and Recovery. The upper portion, System Startup, enables you to set which operating system automatically starts at system bootup. You also can set the wait time of the startup menu.

In the lower half of the Startup/Shutdown tab you see Recovery options. Which of these options is selected depends on a Stop error event. The first two options are fairly basic. The third option, Write debugging information to, enables you to write whatever information that currently is loaded in memory to a file on the hard disk when the error occurs. This commonly is referred to as a memory dump. The last option automatically reboots the server when the Stop error event occurs. If you select the memory dump option, the server will not reboot until all information loaded in memory is dumped to the hard disk. The default location for the memory dump file is in the Windows NT root directory with a file name of MEMORY.DMP.

Figure 14.6.  From the Startup/Shutdown tab of the System applet in the Control Panel, you can configure automatic recovery options.

Because it dumps the entire contents of the memory onto the hard disk, there must be sufficient free disk space to receive the information. In other words, if you have 64MB of RAM installed on the server, a 64MB file is written in the event of a Stop error. If you do not have enough disk space for the file, you might lose information. Additionally, you must have a paging file on the computer’s system partition that is equal to or larger than the amount of RAM that you have installed.

14.6.2. Dump Utilities

After you create this MEMORY.DMP file, you can use it in several ways to debug the problem that caused the Stop error. To do so, there are three command-line utilities on the Windows NT Server and Windows NT Workstation CD-ROMs. They are located in the support\debug directory. Of course, if you have Windows NT installed on a different platform, you should use the subdirectory that corresponds with your platform. For example, because I have Windows NT installed on an Intel-based machine, I use the support\debug\i386 directory.

You can use the first utility, dumpflop, to write the memory dumpinformation to floppy disks. This can be handy if you must send the information to someone else for analysis. The information is compressed and spanned across several disks.

The correct syntax when you run the dumpflop command is

DUMPFLOP [opts] <CrashDumpFile> [<Drive>:]

The following line is an example of the application of this syntax:

DUMPFLOP –q c:\winnt\memory.dmp a:

There are a few command-line switches that you can use with dumpflop. Table 14.3 shows the available switches for dumpflop.

After the persons who will debug the information receive the floppies, you retrieve the memory dump by running the dumpflop utility. However, the syntax here is slightly different. The syntax is

DUMPFLOP [opts] <Drive>: [<CrashDumpFile>]