This HCT kit will install a special pool tag enabled feature for Windows NT® 4.0 that will cause the system to halt if drivers are discovered that do not properly allocate memory. All systems should be connected to a debugger or use the crashdump feature of Windows NT® to determine the faulty driver. Fixes to the driver may be required before a submission can be made. See the information below to help identify the responsible driver.

System Setup for Crashdump

1. Verify that pagefile.sys exists on %SystemDrive% and that its file size is at least as big as the physical memory in your system (RAM). Also verify that there will be enough disk space on your system partition to write a memory.dmp file; expect this file size to be equal in size to the pagefile.sys file. See the troubleshooting crashdump section below for additional crashdump configuration and troubleshooting information.
2. Copy the batchfile at HCT\Docs\InitSym\crashSetup.bat from the HCT CD to your system's hard disk drive. Insert the SP5 CD and run the batchfile from a DOS window command line (you must provide the CD-ROM drive letter as the batchfile parameter). This will copy dumpchk.exe and dumpexam.exe into your %SystemRoot%\System32 directory and the NT 4.0 SP5 symbols into the %SystemRoot%\Symbols directory.
3. Enable Crashdump in the OS by going to Control Panel - System - Startup/Shutdown and then, in the Recovery section, checking the box next to "Write debugging information to:". The path should read %SystemRoot%\memory.dmp. You will be prompted to reboot your system for this setting to take effect.

Debugging Pool Tag Problems with Crashdump

If your system encounters a fatal system error (blue screen) while installing the HCT kit (during the reboot portion of HCT setup), please reinstall NT 4.0 with SP5 and proceed as follows:

NOTE: If you are using a third party driver for your boot SCSI controller, then you will not be able to recover the system from a fatal system error (via the procedure below) if the SCSI driver has caused the memory fault. In this case, do not proceed with the instructions below, but contact the appropriate driver vendor to debug the fault.

1. Setup your system to be able to Crashdump. See System Setup for Crashdump above for details on how to do this.
   
   
2. It is strongly recommended that after installing the NT 4.0 with SP5, you install only one third party driver (video, network, sound, ect) and then proceed with instructions below. This facilitates in the identification of the third party driver that has caused the memory fault (blue screen).
   
   
3. Proceed to install the HCT kit. If you are able to successfully install the HCT kit without reproducing a fatal system error, then you may assume that the last installed third party driver was not the cause of the memory fault; therefore, go back and repeat step 2. But, if your system encounters a fatal system error please verify that, at the bottom of the blue screen, there is a percentage counter indicating that the memory is being dumped to a pagefile. If you do not see this, then there may be a problem with Crashdump and you will not build a memory dump file when you boot back into the OS.
   
   
4. After the memory has been successfully written to the pagefile, reboot your system and use either another OS (on a dual boot system) or a DOS boot disk (if your boot partition uses a FAT) to boot from.
   
   
5. Proceed to find the third party device driver (in the original NT 4.0 %SystemRoot%\System32\Drivers directory) that you suspect may be the cause for the memory fault and rename the driver file (eg. driverName.sys to driverName.sav).
   
   
6. Reboot the system and see if the NT 4.0 boots. If you encounter a fatal system error again, repeat steps 4 and 5 until you successfully identify and rename the third party driver that is causing the memory fault.
   
   
7. Once your system is able to boot NT 4.0 (after renaming the appropriate driver at fault), proceed to open a DOS window. Be certain that the memory.dmp file has stopped growing before proceeding. At the prompt, run 'dumpchk -v %SystemRoot%\memory.dmp' to verify that that the dump file looks correct (the last line of output should read "This dump file is good!"). See hct\docs\InitSym\dumpchk.txt for an example of a good dumpchk output. Then run 'dumpexam -v -y %SystemRoot%\Symbols' to generate a memory.txt file in the %SystemRoot% directory. See hct\docs\InitSym\memory.txt for what a good memory file should look like. The memory.txt file will provide some useful information on the memory fault and can be e-mailed to the appropriate support group to relay the nature of the problem.
   

If your NT 4.0 SP6 system exhibits a fatal system error when there are no third party drivers installed, inspect the blue screen on your system and refer to the Blue Screen Example below for help on interpreting the useful information on the blue screen.

Blue Screen Example

Below is a typical fatal system error (aka blue screen). The following is actually useful in identifying most of the problems:

1. The error code and the four parameters (hexadecimal numbers) at the top of the screen,
2. Note what modules are on the stack at the bottom of the screen
3. If Crashdump was enabled in the OS, you will see at the very bottom of the screen that the memory was dumped.

In the example of the blue screen below, you would report a bugcheck A in NDIS.SYS and LANCE.SYS on build 1381. The four parameters for the bugcheck were 0,1a, 0, and 0. It would be worth mentioning that a Crashdump file was created and a debugger is attached (as shown by the DSR + CTS indicators in the upper right corner). The dll bases and time stamps are NOT necessary.

DSR CTS
*** STOP: 0x0000000A (0x00000000,0x0000001a,0x00000000,0x00000000)
IRQL_NOT_LESS_OR_EQUAL

p4-0300 irql:1f SYSVER:0xf000030e

Dll Base DateStmp - Name 80100000 2e53fe55 - ntoskrnl.exe 80010000 2e41884b - Aha154x.sys 8001b000 2e4e7b6b - Scsidisk.sys fe420000 2e406607 - Floppy.SYS fe440000 2e406659 - Fs_Rec.SYS fe460000 2e4065f4 - Beep.SYS fe480000 2e42a4a4 - i8042prt.SYS fe4a0000 2e40660c - Kbdclass.SYS fe4b0000 2e53d49d - ati.SYS fe4e0000 2e406655 - Msfs.SYS fe510000 2e53f222 - NDIS.SYS fe550000 2e406697 - TDI.SYS fe560000 2e5279d9 - nwlnkipx.sys fe580000 2e494973 - tcpip.sys fe5b0000 2e5279d3 - netbt.sys fe5e0000 2e4066b3 - mup.sys fe630000 2e53f24a - srv.sys

Dll Base DateStmp - Name 80400000 2e53eba6 - hal.dll 80013000 2e4bc29a - SCSIPORT.SYS 80220000 2e53f238 - Ntfs.sys fe430000 2e406618 - Scsicdrm.SYS fe450000 2e40660f - Null.SYS fe470000 2e406634 - Sermouse.SYS fe490000 2e40660d - Mouclass.SYS fe4c0000 2e4065e2 - VIDEOPRT.SYS fe4d0000 2e4065e8 - vga.sys fe4f0000 2e414f30 - Npfs.SYS fe500000 2e40719b - lance.sys fe530000 2e47c740 - nbf.sys fe570000 2e53a89e - nwlnknb.sys fe5a0000 2e5256b8 - afd.sys fe5d0000 2e4167f7 - netbios.sys fe5f0000 2e4f9f51 - rdr.sys fe660000 2e516062 - nwlnkspx.sys

Address dword dump Build [1381] - Name
ff541e4c fe5105df fe5105df 00000001 ff640128 fe4a8228 000002fe - NDIS.SYS
ff541e60 fe501368 fe501368 00000246 00004002 00000000 00000000 - lance.sys
ff541eb4 fe481509 fe481509 ff6688c8 ff668288 00000000 ff668138 - i8042prt.SYS
ff541ee0 fe481ea8 fe481ea8 fe482078 00000000 ff541f04 8013c58a - i8042prt.SYS
ff541ee4 fe482078 fe482078 00000000 ff541f04 8013c58a ff6688c8 - i8042prt.sys
ff541ef0 8013c58a 8013c58a ff6688c8 ff668040 80405900 00000031 - ntoskrnl.exe
ff541efc 80405900 80405900 00000031 06060606 06060606 06060606 - hal.dll

Beginning dump of physical memory
Dumping physical memory to disk: 100
Physical memory dump complete

Troubleshooting Crashdump

When you setup your system up for recovery in the event a Stop error occurs a second pagefile may be created. If your pagefile is not located on the %SYSTEMROOT% partition you will receive the following message:

In order to create a debugging information file, the initial
pagefile size on volume "drive letter" must be at least
"amount of disk space" megabytes. The initial pagefile size
will be changed now.

The amount of disk space requested will be approximately equal to the amount of physical memory you have on the system plus 1MB. If there is not enough disk space available on the %SYSTEMROOT% partition you will receive the following message:

There is not enough free space on the boot drive to enable
crash recovery. At least "amount of disk space" megabytes
of free space on drive "drive letter" are needed. Please
free up some disk space and try again.

When the pagefile is not initially located on the %SYSTEMROOT% partition, a pagefile is created on the %SYSTEMROOT% to reserve adequate disk space for the dump file if a Stop error occurs. This is done to ensure the creation of the dump file.

This also eliminates the problem of the Memory.dmp file not being created if the paging file is not located on the %SYSTEMROOT% directory as noted in the following knowledge base article:

Although you can change the path for the location of the dump file using Control Panel, Windows NT® always writes the debugging information to the pagefile on the %SYSTEMROOT% partition first, and then moves the dump file to the path specified.

If Windows NT® Does Not Save Memory Dump File After a Crash

You can configure Windows NT® to dump system memory to a file called Memory.dmp when a severe error (called a STOP error or fatal system error) occurs. This log file can be valuable for debugging the cause of the STOP error.

NOTE: Before troubleshooting the problem, ensure that the computer is properly configured to save a crash dump file. For more information, see Chapter 5 of your Windows NT® Workstation or Windows NT® Server "System Guide."

The following are several reasons why the Memory.dmp file is not being created when your computer encounters a STOP message:

1. The Memory.dmp file already exists and the option Overwrite Any Existing File (found in Control Panel System) is not selected. It is a good idea to leave this box checked and to move or copy the current Memory.dmp file.

2. The paging file on the system drive is not large enough. To use the Write Debugging Information To feature, the paging file on the system drive must be large enough to hold all of physical RAM plus 1 megabyte.

3. The paging file is not on the system root partition. When the STOP error occurs, the system crash dump is written out to the pagefile on the root of the system drive (the drive of the %SYSTEMROOT% directory).

4. There is not room for the Memory.dmp file in the path specified in Control Panel for writing the memory dump.

5. It is possible that the SCSI controller is bad or the system crash is caused by a bad SCSI controller board.

6. Certain computers and SCSI controllers do not permit the crash dump information to be created. To determine if more information is available, query on the following words in the Microsoft Knowledge Base:

         <your computer model> and Memory.dmp