FortiEDR
Luke_FTNT (Staff)
Article Id 220461
Description This article describes how to deliberately trigger a Windows system crash for advanced troubleshooting, so that the contents of memory can be captured and analyzed.
Scope FortiEDR on Windows.
Solution

In some advanced troubleshooting cases, Fortinet TAC may request a 'complete' or 'full' memory dump from a Windows machine in order to analyze the contents of its memory.

This is very valuable for troubleshooting failures in a Collector involving drivers or other kernel-level activity.

To gather this memory dump, the system must be forcefully crashed. A common and trusted tool for this is Microsoft's NotMyFault.

NotMyFault can forcefully trigger system crashes, hang events and kernel memory leaks.

The scope of this article covers system crashes only.

NotMyFault can be downloaded here: https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault.

The download contains four executables: 32-bit and 64-bit versions of the graphical tool, a command-line version, and a version for Windows Nano Server.

Most commonly 'notmyfault64.exe' will be used.

The steps to run this tool are straightforward and outlined below:

1) Ensure that the system is configured to write a complete memory dump:

- Open the Windows menu, search for 'My Computer' and right-click on the result to choose Properties.

- Go to Advanced System Settings -> Advanced -> Startup and Recovery Settings -> Write debugging information.

- Select 'Complete Memory Dump' and leave the output file location as %SystemRoot%\MEMORY.DMP.

2) Open the NotMyFault executable for the system as administrator; NotMyFault requires administrative privileges to run.

3) Select the Crash heading and choose 'High IRQL fault (kernel-mode)'.

[Screenshot: NotMyFault overview (notmyfault-overview.png)]

4) Lastly, select Crash. The system will crash, present an error message and reboot. The reboot may take longer than a normal start-up while the dump is written, so be patient.

5) Once the system has rebooted, open File Explorer and navigate to %SystemRoot%\. A file named 'MEMORY.DMP' will be present; provide this file to Fortinet TAC for analysis.
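Steps 1 and 5 can be verified from an elevated PowerShell prompt rather than through the dialog and File Explorer. The script below is an added example and is not part of this article or of NotMyFault; it reads the standard CrashControl registry values that the Startup and Recovery dialog writes, and assumes the default dump path %SystemRoot%\MEMORY.DMP.

```powershell
# Added example (not from the article): confirm the complete-dump setting before
# crashing the machine with NotMyFault, and locate MEMORY.DMP after the reboot.
# Run from an elevated PowerShell session.

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Meaning of CrashDumpEnabled as documented by Microsoft.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}

function Test-CompleteDumpConfigured {
    $cfg      = Get-ItemProperty -Path $crashControl
    $type     = [int]$cfg.CrashDumpEnabled
    $dumpFile = [Environment]::ExpandEnvironmentVariables($cfg.DumpFile)
    Write-Host ("CrashDumpEnabled = {0} ({1})" -f $type, $dumpTypes[$type])
    Write-Host ("DumpFile         = {0}" -f $dumpFile)

    # A complete dump needs a paging file on the system drive at least as large as RAM,
    # so report the installed memory as a reminder to check the page file size.
    $ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    Write-Host ("Physical RAM     = {0} GB (page file must be at least this large)" -f $ramGB)

    return ($type -eq 1)
}

function Set-CompleteDump {
    # Same effect as selecting 'Complete Memory Dump' in the Startup and Recovery dialog.
    # Reboot after changing this so the setting is active before NotMyFault is used.
    Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $crashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
}

function Get-MemoryDumpInfo {
    # Run after the reboot in step 5 to confirm the dump was written and see its size.
    $path = Join-Path $env:SystemRoot 'MEMORY.DMP'
    if (-not (Test-Path $path)) { Write-Warning "No dump found at $path"; return $null }
    Get-Item $path | Select-Object FullName, LastWriteTime,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } }
}

if (-not (Test-CompleteDumpConfigured)) {
    Write-Warning 'Not configured for a complete dump; run Set-CompleteDump and reboot before using NotMyFault.'
}
```

A complete dump is roughly the size of installed RAM, so check free space on the system drive before crashing the machine.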
