Does Minidump dump contain the last file content from open editor?

Discussion in 'Windows 7 Blue Screen of Death (BSOD)' started by pstein, Aug 10, 2011.

  1. pstein

    pstein Honorable Member

    Mar 20, 2010
    Likes Received:
    Assume I work currently with MS Word and/or an text editor like wordpad.
    Then (suddenly) the system crashes with bluescreen.
    A Minidump is automatically created and saved in a Minidump file.

    After restart I am asked whether I want to send this minidump for further investigation to MS.

    Hmm, I wonder whether this Minidump file contains the full memory content.
    And if the memory content contains the current MS Word resp. current open file if editor.

    Both could contain sensitive business information which I don't want to pass outside.

    Is this the case?
    Does Minidump contain editor file contents?

  2. kemical

    kemical Windows Forum Admin
    Staff Member Premium Supporter Microsoft MVP

    Aug 28, 2007
    Likes Received:
    I very much doubt it. Why not post the dump and we/I will check it over to see the root cause.
  3. zigzag3143

    zigzag3143 Honorable Member
    Microsoft MVP

    Jun 2, 2009
    Likes Received:
    Even the verbose minidump only contains the memory addresses and what driver is using it. Since memory is dynamic there is no way but to capture it live as it is stored in memory. It will say (perhaps) that the active thread was MS Word and even that its drivers took up the memory addresses from xxxx to yyyy, but not the actual content of the memory registers.

    One way to verify that is to look at the size of the minidump. If you have small minidump checked in control panel it will be abt ~200Kb. If at the time of the crash you were using 2 gigs of RAM there is no way to store 2 gigs in 200K.

    There are other ways to verify it as well.

    Even law enforcement would have a really hard time getting that information
    #3 zigzag3143, Aug 10, 2011
    Last edited: Aug 10, 2011
    2 people like this.
  4. Mike

    Mike Windows Forum Admin
    Staff Member Premium Supporter

    Jul 22, 2005
    Likes Received:
    Windows Vista and above also use Address space layout randomization (ASLR) to randomize how memory is allocated for security purposes. Even if you could get the modules out on time, that would be difficult. Its not like you are always using the same memory space every time you launch a program, and even if you were, no one can get on your computer to access those allotted areas of memory any way. The practice of uploading minidumps is relatively secure and was designed for troubleshooting and debugging. It is similar to the way System Information (msinfo32) can be used to export a .NFO of your system without giving away important data like your license or registry keys. More robust applications that perform the same type of information output (AIDA64 comes to mind) will include stuff you may not want 3rd parties seeing if you're not careful. There was one instance where Windows XP keys were mass-searchable on Google because of an error in a software program that allowed you to put your system specs online. While the problem was fixed, search results were still very much present for a long time after, and with the perfect search string you could get these results, which included OEM and retail keys of various products installed on the system.

    Minidump files and NFO System Information dumps are relatively very secure to post online.

Share This Page