Geoff Chappell, Software Analyst
The SYSTEM_CRASH_DUMP_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemCrashDumpInformation (0x20). This information class is valid only in versions 3.50 to 5.0.
The SYSTEM_CRASH_DUMP_INFORMATION structure is not documented.
Its only known disclosure by Microsoft is in type information such as Microsoft nowadays includes with public symbol files. For this old structure, however, the type information is instead in two statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51 and SHELL32.LIB from the DDK for Windows NT 4.0.
The SYSTEM_CRASH_DUMP_INFORMATION structure is 4 bytes in its original form but is 8 bytes in version 5.0.
Offset | Definition | Versions | Remarks
---|---|---|---
0x00 | HANDLE CrashDumpSection; | 3.50 to 5.0 | last member in 3.50 to 4.0
0x04 | unknown dword | 5.0 only |
If the kernel has created a section in anticipation of ever writing a crash dump file, then the CrashDumpSection is a new handle to that section (with SECTION_MAP_READ access). Otherwise, CrashDumpSection is NULL. (Perhaps as a coding error, failure to create a handle, which would be unusual and causes the query to fail, induces the kernel to forget that it has created the section.)
In version 5.0, the kernel must already have a dump control block else the query fails (returning STATUS_NOT_FOUND). The new member is then zero. Its purpose is unknown.
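The following is an added example, not code from this page or from Microsoft, showing how a caller would size the output buffer for the version it runs on, decode what comes back, and treat the returned section handle as one it now owns. The fixed-width decoder builds on any host; the part that actually calls NtQuerySystemInformation is guarded for Windows and resolves the function from ntdll at run time. The sample buffer and the handle value 0x44 in it are constructed for illustration, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* SystemCrashDumpInformation is information class 0x20, as stated above. */
#define SYSTEM_CRASH_DUMP_INFORMATION_CLASS 0x20u

/* Layout as described above: a 32-bit HANDLE at offset 0x00 (versions 3.50 to
   5.0) and, in version 5.0 only, a dword at offset 0x04 of unknown purpose.
   Fixed-width fields are used so the decoder compiles on any host; on the
   32-bit NT builds this structure belongs to, HANDLE is itself 4 bytes. */
typedef struct {
    uint32_t CrashDumpSection;  /* new handle to the crash-dump section, or NULL */
    uint32_t Unknown;           /* version 5.0 only; observed as zero */
} crash_dump_info_t;

/* Output-buffer length the query produces for NT version major.minor, or 0 if
   the information class is not valid in that version. */
size_t crash_dump_info_length(unsigned major, unsigned minor)
{
    if (major == 3 && (minor == 50 || minor == 51)) return 4;
    if (major == 4 && minor == 0) return 4;
    if (major == 5 && minor == 0) return 8;
    return 0;
}

/* Little-endian 32-bit read, matching the x86 targets these versions ran on. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the bytes the query returned for the given version.
   Returns 0 on success, -1 if the length is not what that version produces. */
int crash_dump_info_decode(const uint8_t *buf, size_t len,
                           unsigned major, unsigned minor, crash_dump_info_t *out)
{
    size_t expect = crash_dump_info_length(major, minor);
    if (expect == 0 || len != expect) return -1;
    out->CrashDumpSection = read_le32(buf);
    out->Unknown = (expect == 8) ? read_le32(buf + 4) : 0;
    return 0;
}

/* Constructed sample: what a version 5.0 query might return when a section
   exists. The handle value 0x44 is made up for illustration. */
static const uint8_t sample_v50[8] = { 0x44, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00 };

#ifdef _WIN32
#include <windows.h>
typedef LONG NTSTATUS;
#define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225L)
typedef NTSTATUS (NTAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);

/* Query the live system. Returns the NTSTATUS from ntdll. On success *section
   is the handle the kernel returned (a fresh handle with SECTION_MAP_READ
   access, or NULL); the caller owns it and must CloseHandle a non-NULL value. */
NTSTATUS query_crash_dump_section(unsigned major, unsigned minor, HANDLE *section)
{
    uint8_t buf[8];
    ULONG len = (ULONG)crash_dump_info_length(major, minor), ret = 0;
    crash_dump_info_t info;
    NtQuerySystemInformation_t fn = (NtQuerySystemInformation_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    NTSTATUS st;

    *section = NULL;
    if (!fn || len == 0) return (NTSTATUS)0xC0000002L;  /* STATUS_NOT_IMPLEMENTED */
    st = fn(SYSTEM_CRASH_DUMP_INFORMATION_CLASS, buf, len, &ret);
    if (st == STATUS_NOT_FOUND) return st;   /* 5.0: no dump control block yet */
    if (st >= 0 && crash_dump_info_decode(buf, len, major, minor, &info) == 0)
        *section = (HANDLE)(uintptr_t)info.CrashDumpSection;
    return st;
}
#endif
```

The decoder rejects a buffer whose length does not match the version, which is the mistake most likely when code written against the 4-byte form is run on version 5.0. Because the section handle is a new one created for the caller, leaving it open on every query leaks a handle per call.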