Decoding Windows Minidump Files: Inside the Crash Dump Structure

Most developers know that when a Windows program crashes you can generate a .dmp file and use it to locate the exact line of code that caused the crash.

But what information does a .dmp actually contain and how does it enable pinpointing the failure?

Below is an overview of the minidump structure, starting with the header.

typedef struct _MINIDUMP_HEADER {
  ULONG32 Signature;
  ULONG32 Version;
  ULONG32 NumberOfStreams;
  RVA      StreamDirectoryRva;
  ULONG32 CheckSum;
  union {
    ULONG32 Reserved;
    ULONG32 TimeDateStamp;
  };
  ULONG64 Flags;
} MINIDUMP_HEADER, *PMINIDUMP_HEADER;

The header acts as a guide, indicating the number of streams and their offsets within the file.

A minidump contains many streams; each stream stores a specific type of information. The full list of stream types is documented by Microsoft.

ThreadListStream

ModuleListStream

ExceptionStream

SystemInfoStream

MiscInfoStream

Details of the most useful streams are shown below.

ThreadListStream

typedef struct _MINIDUMP_THREAD {
  ULONG32 ThreadId;
  ULONG32 SuspendCount;
  ULONG32 PriorityClass;
  ULONG32 Priority;
  ULONG64 Teb;
  MINIDUMP_MEMORY_DESCRIPTOR Stack;
  MINIDUMP_LOCATION_DESCRIPTOR ThreadContext;
} MINIDUMP_THREAD, *PMINIDUMP_THREAD;

This stream provides ThreadId, priority, and stack information, helping you see how many threads existed at the crash moment.

ModuleListStream

typedef struct _MINIDUMP_MODULE {
  ULONG64 BaseOfImage;
  ULONG32 SizeOfImage;
  ULONG32 CheckSum;
  ULONG32 TimeDateStamp;
  RVA     ModuleNameRva;
  VS_FIXEDFILEINFO VersionInfo;
  MINIDUMP_LOCATION_DESCRIPTOR CvRecord;
  MINIDUMP_LOCATION_DESCRIPTOR MiscRecord;
  ULONG64 Reserved0;
  ULONG64 Reserved1;
} MINIDUMP_MODULE, *PMINIDUMP_MODULE;

It lists all PE modules loaded by the crashed process, including IDs, version info, and symbol data needed to match DLLs with their PDB files.

ExceptionStream

typedef struct _MINIDUMP_EXCEPTION {
  ULONG32 ExceptionCode;
  ULONG32 ExceptionFlags;
  ULONG64 ExceptionRecord;
  ULONG64 ExceptionAddress;
  ULONG32 NumberParameters;
  ULONG32 __unusedAlignment;
  ULONG64 ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} MINIDUMP_EXCEPTION, *PMINIDUMP_EXCEPTION;

typedef struct _MINIDUMP_EXCEPTION_INFORMATION {
  DWORD ThreadId;
  PEXCEPTION_POINTERS ExceptionPointers;
  BOOL ClientPointers;
} MINIDUMP_EXCEPTION_INFORMATION, *PMINIDUMP_EXCEPTION_INFORMATION;

This stream contains the ID of the crashing thread, the exception code, address, and parameters, allowing the debugger to reconstruct the call stack and locate the offending line.

SystemInfoStream

typedef struct _MINIDUMP_SYSTEM_INFO {
  USHORT ProcessorArchitecture;
  USHORT ProcessorLevel;
  USHORT ProcessorRevision;
  union {
    USHORT Reserved0;
    struct {
      UCHAR NumberOfProcessors;
      UCHAR ProductType;
    };
  };
  ULONG32 MajorVersion;
  ULONG32 MinorVersion;
  ULONG32 BuildNumber;
  ULONG32 PlatformId;
  RVA CSDVersionRva;
  union {
    ULONG32 Reserved1;
    struct {
      USHORT SuiteMask;
      USHORT Reserved2;
    };
  };
  CPU_INFORMATION Cpu;
} MINIDUMP_SYSTEM_INFO, *PMINIDUMP_SYSTEM_INFO;

Describes the system environment of the crashed process, such as OS version and CPU architecture.

MiscInfoStream

typedef struct _MINIDUMP_MISC_INFO {
  ULONG32 SizeOfInfo;
  ULONG32 Flags1;
  ULONG32 ProcessId;
  ULONG32 ProcessCreateTime;
  ULONG32 ProcessUserTime;
  ULONG32 ProcessKernelTime;
} MINIDUMP_MISC_INFO, *PMINIDUMP_MISC_INFO;

Provides process‑level details like ProcessId and creation time; together with the timestamp in the header you can calculate the program’s uptime.

The header also includes a timestamp indicating when the dump was created.

Additional streams such as MemoryInfoStream contain memory and disk usage details at the crash moment; a screenshot of this stream is shown below.

The overall dump layout is illustrated in the following diagram (original high‑resolution image available on request).

For more information see the official Windows Minidump API documentation and the referenced articles.