Decoding Windows Minidump Files: Structures, Streams, and Debugging Insights

What a Minidump Is

When a Windows program crashes, developers can generate a minidump (dmp) file via API calls or the system. The dmp contains a snapshot of the process state that can be used to locate the exact line of code that caused the crash.

Minidump Header

The file starts with a MINIDUMP_HEADER structure that points to a directory of streams.

typedef struct _MINIDUMP_HEADER {
  ULONG32 Signature;
  ULONG32 Version;
  ULONG32 NumberOfStreams;
  RVA     StreamDirectoryRva;
  ULONG32 CheckSum;
  union { ULONG32 Reserved; ULONG32 TimeDateStamp; };
  ULONG64 Flags;
} MINIDUMP_HEADER, *PMINIDUMP_HEADER;

The TimeDateStamp field records when the dump was created, which can be compared with the process creation time from other streams to calculate the program's uptime.

Stream Types

Each stream stores a specific kind of information. The full list is defined by the MINIDUMP_STREAM_TYPE enum (see Microsoft documentation). The most relevant streams for crash analysis are:

ThreadListStream

ModuleListStream

ExceptionStream

SystemInfoStream

MiscInfoStream

ThreadListStream

Contains information about every thread in the process at the time of the crash.

typedef struct _MINIDUMP_THREAD {
  ULONG32 ThreadId;
  ULONG32 SuspendCount;
  ULONG32 PriorityClass;
  ULONG32 Priority;
  ULONG64 Teb;
  MINIDUMP_MEMORY_DESCRIPTOR Stack;
  MINIDUMP_LOCATION_DESCRIPTOR ThreadContext;
} MINIDUMP_THREAD, *PMINIDUMP_THREAD;

Fields such as ThreadId, Priority, and Stack help determine how many threads were running and which one crashed.

ModuleListStream

Lists all PE modules (DLLs and EXEs) loaded by the process, together with version and symbol information.

typedef struct _MINIDUMP_MODULE {
  ULONG64 BaseOfImage;
  ULONG32 SizeOfImage;
  ULONG32 CheckSum;
  ULONG32 TimeDateStamp;
  RVA     ModuleNameRva;
  VS_FIXEDFILEINFO VersionInfo;
  MINIDUMP_LOCATION_DESCRIPTOR CvRecord;
  MINIDUMP_LOCATION_DESCRIPTOR MiscRecord;
  ULONG64 Reserved0;
  ULONG64 Reserved1;
} MINIDUMP_MODULE, *PMINIDUMP_MODULE;

This stream is crucial for matching loaded DLLs to their corresponding PDB symbol files during debugging.

ExceptionStream

Describes the exception that caused the crash, including the faulting address and exception code.

typedef struct _MINIDUMP_EXCEPTION {
  ULONG32 ExceptionCode;
  ULONG32 ExceptionFlags;
  ULONG64 ExceptionRecord;
  ULONG64 ExceptionAddress;
  ULONG32 NumberParameters;
  ULONG32 __unusedAlignment;
  ULONG64 ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} MINIDUMP_EXCEPTION, *PMINIDUMP_EXCEPTION;

typedef struct _MINIDUMP_EXCEPTION_INFORMATION {
  DWORD ThreadId;
  PEXCEPTION_POINTERS ExceptionPointers;
  BOOL ClientPointers;
} MINIDUMP_EXCEPTION_INFORMATION, *PMINIDUMP_EXCEPTION_INFORMATION;

Using the ExceptionAddress together with symbol information from the ModuleListStream yields a full call stack with file names, line numbers, and function names.

SystemInfoStream

Provides details about the operating system and CPU where the crash occurred.

typedef struct _MINIDUMP_SYSTEM_INFO {
  USHORT ProcessorArchitecture;
  USHORT ProcessorLevel;
  USHORT ProcessorRevision;
  union {
    USHORT Reserved0;
    struct { UCHAR NumberOfProcessors; UCHAR ProductType; };
  };
  ULONG32 MajorVersion;
  ULONG32 MinorVersion;
  ULONG32 BuildNumber;
  ULONG32 PlatformId;
  RVA CSDVersionRva;
  union {
    ULONG32 Reserved1;
    struct { USHORT SuiteMask; USHORT Reserved2; };
  };
  CPU_INFORMATION Cpu;
} MINIDUMP_SYSTEM_INFO, *PMINIDUMP_SYSTEM_INFO;

This stream tells you the Windows version, build number, and CPU architecture, which can be essential when reproducing the crash on a different machine.

MiscInfoStream

Contains miscellaneous process information such as process ID and timestamps.

typedef struct _MINIDUMP_MISC_INFO {
  ULONG32 SizeOfInfo;
  ULONG32 Flags1;
  ULONG32 ProcessId;
  ULONG32 ProcessCreateTime;
  ULONG32 ProcessUserTime;
  ULONG32 ProcessKernelTime;
} MINIDUMP_MISC_INFO, *PMINIDUMP_MISC_INFO;

Combined with the header timestamp, you can compute how long the process had been running before it crashed.

Other Useful Streams

Although not covered in depth, streams like MemoryInfoStream provide detailed memory and disk usage at crash time, which can help diagnose out‑of‑memory conditions.

Visual Overview

The following images illustrate the overall layout of a minidump file and an example of the MemoryInfoStream content.

References

Microsoft Minidump API documentation: https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/

Minidump format description: https://formats.kaitai.io/windows_minidump/index.html

PDB format and matching: https://www.debuginfo.com/articles/debuginfomatch.html#pdbfiles

Breakpad stack walking guide: https://chromium.googlesource.com/breakpad/breakpad/+/master/docs/stack_walking.md