Hi George,
Yeah, I forgot that PAE images do not have to have page tables
aligned to page size. You are correct.
It would be interesting to know if the original address range was
captured in the image in the first place. As you pointed out that
address is toward the top end of the address range on 32 bit machines.
I know that win32dd has a bug where it would truncate the image short
(thus missing the top of the address space) but I thought this was
fixed in dumpit (see Issue 198
https://code.google.com/p/volatility/issues/detail?id=198)
Is the address 3476263616 (0xcf3392c0) within the image? Is the image
at least 3.4 GB large? Do both images produced from the different
tools have the same size?
Michael.
On 30 October 2012 22:49, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Rob,
Glad that you solved your problem. Just to clarify something, if PAE is
enabled the DirectoryTableBase member of the _KPROCESS structure contains
the physical address of the PDP which is aligned along 20h byte boundaries
and not page boundaries. See e.g.
PROCESS 85ba45e8 SessionId: 0 Cid: 090c Peb: 7ffd8000 ParentCid: 0228
DirBase: 7ef6c400 ObjectTable: 98a20180 HandleCount: 350.
Image: svchost.exe
0: kd> dq /p /c2 7ef6c400 L4
7ef6c400 00000000`26f2e801 00000000`086bf801
7ef6c410 00000000`27100801 00000000`26d69801
The physical address cf3392c0h is aligned for a possible x86 PDP, except
that it is within a physical address range that typically is reserved for
use by the PCI bus (c0000000h-100000000h). However, some recent AMD systems
have begun using some addresses above c0000000h for RAM physical addresses.
So without knowing more about the design of the system and motherboard
chipset I cannot say whether or not that is a valid PDP physical address
(assuming that you have PAE enabled, which is typical for server systems).
I suppose that you rebooted the system in between samples so that we cannot
compare the DTB values from the two memory "dumps" directly?
Regards,
George.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
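The two questions raised in this thread (does the candidate DirectoryTableBase even fall inside the captured image, and is it shaped like a PAE PDPT) can be checked mechanically against a raw dump. The script below is an added example written for this thread; it is not Volatility, win32dd or DumpIt code. It assumes a flat raw image where file offset equals physical address with no gaps (a simplification), and builds a small constructed image whose PDPT layout mimics the windbg output quoted above (32-byte aligned, four 8-byte entries with present bit set). The function names and sample values are my own.

```python
"""Sanity checks on a candidate PAE DirectoryTableBase (DTB) against a raw
physical-memory image.  Added example for this thread, not Volatility or
any acquisition tool's own code.  Assumes a flat raw image (offset ==
physical address, no gaps), which is a simplification of real dumps."""
import struct

PDPT_SIZE = 0x20                          # PAE PDPT: 4 entries x 8 bytes, 32-byte aligned (CR3 bits 5..31)
PAGE_SIZE = 0x1000
PDPTE_PRESENT = 1 << 0
PDPTE_ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: physical address of the page directory
PDPTE_RESERVED_MASK = 0b1_1110_0110       # bits 1-2 and 5-8 of a PAE PDPTE must be zero


def pae_dtb_aligned(dtb):
    """A PAE DTB only needs 32-byte alignment, not page alignment."""
    return dtb % PDPT_SIZE == 0


def required_image_size(dtb):
    """Smallest image (in bytes) that still contains the whole PDPT at `dtb`."""
    return dtb + PDPT_SIZE


def dtb_in_image(dtb, image_size):
    """True if the full 32-byte PDPT at `dtb` lies inside an image of `image_size` bytes.
    A truncated acquisition (image shorter than the top of RAM) fails this check."""
    return dtb >= 0 and required_image_size(dtb) <= image_size


def read_pae_pdpt(image, dtb):
    """Return the four raw 64-bit PDPT entries stored at physical offset `dtb`."""
    if not dtb_in_image(dtb, len(image)):
        raise ValueError("DTB 0x%x is outside the %d-byte image" % (dtb, len(image)))
    return list(struct.unpack_from("<4Q", image, dtb))


def plausible_pae_pdpt(image, dtb):
    """Heuristic: aligned, inside the image, at least one entry present, and every
    present entry has its reserved bits clear and points at a page inside the image."""
    if not pae_dtb_aligned(dtb) or not dtb_in_image(dtb, len(image)):
        return False
    present = [e for e in read_pae_pdpt(image, dtb) if e & PDPTE_PRESENT]
    if not present:
        return False
    for entry in present:
        if entry & PDPTE_RESERVED_MASK:
            return False
        page_dir = entry & PDPTE_ADDR_MASK
        if page_dir + PAGE_SIZE > len(image):
            return False
    return True


def build_sample_image():
    """Constructed 64 KiB image (not from a real dump).  A valid-looking PDPT sits at
    0x7400 pointing at pages 0x2000..0x5000; three deliberately bad PDPTs follow it."""
    img = bytearray(0x10000)
    struct.pack_into("<4Q", img, 0x7400, 0x2801, 0x3801, 0x4801, 0x5801)  # good
    struct.pack_into("<4Q", img, 0x7420, 0x2807, 0, 0, 0)                 # reserved bits set
    # 0x7440 left all-zero: no present entries
    struct.pack_into("<4Q", img, 0x7460, 0x20001, 0, 0, 0)                # points past the image
    return bytes(img)


if __name__ == "__main__":
    # The address from the thread, against a 3 GiB and a 4 GiB image
    dtb = 0xCF3392C0
    print("aligned:", pae_dtb_aligned(dtb), "needs >=", required_image_size(dtb), "bytes")
    print("in 3 GiB image:", dtb_in_image(dtb, 3 * 1024 ** 3))
    print("in 4 GiB image:", dtb_in_image(dtb, 4 * 1024 ** 3))
    img = build_sample_image()
    for candidate in (0x7400, 0x7410, 0x7420, 0x7440, 0x7460):
        print("0x%x plausible PDPT:" % candidate, plausible_pae_pdpt(img, candidate))
```

On a real acquisition, run `required_image_size` against the file size of each dump first; if one tool's image is shorter than the other's, the DTB question is answered by the truncation rather than by the PDPT contents. The plausibility heuristic only rejects obviously malformed tables; it cannot tell a PDPT from arbitrary data that happens to satisfy the bit constraints.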