Hi Michael, thanks for getting back to me. I'll give plist a try, time
it and report back. The wndscan did eventually finish by the next morning.
On 10/7/2013 12:13 PM, Michael Hale Ligh wrote:
  Todd,
 For best speed, I would suggest running Volatility on a Linux or Mac
 host machine. The first step in troubleshooting is to see if other
 commands also take a long time. How long does plist take?
 Thanks,
 Michael
 On Sun, Sep 15, 2013 at 7:17 PM, Todd A <starman617(a)gmail.com> wrote:
     Hi List,
     Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with
     32GB of RAM.
     I'm new to volatility and I'm attempting to use it to troubleshoot
     apps that don't play nice with the Windows clipboard. I'm using
     the steps here:
http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-C…
     I changed my registry to force a complete memory dump by setting
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
     to be 1. (http://support.microsoft.com/kb/969028)
     I used System Internal's NotMyFault tool with the /crash switch to
     create the dump.
     (https://code.google.com/p/volatility/wiki/CrashAddressSpace)
     The resulting c:\windows\memory.dmp file is about 34GB in size.
     When I launch volatility, this is as far as it gets:
         C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f c:\windows\memory.dmp --profile=Win7SP1x64 wndscan
         Volatile Systems Volatility Framework 2.2
     It has been showing this for close to 3.75 hours. Task Manager
     shows two instances of volatility-2.2.standalone.exe running, one
     at a constant 1,144K RAM usage, and the other instance with RAM
     usage constantly changing in the range of 58MB to 73MB, averaging
     13% CPU utilization. To me this indicates it is doing
     /something/ even if it is caught in an infinite loop.
     If it's reasonable for volatility to run this long and longer,
     I'll just be patient, though it would be helpful if someone could
     give me an idea of how long it might take.
     If this is taking too long, what can I do to troubleshoot what
     it's doing?
     Kind regards,
     Todd
     _______________________________________________
     Vol-users mailing list
     Vol-users(a)volatilityfoundation.org
     http://lists.volatilityfoundation.org/mailman/listinfo/vol-users