This means that the DTB (page directory) for the process doesn't appear
valid, which is typically because the process has exited (although the
_EPROCESS structure itself may still exist, its page tables can be
corrupt). Can you check the exit time for this process with pslist or
psscan?
MHL
On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
Have never seen this error when trying to dump a process. Any
suggestions? Tried -u as well with the same results.
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users