This means that the DTB (page directory) for the process doesn&#39;t appear valid, which is typically because the process has exited (although the _EPROCESS structure itself may still exist, its page tables can be corrupt). Can you check the exit time for this process with pslist or psscan?<div>
<br></div><div>MHL<br><div><br><div class="gmail_quote">On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <span dir="ltr">&lt;<a href="mailto:robdewhirst@gmail.com" target="_blank">robdewhirst@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Have never seen this error when trying to dump a process.  Any<br>
suggestions? tried -u as well with the same results.<br>
<br>
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684<br>
Volatile Systems Volatility Framework 2.2<br>
Process(V) ImageBase  Name                 Result<br>
---------- ---------- -------------------- ------<br>
0x89b1e020 ---------- redactedxxxxx.e      Error: Cannot acquire process AS<br>
_______________________________________________<br>
Vol-users mailing list<br>
<a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
</blockquote></div><br></div></div>