Re: [Vol-users] How long should it take to run 'wndscan' on 32+G Win7 64bit memory dump?

Hi List, Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with 32GB of RAM. I'm new to volatility and I'm attempting to use it to troubleshoot apps that don't play nice with the Windows clipboard. I'm using the steps here: http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-C… I changed my registry to force a complete memory dump by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled to be 1. (http://support.microsoft.com/kb/969028) I used System Internal's NotMyFault tool with the /crash switch to create the dump. (https://code.google.com/p/volatility/wiki/CrashAddressSpace) The resulting c:\windows\memory.dmp file is about 34GB in size. When I launch volatility, this is as far as it gets: C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f c:\windows\memory.dmp --profile=Win7SP1x64 wndscan Volatile Systems Volatility Framework 2.2 It has been showing this for close to 3.75 hours. Task Manager shows two instances of volatility-2.2.standalone.exe running, one at a constant 1,144K RAM usage, and the other instance with RAM usage constantly changing in the range of 58MB to 73MB, averaging 13% CPU utilization. To mean this indicates it is doing *something* even if it is caught in an infinite loop. If it's reasonable for volatility to run this long and longer, I'll just be patient, though it would be helpful if someone could give me an idea of how long it might take. If this is taking too long, what can I do to troubleshoot what it's doing? Kind regards, Todd _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users