The key/data is probably paged out; it happens sometimes. You can
verify if there is anything there by examining the keys manually.
First you should find the CurrentControlSet (or you can look at all of
them if you don't know) and then use printkey (assuming controlset is
ControlSet001):
$ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K "ControlSet001\Control\Session Manager\AppCompatCache"
Let me know if you find something.
All the best,
-gleeda
On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort(a)effu.se> wrote:
I look at mostly Win7/64 systems and have always found
shimcache data in memory images before. In the last several weeks only about 50% of the
images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have
been all this time).
While not strictly a Volatility issue, could someone explain under what circumstances the
data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1
and part 2 on my bookshelf, waiting...)
Thanks!
--
chort
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92