List:       focus-ms
Subject:    RE: Flushing DLLs follow-up
From:       DE VILLIERS IAN <ian.devilliers () bmw ! co ! za>
Date:       2001-10-24 7:13:14
The easiest way to do this is normally by using the Kill utility on the
Resource kit and killing the Winlogon service.  This requires administrative
rights though.

Alternatively, the last time I did this, I used a bug in NT/Win2K posted on
Bugtraq (My apologies - I have forgotten who posted the article but I assume
you can check it in the archives) for which there aren't fixes available yet
(to my knowledge).  This involves opening a DOS box, entering a command and
after entering the command, pressing F7 (to display the history) and Enter
in quick succession.  This causes a memory dump no matter which user account
is logged on.

Hope this helps.

Regards,

Ian de Villiers

-----Original Message-----
From: Frank Heyne [mailto:fh@rcs.urz.tu-dresden.de]
Sent: 24 October 2001 08:56
To: DE VILLIERS IAN; 'forensics@securityfocus.com';
'focus-ms@securityfocus.com'
Subject: RE: Flushing DLLs follow-up


On 24 Oct 01, at 8:21, DE VILLIERS IAN wrote:

> I used a reasonably effective although probably unorthodox way of dumping
> the memory to disk - check that your crash recovery options dump the
> complete RAM to disk and cause a blue screen.

How do you cause a blue screen on a fully patched system? Is it possible 
when you are logged on as a normal user or do you need to run under admin 
account to do this?

Greetings

Frank Heyne
