[prev in list] [next in list] [prev in thread] [next in thread] 

List:       vol-users
Subject:    [Vol-users] How long should it take to run 'wndscan' on 32+G Win7 64bit memory dump?
From:       starman617 () gmail ! com (Todd A)
Date:       2013-09-15 12:58:37
Message-ID: 52364004.1070906 () gmail ! com
[Download RAW message or body]

Hi List,

Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with 32GB of 
RAM.

I'm new to volatility and I'm attempting to use it to troubleshoot apps 
that don't play nice with the Windows clipboard. I'm using the steps 
here: 
http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-Clipboard-Monitoring-Malware-with-Volatility.html


I changed my registry to force a complete memory dump by setting 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled 
to be 1. (http://support.microsoft.com/kb/969028)

I used System Internal's NotMyFault tool with the /crash switch to 
create the dump. 
(https://code.google.com/p/volatility/wiki/CrashAddressSpace)

The resulting c:\windows\memory.dmp file is about 34GB in size.

When I launch volatility, this is as far as it gets:

    C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f
    c:\windows\memory.dmp --profile=Win7SP1x64 wndscan
    Volatile Systems Volatility Framework 2.2

It has been showing this for close to 3.75 hours. Task Manager shows two 
instances of volatility-2.2.standalone.exe running, one at a constant 
1,144K RAM usage, and the other instance with RAM usage constantly 
changing in the range of 58MB to 73MB, averaging 13% CPU utilization. To 
mean this indicates it is doing /something/ even if it is caught in an 
infinite loop.

If it's reasonable for volatility to run this long and longer, I'll just 
be patient, though it would be helpful if someone could give me an idea 
of how long it might take.

If this is taking too long, what can I do to troubleshoot what it's doing?

Kind regards,
Todd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilesystems.com/pipermail/vol-users/attachments/20130915/29030dd1/attachment.html



[prev in list] [next in list] [prev in thread] [next in thread]