[Vol-users] How long should it take to run 'wndscan' on 32+G Win7 64bit memory dump?

Michael Hale Ligh michael.hale at gmail.com
Mon Oct 7 14:13:45 CDT 2013


For best speed, I would suggest running Volatility on a Linux or Mac host
machine. The first step in troubleshooting is to see if other commands also
take a long time. How long does plist take?


On Sun, Sep 15, 2013 at 7:17 PM, Todd A <starman617 at gmail.com> wrote:

>  Hi List,
> Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with 32GB of
> RAM.
> I'm new to volatility and I'm attempting to use it to troubleshoot apps
> that don't play nice with the Windows clipboard. I'm using the steps here:
> http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-Clipboard-Monitoring-Malware-with-Volatility.html
> I changed my registry to force a complete memory dump by setting
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
> to be 1. (http://support.microsoft.com/kb/969028)
> I used System Internal's NotMyFault tool with the /crash switch to create
> the dump. (https://code.google.com/p/volatility/wiki/CrashAddressSpace)
> The resulting c:\windows\memory.dmp file is about 34GB in size.
> When I launch volatility, this is as far as it gets:
> C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f
> c:\windows\memory.dmp --profile=Win7SP1x64 wndscan
> Volatile Systems Volatility Framework 2.2
> It has been showing this for close to 3.75 hours. Task Manager shows two
> instances of volatility-2.2.standalone.exe running, one at a constant
> 1,144K RAM usage, and the other instance with RAM usage constantly changing
> in the range of 58MB to 73MB, averaging 13% CPU utilization. To mean this
> indicates it is doing *something* even if it is caught in an infinite
> loop.
> If it's reasonable for volatility to run this long and longer, I'll just
> be patient, though it would be helpful if someone could give me an idea of
> how long it might take.
> If this is taking too long, what can I do to troubleshoot what it's doing?
> Kind regards,
> Todd
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20131007/2c1ad780/attachment-0001.html

More information about the Vol-users mailing list