[Vol-users] How long should it take to run 'wndscan' on 32+G Win7 64bit memory dump?

Todd A starman617 at gmail.com
Thu Oct 10 10:06:56 CDT 2013


Hi Michael, thanks for getting back to me. I'll give plist a try, time 
it and report back. The wndscan did eventually finish by the next morning.


On 10/7/2013 12:13 PM, Michael Hale Ligh wrote:
> Todd,
>
> For best speed, I would suggest running Volatility on a Linux or Mac 
> host machine. The first step in troubleshooting is to see if other 
> commands also take a long time. How long does plist take?
>
> Thanks,
> Michael
>
>
> On Sun, Sep 15, 2013 at 7:17 PM, Todd A <starman617 at gmail.com 
> <mailto:starman617 at gmail.com>> wrote:
>
>     Hi List,
>
>     Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with
>     32GB of RAM.
>
>     I'm new to volatility and I'm attempting to use it to troubleshoot
>     apps that don't play nice with the Windows clipboard. I'm using
>     the steps here:
>     http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-Clipboard-Monitoring-Malware-with-Volatility.html
>
>     I changed my registry to force a complete memory dump by setting
>     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
>     to be 1. (http://support.microsoft.com/kb/969028)
>
>     I used System Internal's NotMyFault tool with the /crash switch to
>     create the dump.
>     (https://code.google.com/p/volatility/wiki/CrashAddressSpace)
>
>     The resulting c:\windows\memory.dmp file is about 34GB in size.
>
>     When I launch volatility, this is as far as it gets:
>
>         C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f
>         c:\windows\memory.dmp --profile=Win7SP1x64 wndscan
>         Volatile Systems Volatility Framework 2.2
>
>     It has been showing this for close to 3.75 hours. Task Manager
>     shows two instances of volatility-2.2.standalone.exe running, one
>     at a constant 1,144K RAM usage, and the other instance with RAM
>     usage constantly changing in the range of 58MB to 73MB, averaging
>     13% CPU utilization. To me this indicates it is doing
>     /something/ even if it is caught in an infinite loop.
>
>     If it's reasonable for volatility to run this long and longer,
>     I'll just be patient, though it would be helpful if someone could
>     give me an idea of how long it might take.
>
>     If this is taking too long, what can I do to troubleshoot what
>     it's doing?
>
>     Kind regards,
>     Todd
>
>     _______________________________________________
>     Vol-users mailing list
>     Vol-users at volatilityfoundation.org <mailto:Vol-users at volatilityfoundation.org>
>     http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
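
Before waiting hours on a plugin, it is worth confirming that memory.dmp is actually a complete memory dump (DumpType 1) of the right architecture, which is what the CrashAddressSpace linked above needs. The following is an added example, not code from the thread or from Volatility: a small Python parser for the DUMP_HEADER64 fields, using the field offsets of the 64-bit crash dump layout as I know them (0x88 for the physical memory descriptor, 0xF98 for DumpType); the sample header it checks is constructed, not a real dump.

```python
import struct

PAGE_SIZE = 0x1000
HEADER_SIZE = 0x2000  # DUMP_HEADER64 occupies the first two pages of the file
DUMP_TYPES = {1: "full", 2: "kernel", 5: "bitmap"}

def parse_dump_header64(hdr: bytes) -> dict:
    """Read the DUMP_HEADER64 fields that decide whether Volatility's crash
    address space will accept the file. Offsets follow the 64-bit dump layout."""
    if len(hdr) < HEADER_SIZE or hdr[:8] != b"PAGEDU64":
        raise ValueError("not a 64-bit crash dump header (expected PAGEDU64)")
    major, minor = struct.unpack_from("<II", hdr, 0x8)
    machine, ncpu, bugcheck = struct.unpack_from("<III", hdr, 0x30)
    # PHYSICAL_MEMORY_DESCRIPTOR64 at 0x88: NumberOfRuns, pad, NumberOfPages, Run[]
    nruns, npages = struct.unpack_from("<IxxxxQ", hdr, 0x88)
    runs = [struct.unpack_from("<QQ", hdr, 0x98 + 16 * i) for i in range(nruns)]
    dump_type = struct.unpack_from("<I", hdr, 0xF98)[0]  # 1 = complete memory dump
    return {"version": (major, minor), "machine": machine, "cpus": ncpu,
            "bugcheck": bugcheck, "dump_type": DUMP_TYPES.get(dump_type, dump_type),
            "runs": runs, "pages": npages,
            "expected_size": HEADER_SIZE + npages * PAGE_SIZE}

def check_full_dump(hdr: bytes, file_size: int) -> list:
    """Return the reasons a dump is unusable for full-memory analysis; [] is good."""
    info = parse_dump_header64(hdr)
    problems = []
    if info["dump_type"] != "full":
        problems.append("DumpType is %s, not a complete memory dump" % info["dump_type"])
    if info["machine"] != 0x8664:
        problems.append("MachineImageType 0x%x is not AMD64" % info["machine"])
    if file_size < info["expected_size"]:
        problems.append("file is %d bytes but header describes %d" % (file_size, info["expected_size"]))
    return problems

def build_sample_header(dump_type=1, runs=((1, 0x9E), (0x100, 0x7FFF00))) -> bytes:
    """Constructed header for testing (not a real dump): two runs, ~32 GB of RAM."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"PAGEDU64"
    struct.pack_into("<II", hdr, 0x8, 15, 7601)            # constructed Win7 SP1 build
    struct.pack_into("<III", hdr, 0x30, 0x8664, 8, 0xE2)   # AMD64, 8 CPUs, bugcheck 0xE2
    struct.pack_into("<IxxxxQ", hdr, 0x88, len(runs), sum(n for _, n in runs))
    for i, (base, count) in enumerate(runs):
        struct.pack_into("<QQ", hdr, 0x98 + 16 * i, base, count)
    struct.pack_into("<I", hdr, 0xF98, dump_type)
    return bytes(hdr)

if __name__ == "__main__":
    sample = build_sample_header()
    print(parse_dump_header64(sample), check_full_dump(sample, 34 * 1024**3))
```

On a real file, read the first 0x2000 bytes of memory.dmp and pass them with `os.path.getsize()`; a kernel-only dump or a truncated file shows up here in seconds rather than after hours of scanning.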
