<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Michael, thanks for getting back to me. I'll give plist a try,
    time it and report back. The wndscan did eventually finish by the
    next morning.<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 10/7/2013 12:13 PM, Michael Hale
      Ligh wrote:<br>
    </div>
    <blockquote
cite="mid:CAFM6LVDAD4KncSg-WHjn9S2+_8Vc4iRfNm=vBX8s1vaAx6uWJQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Todd,&nbsp;
        <div><br>
        </div>
        <div>For best speed, I would suggest running Volatility on a
          Linux or Mac host machine. The first step in troubleshooting
          is to see if other commands also take a long time. How long
          does plist take?&nbsp;</div>
        <div><br>
        </div>
        <div>Thanks,</div>
        <div>Michael</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sun, Sep 15, 2013 at 7:17 PM, Todd A
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:starman617@gmail.com" target="_blank">starman617@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi List,<br>
              <br>
              Running volatility-2.2.standalone.exe on Win7 Pro 64bit
              AMD with 32GB of RAM.<br>
              <br>
              I'm new to volatility and I'm attempting to use it to
              troubleshoot apps that don't play nice with the Windows
              clipboard. I'm using the steps here:
              <a moz-do-not-send="true"
href="http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-Clipboard-Monitoring-Malware-with-Volatility.html"
                target="_blank">http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-Clipboard-Monitoring-Malware-with-Volatility.html</a><br>
              <br>
              I changed my registry to force a complete memory dump by
              setting
              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled

              to be 1. (<a moz-do-not-send="true"
                href="http://support.microsoft.com/kb/969028"
                target="_blank">http://support.microsoft.com/kb/969028</a>)<br>
              <br>
              I used Sysinternals' NotMyFault tool with the /crash
              switch to create the dump. (<a moz-do-not-send="true"
                href="https://code.google.com/p/volatility/wiki/CrashAddressSpace"
                target="_blank">https://code.google.com/p/volatility/wiki/CrashAddressSpace</a>)<br>
              <br>
              The resulting c:\windows\memory.dmp file is about 34GB in
              size.<br>
              <br>
              When I launch volatility, this is as far as it gets:<br>
              <blockquote>C:\Users\taa\Downloads&gt;volatility-2.2.standalone.exe

                -f c:\windows\memory.dmp --profile=Win7SP1x64 wndscan<br>
                Volatile Systems Volatility Framework 2.2<br>
              </blockquote>
              It has been showing this for close to 3.75 hours. Task
              Manager shows two instances of
              volatility-2.2.standalone.exe running, one at a constant
              1,144K RAM usage, and the other instance with RAM usage
              constantly changing in the range of 58MB to 73MB,
              averaging 13% CPU utilization. To me this indicates it
              is doing <i>something</i> even if it is caught in an
              infinite loop.<br>
              <br>
              If it's reasonable for volatility to run this long and
              longer, I'll just be patient, though it would be helpful
              if someone could give me an idea of how long it might
              take.<br>
              <br>
              If this is taking too long, what can I do to troubleshoot
              what it's doing?<br>
              <br>
              Kind regards,<br>
              Todd<br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>