{"id":2463,"date":"2015-02-18T21:29:02","date_gmt":"2015-02-18T20:29:02","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=2463"},"modified":"2015-02-19T09:29:26","modified_gmt":"2015-02-19T08:29:26","slug":"windows-initate-a-kernel-memory-dump","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-initate-a-kernel-memory-dump\/","title":{"rendered":"Windows: Initiate a kernel memory dump"},"content":{"rendered":"<p>Hi,<\/p>\n<p>for deeper inspection of Windows it is sometimes necessary to take a memory dump of the machine and analyse it with tools like <a title=\"Volatility\" href=\"http:\/\/www.volatilityfoundation.org\/\" target=\"_blank\">Volatility<\/a>. Volatility reads the Windows crash dump format directly, but only a <em>complete<\/em> memory dump contains user-mode memory; a kernel or automatic dump omits the private pages of processes such as lsass.exe, so process-level analysis of such a dump stays incomplete.<\/p>\n<p>There are several ways to provoke Windows into writing a dump.<br \/>\n<!--more--><\/p>\n<p>Keep in mind that a complete memory dump is a copy of everything that was in RAM, including credentials, session tokens and cryptographic keys. Treat MEMORY.DMP like a credential store: keep its NTFS permissions restricted, move it only over encrypted channels and delete it once the analysis is done. The keyboard and NMI triggers below also let anyone at the console or on the hypervisor take the machine down at will, so enable them for the investigation and remove them afterwards.<\/p>\n<p>First of all, set the option so that Windows writes a complete memory dump. Do it with the GUI (System Properties &gt; Advanced &gt; Startup and Recovery &gt; Settings &gt; Write debugging information)<\/p>\n<figure id=\"attachment_2471\" aria-describedby=\"caption-attachment-2471\" style=\"width: 319px\" class=\"wp-caption alignnone\"><a href=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2015\/02\/Windows-memory-dump.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-2471 \" alt=\"Option to write a complete memory dump\" src=\"http:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2015\/02\/Windows-memory-dump.png\" width=\"319\" height=\"375\" srcset=\"https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2015\/02\/Windows-memory-dump.png 399w, https:\/\/michlstechblog.info\/blog\/wp-content\/uploads\/2015\/02\/Windows-memory-dump-255x300.png 255w\" sizes=\"auto, (max-width: 319px) 100vw, 319px\" \/><\/a><figcaption id=\"caption-attachment-2471\" class=\"wp-caption-text\">Option to write a complete memory dump<\/figcaption><\/figure>\n<p>or set the option directly in the registry. The value 1 means complete memory dump (2 = kernel memory dump, 3 = small memory dump, 7 = automatic memory dump on Windows 8 and later). The dump is written to the path in the <code>DumpFile<\/code> value of the same key, by default <code>%SystemRoot%\\MEMORY.DMP<\/code>. A complete dump is staged in the page file on the system drive, so that page file must be at least the size of physical RAM plus 1 MB unless a <code>DedicatedDumpFile<\/code> is configured; otherwise Windows silently writes no dump, or only a smaller one.<\/p>\n<pre><code>\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashControl]\r\n\"CrashDumpEnabled\"=dword:00000001<\/code><\/pre>\n<p><em><strong>1. 
CrashOnCtrlScroll<\/strong><\/em><\/p>\n<p>Set the following registry values. <code>i8042prt<\/code> serves PS\/2 keyboards and <code>kbdhid<\/code> USB HID keyboards; a Hyper-V guest additionally needs the same value under <code>services\\hyperkbd\\Parameters<\/code> for its synthetic keyboard.<\/p>\n<pre><code>Windows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\i8042prt\\Parameters]\r\n\"CrashOnCtrlScroll\"=dword:00000001\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\kbdhid\\Parameters]\r\n\"CrashOnCtrlScroll\"=dword:00000001\r\n<\/code><\/pre>\n<p>After rebooting your box, log on, then hold down the right CTRL key and press ScrollLock twice. Windows should crash with a BSOD, stop code 0xE2 (MANUALLY_INITIATED_CRASH). If nothing happens, check in Device Manager which driver actually serves your keyboard and that the value is set under that driver's Parameters key.<\/p>\n<p>Note: This only works at the physical console, not in an RDP session, because the key combination is recognised by the driver for the physical keyboard. Keystrokes in a VMware ESXi console session do work.<\/p>\n<p><em><strong>2. NMI (Non maskable interrupt)<\/strong><\/em><\/p>\n<p>An NMI can be triggered either by a physical hardware button (or the server's management controller) or, in virtualisation environments, by command line tools. The resulting stop code is 0x80 (NMI_HARDWARE_FAILURE).<\/p>\n<p>Prepare the Windows system by setting the following value. It is required up to Windows 7 and Windows Server 2008 R2; from Windows 8 and Windows Server 2012 on, an NMI bugchecks the system even without it.<\/p>\n<pre><code>\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CrashControl]\r\n\"NMICrashDump\"=dword:00000001<\/code><\/pre>\n<p>Reboot Windows and test it. If Windows is a guest in a VirtualBox VM:<\/p>\n<p>Identify your VM<\/p>\n<p><code><strong>c:\\&gt; VBoxManage.exe list vms<\/strong><br \/>\n\"Windows VM\" {1ee41509-843f-4dea-bdb7-2dc2bd001ea4}<br \/>\n<\/code><br \/>\nand trigger the NMI<br \/>\n<code><strong>c:\\&gt; VBoxManage.exe debugvm \"Windows VM\" injectnmi<\/strong><\/code><\/p>\n<p>Or as a guest on a VMware ESXi server<\/p>\n<p>Log in to the ESXi console or via SSH and determine the world ID of the VM<\/p>\n<pre><code>\r\n<strong>~ # esxcli vm process list | grep -A 1 Win<\/strong>\r\nWindows VM\r\n   World ID: 23445477\r\n--\r\n<\/code><\/pre>\n<p>and send the NMI<br \/>\n<code><strong>~ # vmdumper 23445477 nmi<\/strong><br \/>\nSending NMI to guest...<\/code><\/p>\n<p>Note that the hypervisor operator who can inject an NMI could equally take a memory snapshot of the VM without the guest's cooperation; inside the guest the NMI is indistinguishable from a hardware fault, so document the test to avoid a false hardware incident.<\/p>\n<p>I 
have written a small PowerShell script which sets and unsets the registry keys for CrashOnCtrlScroll and NMI. It also enables the Windows crash dump and sets &#8220;Write debugging information&#8221; to &#8220;complete memory dump&#8221;.<\/p>\n<p>Enable the crash dump, CrashOnCtrlScroll and NMI with<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS c:\\&gt; CrashControl.ps1 -e\r\n<\/pre>\n<p>Disable them with<\/p>\n<pre class=\"brush: powershell; title: ; notranslate\" title=\"\">\r\nPS c:\\&gt; CrashControl.ps1 -d\r\n<\/pre>\n<p><em><strong>3. NotMyFault<\/strong><\/em><\/p>\n<p>Microsoft's Sysinternals suite offers the command line tool <a title=\"Sysinternals NotMyFault\" href=\"http:\/\/download.sysinternals.com\/files\/NotMyFault.zip\" target=\"_blank\">NotMyFault<\/a> to initiate a crash dump. It loads a kernel driver to do so, so run it from an elevated command prompt, and expect endpoint protection to flag the driver load.<\/p>\n<p>Usage is very simple \ud83d\ude42<br \/>\n<code>c:\\&gt; notmyfault.exe \/crash<\/code><br \/>\nIf you want to enforce a specific bugcheck code, pass it with the \/bugcheck parameter, e.g. 0x7b:<br \/>\n<code>c:\\&gt; notmyfault.exe \/bugcheck 0x7b<\/code><br \/>\nNotMyFault also has an interactive mode. To enter it, start NotMyFault without any command line option.<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, for deeper inspection of Windows it is sometimes necessary to take a memory dump of the machine and analyse it with tools like Volatility. 
There are several ways to provoke windows to write a dump.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[466,5,4],"tags":[601,604,602,603,606,17,605,20],"class_list":["post-2463","post","type-post","status-publish","format-standard","hentry","category-security","category-windowsknowhow","category-windowsscripts","tag-crash","tag-crashonctrlscroll","tag-dump","tag-nmi","tag-notmyfault","tag-virtualbox","tag-vmdumper","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=2463"}],"version-history":[{"count":18,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2463\/revisions"}],"predecessor-version":[{"id":2483,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/2463\/revisions\/2483"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=2463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=2463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=2463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
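The post's own CrashControl.ps1 is not reproduced above. The script below is an added example written for this page, not the author's script and not a Sysinternals or Microsoft tool: it sets and removes the registry values from sections 1 and 2 (CrashDumpEnabled, NMICrashDump, CrashOnCtrlScroll for the i8042prt and kbdhid drivers) and, as a check the post does not perform, reports whether the page file on the system drive is large enough for a complete memory dump. The hyperkbd driver entry is an assumption for Hyper-V guests; the -Enable, -Disable and -Status switch names are this example's choice, not the -e/-d switches of the original script.

```powershell
#Requires -RunAsAdministrator
<#
  Example CrashControl.ps1 (added illustration, not the post author's script).
  Prepares a Windows box so that a complete memory dump can be forced via the
  keyboard (CrashOnCtrlScroll), via NMI, or via NotMyFault, and reports whether
  the prerequisites for a complete dump are met.

  Usage (elevated PowerShell; reboot before testing the keyboard/NMI triggers):
    .\CrashControl.ps1 -Enable
    .\CrashControl.ps1 -Disable
    .\CrashControl.ps1            # same as -Status
#>
[CmdletBinding(DefaultParameterSetName = 'Status')]
param(
    [Parameter(ParameterSetName = 'Enable')]  [switch]$Enable,
    [Parameter(ParameterSetName = 'Disable')] [switch]$Disable,
    [Parameter(ParameterSetName = 'Status')]  [switch]$Status
)

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
# Keyboard drivers that honour CrashOnCtrlScroll: PS/2 (i8042prt), USB HID
# (kbdhid) and, assumed here for Hyper-V guests, the synthetic keyboard (hyperkbd).
$KeyboardDrivers = 'i8042prt', 'kbdhid', 'hyperkbd'

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-ForcedDump {
    # 1 = complete memory dump (0 none, 2 kernel, 3 small, 7 automatic)
    Set-RegDword $CrashControl 'CrashDumpEnabled' 1
    # Needed on Windows 7 / Server 2008 R2 and older; harmless on newer versions
    Set-RegDword $CrashControl 'NMICrashDump' 1
    foreach ($drv in $KeyboardDrivers) {
        # Only touch drivers that exist on this box
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$drv") {
            Set-RegDword "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters" 'CrashOnCtrlScroll' 1
        }
    }
}

function Disable-ForcedDump {
    # Remove the crash *triggers* only. CrashDumpEnabled is left as is, because
    # switching it off also disables the dump for genuine crashes.
    foreach ($drv in $KeyboardDrivers) {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters"
        Remove-ItemProperty -Path $p -Name 'CrashOnCtrlScroll' -ErrorAction SilentlyContinue
    }
    Remove-ItemProperty -Path $CrashControl -Name 'NMICrashDump' -ErrorAction SilentlyContinue
}

function Get-ForcedDumpStatus {
    $cc = Get-ItemProperty -Path $CrashControl
    $cs = Get-CimInstance Win32_ComputerSystem
    $ramMB = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
    # A complete dump is staged in the page file on the system drive, which must
    # therefore be at least RAM + 1 MB unless DedicatedDumpFile is configured.
    $pf = Get-CimInstance Win32_PageFileSetting |
          Where-Object { $_.Name -like "$($env:SystemDrive)*" } | Select-Object -First 1
    $pageFileOk = if ($cc.DedicatedDumpFile) { 'n/a: DedicatedDumpFile set' }
                  elseif ($cs.AutomaticManagedPagefile -or -not $pf -or $pf.MaximumSize -eq 0) { 'system-managed: verify manually' }
                  else { $pf.MaximumSize -ge ($ramMB + 1) }
    $ctrlScroll = foreach ($drv in $KeyboardDrivers) {
        $v = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters" -ErrorAction SilentlyContinue
        if ($v.CrashOnCtrlScroll -eq 1) { $drv }
    }
    [pscustomobject]@{
        CrashDumpEnabled  = $cc.CrashDumpEnabled
        DumpFile          = $cc.DumpFile
        NMICrashDump      = $cc.NMICrashDump
        CrashOnCtrlScroll = ($ctrlScroll -join ',')
        RAM_MB            = $ramMB
        PageFileMax_MB    = if ($pf) { $pf.MaximumSize } else { $null }
        PageFileOk        = $pageFileOk
    }
}

switch ($PSCmdlet.ParameterSetName) {
    'Enable'  { Enable-ForcedDump;  Write-Host 'Enabled. Reboot before testing CrashOnCtrlScroll or NMI.' }
    'Disable' { Disable-ForcedDump; Write-Host 'Keyboard and NMI crash triggers removed.' }
    default   { Get-ForcedDumpStatus }
}
```

Run it with -Status before and after a forced crash: if PageFileOk is false the bugcheck still happens but Windows cannot write a complete dump, and a system-managed page file is deliberately reported as unverified rather than assumed sufficient. -Disable removes only the triggers, so a machine returns to its normal crash-dump behaviour once the investigation is over.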