You need to install the free debugging tools from Microsoft. The tools come as part of a few different kits, but I usually download the SDK.
You also need LiveKD.exe from Sysinternals. I put LiveKD.exe in a folder that is in my %PATH% variable, so I can run it from anywhere. If you don't do this, you need to use the full path when you call it.
Open a Command Prompt with Run As Administrator and change to the directory of the debugging tools. Run LiveKD.exe, which starts the KD.exe kernel debugger (if you want to use a graphical version, you can run LiveKD.exe -w).
Wait until you see the 0: kd> prompt. Then run (make sure you really target the Temp folder):
.dump /f c:\temp\test.dmp
That's it! Now you have a full memory dump.
If you are running the computer you want to get the memory dump from on top of Hyper-V, you can do that easily from the host computer without touching the guest. Let's see how to do that.
This time, you need to install the debugging tools and LiveKD.exe on the host machine. The concepts are very much the same.
Open a Command Prompt with Run As Administrator and change to the directory of the debugging tools. Run the following command (change VM1 to the name of the virtual machine you want to get the dump from):
LiveKD.exe -hv VM1
The funny thing about this is that it doesn't require the guest computer to be running in debugging mode.
Wait until you see the 0: kd> prompt. Then run (make sure you really target the Temp folder):
.dump /f c:\temp\test.dmp
You can do this even faster by just running:
LiveKD -hv <VMNAME> -p -o c:\temp\memory.dmp
If you are running a guest VM on top of VMware, you should refer to this article, which shows you how to convert a snapshot file to a memory dump with vmss2core.exe. This is often the easiest way.
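The host-side Hyper-V procedure above, scripted for several guests at once, as an added PowerShell example that is not part of the original article: it dumps every running guest with the same LiveKD switches, hashes each dump for later verification, and sets _NT_SYMBOL_PATH for the session. The output directory C:\temp\dumps and symbol cache C:\symbols are constructed values, and LiveKD.exe and the debugging tools are assumed to be on the PATH.

```powershell
# Added example (not from the original article): acquire a full memory dump of
# each running Hyper-V guest from the host with LiveKD, then record a SHA-256
# hash of every dump so the evidence can be verified later.
# Assumptions: LiveKD.exe and the Debugging Tools (kd.exe) are on %PATH%, the
# Hyper-V PowerShell module is installed, and the session runs as Administrator.
#Requires -RunAsAdministrator

param(
    [string[]]$VMName,                    # default: all running guests
    [string]$OutDir = 'C:\temp\dumps',    # constructed output location
    [string]$SymbolCache = 'C:\symbols'   # constructed local symbol cache
)

# Point kd.exe (and any later WinDbg session) at the Microsoft symbol server.
$env:_NT_SYMBOL_PATH = "srv*$SymbolCache*https://msdl.microsoft.com/download/symbols"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Default to every guest that is currently running; only a running guest has memory to dump.
$vms = if ($VMName) { Get-VM -Name $VMName } else { Get-VM | Where-Object State -eq 'Running' }

foreach ($vm in $vms) {
    if ($vm.State -ne 'Running') {
        Write-Warning "Skipping $($vm.Name): state is $($vm.State)"
        continue
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dump  = Join-Path $OutDir "$($vm.Name)-$stamp.dmp"

    Write-Host "Dumping $($vm.Name) -> $dump"
    # Same switches as the article's one-shot command: -hv selects the guest,
    # -p and -o write the dump straight to the named file.
    & LiveKD.exe -hv $vm.Name -p -o $dump

    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dump) -or (Get-Item $dump).Length -eq 0) {
        Write-Warning "Dump of $($vm.Name) failed or is empty; check the LiveKD output"
        continue
    }

    # Hash the dump immediately and store the hash beside it (chain of custody).
    $hash = Get-FileHash -Path $dump -Algorithm SHA256
    "$($hash.Hash)  $(Split-Path $dump -Leaf)" | Set-Content -Path "$dump.sha256"
    Write-Host ("{0}: {1:N0} bytes, SHA256 {2}" -f $vm.Name, (Get-Item $dump).Length, $hash.Hash)
}
```

Run it with no parameters to dump every running guest, or pass -VMName VM1 to dump a single one as in the article.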
How about a walkthrough on getting symbols configured for this? I have symbols working for procexp but this is driving me nuts
I will try to do that!
The answer is to always use the _NT_SYMBOL_PATH variable.