If you want an instant kernel dump, kill the SMSS process... :) It might not get you what you need in terms of info, though, but it is worth a try on a different (victim) system.
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Thu, Aug 28, 2014 at 8:51 PM, Ben Scott <[email protected]> wrote:
> On Thu, Aug 28, 2014 at 8:40 PM, Daniel Chenault <[email protected]> wrote:
> > My first step would be to scan my machine for malware.
>
> Everything here runs Trend OfficeScan real-time, and does a full scan once a week. Nobody runs with admin rights for day-to-day. Software Restriction Policies deny execute to most user-writable locations, including most everything under C:\Users. Our email filters trap any executable of any kind (by signature, not name). Our web filter tries to block executables from being downloaded (efficacy is an open question). AutoRun is completely disabled via registry redirection. Windows Updates are forced via WSUS. We update apps via GPO/MSI when possible.
>
> While I will *never* rule out a malware compromise, and we do have some weaknesses (as do all), we're in a better position than most.
>
> > After that I'd get a known good machine on my network segment running WireShark, set as large a buffer as possible and let it run. When the fault occurs I've caught it and can examine from there.
>
> Hmmm. I've been assuming it's of machine local origin, but it's a good point that it might actually be triggered by something on the network. I can set up another PC with a sniffer, and mirror my switch port to that. Wireshark does have a circular buffer feature.
>
> I'll keep that in mind and give it a shot if nothing better comes along soon.
>
> Thanks...
>
> -- Ben
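The "circular buffer" capture Ben mentions for the mirrored switch port is Wireshark's ring-buffer mode, which is easiest to leave running unattended from the command-line capture engine (dumpcap) that ships with Wireshark. The script below is an added example, not something posted in this thread: it builds a dumpcap ring-buffer command line, sizes the ring so you can tell how many seconds of traffic will still be on disk when the fault happens, and only starts capturing when invoked with `start`. The interface name, output directory, file size and file count are assumptions to be adjusted for the sniffer box.

```bash
#!/bin/sh
# Added example (not from the thread): long-running dumpcap ring-buffer
# capture for a sniffer hanging off a mirrored switch port.
# dumpcap is part of Wireshark. Interface, directory and sizes are assumptions.

IFACE="${IFACE:-eth0}"                       # assumed mirror-port interface
OUTDIR="${OUTDIR:-/var/tmp/mirror-capture}"  # assumed output directory
FILE_KB="${FILE_KB:-204800}"                 # rotate every 200 MB (dumpcap takes kB)
FILES="${FILES:-50}"                         # keep the newest 50 files, overwrite the oldest
SNAPLEN="${SNAPLEN:-0}"                      # 0 = whole packets, nothing truncated

# Build the dumpcap invocation as one string so it can be inspected (and
# tested) without a live interface.
#   -b filesize:N  switch to a new file after N kB
#   -b files:N     keep at most N files, then recycle the oldest (the ring)
#   -w path        base name; dumpcap appends a sequence number and timestamp
ring_capture_cmd() {
    iface="$1"; outdir="$2"; file_kb="$3"; files="$4"; snaplen="$5"
    printf 'dumpcap -i %s -s %s -b filesize:%s -b files:%s -w %s/mirror.pcapng' \
        "$iface" "$snaplen" "$file_kb" "$files" "$outdir"
}

# Seconds of traffic the ring retains at a sustained rate, integer arithmetic:
#   files * file_kb * 1024 bytes * 8 bits / (mbit_per_s * 1e6)
# Use this before starting so the ring outlives the interval between
# fault and the moment someone stops the capture.
ring_retention_sec() {
    file_kb="$1"; files="$2"; mbit_per_s="$3"
    echo $(( files * file_kb * 8192 / (mbit_per_s * 1000000) ))
}

# Start the capture only when asked to, so sourcing the file is side-effect free.
if [ "${1:-}" = "start" ]; then
    command -v dumpcap >/dev/null 2>&1 || { echo "dumpcap not found; install Wireshark" >&2; exit 1; }
    mkdir -p "$OUTDIR"
    echo "Ring of $FILES x ${FILE_KB}kB holds about $(ring_retention_sec "$FILE_KB" "$FILES" 100)s at 100 Mbit/s"
    cmd=$(ring_capture_cmd "$IFACE" "$OUTDIR" "$FILE_KB" "$FILES" "$SNAPLEN")
    echo "Running: $cmd"
    # Run with nohup so a dropped session does not stop the capture.
    nohup $cmd >"$OUTDIR/dumpcap.log" 2>&1 &
    echo "dumpcap pid $!"
fi
```

When the fault hits, note the wall-clock time on the victim, then pull the ring files whose timestamps bracket it; with 50 files of 200 MB the defaults above hold roughly 14 minutes of a saturated 100 Mbit/s link, so a quieter segment keeps far more. Run it on the sniffer box (not the victim) and check that the port mirror actually forwards both directions before trusting a quiet capture.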

