On 9/17/2010 2:33 PM, Carlos Perez wrote:
> http://moonsols.com/blog/9-moonsols-windows-memory-toolkit
>
> this should help you,
>
> for the previous ones you used If you have UAC running you will
> have to use psexec -s to run the imager as System
>

Thanks, that worked. It took a bit of tweaking to get it running remotely, as I don't have hands on the box, but I got it to dump. For the record, I ended up having to:

1. Copy win64dd.exe and win64dd.sys to system32.
2. Use psexec to spawn a cmd as system from the remote box.
3. Run win64dd.exe /r /a /f name.img

Trying to run the dump direct from a remote psexec session kept throwing errors, as did running it through a shuttled cmd from another place on the file system.

The next "D'oh" is that Audit Viewer/Memoryze isn't 64-bit aware yet. Should have thought of that before this. I think I have a Volatility build somewhere, but not sure if that is 64-bit aware yet or not.

ZT

_______________________________________________
Pauldotcom mailing list
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
