Searching a Memory Dump

wiretap

Hi =)

I have a 2GB memory dump that I forced manually. I have to find
specific information that was within an application at the time of the
dump. I have no clue where it would be, or how to access it. I have the
windows debug tool installed, and I am able to open the memory.dmp file
in it. I'm a little confused as to how to navigate around to find certain
things. I tried to look in the help file, but it seems to want certain
memory locations to be specified when you search memory. I don't know
the location, but I know the application. Could anyone please point me
in the right direction? If it helps, what I am searching for is 128
bits long, so 16 bytes, or 32 hexadecimal characters. I cannot say what
I am looking for, because this is for a private project I am working on
at the moment.

To sum things up..
- dumped memory to .dmp file, opened it in windbg.exe
- looking for specific string stored in RAM
- just need help on how to do the search if I already know the
application

Thanks.
wiretap
 
Gerry Cornell

Have you heard the story of the tortoise and the hare? Well, you could
be taking on the role of the hare.

Can you provide a complete copy of the Stop Error Report?

Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Keep pressing the
F8 key during StartUp and select option - Disable automatic restart on
system failure.

Do not re-enable automatic restart on system failure until you have
resolved the problem. Check for variants of the Stop Error message.

There will also be Error Reports in Event Viewer. Please post copies.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us

Part of the Description of the error will include a link, which you
should double click for further information. You can copy using copy
and paste. Often the link will, however, say there is no further
information.
http://go.microsoft.com/fw.link/events.asp
(Please note the hyperlink above is for illustration purposes only)

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears, there is
a button resembling two pages. Click the button and close Event Viewer.
Now start your message (email) and do a paste into the body of the
message. Make sure this is the first paste after exiting from Event
Viewer.



--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
wiretap

No... I forced the memory dump on purpose because I want to find
something in it. The computer is functioning normally, nothing is wrong
with it.
 
Ron Martell

wiretap said:
Hi =)

I have a 2GB memory dump that I forced manually. I have to find
specific information that was within an application at the time of the
dump. I have no clue where it would be, or how to access it. I have the
windows debug tool installed, and I am able to open the memory.dmp file
in it. I'm a little confused as to how to navigate around to find certain
things. I tried to look in the help file, but it seems to want certain
memory locations to be specified when you search memory. I don't know
the location, but I know the application. Could anyone please point me
in the right direction? If it helps, what I am searching for is 128
bits long, so 16 bytes, or 32 hexadecimal characters. I cannot say what
I am looking for, because this is for a private project I am working on
at the moment.

To sum things up..
- dumped memory to .dmp file, opened it in windbg.exe
- looking for specific string stored in RAM
- just need help on how to do the search if I already know the
application

The PSTAT utility will give you the memory load addresses for
applications, device drivers, etc. That may help you to cut down on
the portion of the memory dump you need to search through.
Use PSTAT > C:\PSTAT.TXT to save the output as a text file, which may
be more useful.

Also, have you tried the FIND utility in Windows XP? (Run it from a
command prompt. Use FIND /? to see the parameters and options.)

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca
Syberfix Remote Computer Repair

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."
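
Added example, not part of any post in this thread: one way to search the dump file itself for a known 128-bit value without knowing where it lives, checking the three forms the question mentions or implies (16 raw bytes, 32 ASCII hex characters, and the same hex text as UTF-16). The sample value and filler bytes are constructed for illustration, and the function names are this example's own.

```python
import binascii
import io

CHUNK = 1 << 20  # 1 MiB reads, so a 2 GB dump never has to fit in RAM


def encodings(value: bytes) -> dict:
    """Byte patterns under which a known 16-byte value may sit in memory."""
    lower = binascii.hexlify(value)              # 32 ASCII hex characters
    upper = lower.upper()
    return {
        "raw": value,
        "ascii-hex-lower": lower,
        "ascii-hex-upper": upper,
        "utf16-hex-lower": lower.decode().encode("utf-16-le"),
        "utf16-hex-upper": upper.decode().encode("utf-16-le"),
    }


def scan(stream, value: bytes, chunk: int = CHUNK):
    """Return sorted (file_offset, encoding_name) hits for value in stream."""
    patterns = encodings(value)
    overlap = max(len(p) for p in patterns.values()) - 1
    hits, tail, base = set(), b"", 0             # base = file offset of buf[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, name))
                pos = buf.find(pat, pos + 1)
        # Carry the last bytes over so a match split across two reads is found.
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample: a made-up value planted three ways in filler bytes.
    value = bytes.fromhex("3f9a1c5e77b2040d8e61fa0923cd4b10")
    enc = encodings(value)
    sample = (b"\x00" * 100 + value + b"\x11" * 50 + enc["ascii-hex-lower"]
              + b"\x22" * 7 + enc["utf16-hex-upper"])
    for offset, name in scan(io.BytesIO(sample), value, chunk=64):
        print(f"0x{offset:08x}  {name}")
```

For the real file, open memory.dmp in binary mode and pass it as `stream`. The offsets returned are positions in the dump file, not virtual addresses inside the application.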
 