Analyze process in a full system memory dump

I have received a full memory dump from a customer, not only of the process I am interested in, because a full memory dump can be extracted at runtime without any side effects (virtual machine).

I tried to import this dump with dotMemory (2018.1.4) but it simply failed.

Do you have any hints or ideas on how to get this working? Either a way to import that dump directly, or a recommendation for a tool that can extract a process dump from a full system memory dump.

0
3 comments

Hello,

Could you please provide any information on this error? Please take a screenshot or copy the error message.

 

0
Permanently deleted user

This is the error message I get. It is a full kernel mode dump file.

0

dotMemory retrieves information about object references and field values from the imported dump file. Thus, dotMemory can import only a dump that contains info about the entire address space of the process; otherwise the data will be inconsistent.

dotMemory can analyze only process dumps with the FullMemory flag. For example, you can obtain such a dump via Windows Task Manager, Process Explorer, ProcDump (-ma parameter) or any other similar tools.

Import of the full kernel mode dump file has not been tested and we have done nothing to support it. Apparently, it doesn't work out-of-the-box and won't be implemented in the near future.
If it's possible, please ask your customer to create a full memory dump of a certain process instead.
1
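
A quick way to tell which kind of dump a file is before trying to import it, as an added example that is not part of the original thread or JetBrains code. It assumes the "FullMemory flag" mentioned above corresponds to `MiniDumpWithFullMemory` (0x2) in the `Flags` field of the user-mode minidump header, and that kernel-mode dumps begin with the `PAGEDUMP` or `PAGEDU64` signature; the function names and sample headers are constructed for illustration.

```python
import struct
import sys

# MINIDUMP_TYPE bit set by tools that write the whole process address space
# (assumed to be what the thread calls the "FullMemory flag").
MINIDUMP_WITH_FULL_MEMORY = 0x2
HEADER_SIZE = 32  # size of MINIDUMP_HEADER


def classify_dump(header: bytes) -> str:
    """Classify a Windows dump from its first 32 bytes."""
    if header[:4] == b"MDMP":
        if len(header) < HEADER_SIZE:
            return "truncated"
        # MINIDUMP_HEADER layout: Signature, Version, NumberOfStreams,
        # StreamDirectoryRva, CheckSum, TimeDateStamp (six 32-bit fields),
        # followed by the 64-bit Flags field at offset 24.
        (flags,) = struct.unpack_from("<Q", header, 24)
        if flags & MINIDUMP_WITH_FULL_MEMORY:
            return "process-full"      # full process dump, e.g. ProcDump -ma
        return "process-partial"       # process dump without full memory
    if header[:8] in (b"PAGEDUMP", b"PAGEDU64"):
        return "kernel"                # kernel-mode / full system dump
    return "unknown"


def classify_file(path: str) -> str:
    """Read only the header of a dump file and classify it."""
    with open(path, "rb") as fh:
        return classify_dump(fh.read(HEADER_SIZE))


def sample_minidump_header(flags: int) -> bytes:
    """Constructed 32-byte minidump header for offline testing."""
    return struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 0, HEADER_SIZE, 0, 0, flags)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for dump_path in sys.argv[1:]:
            print(f"{dump_path}: {classify_file(dump_path)}")
    else:
        # Constructed headers, not taken from a real dump.
        print(classify_dump(sample_minidump_header(0x2)))
        print(classify_dump(b"PAGEDU64" + bytes(24)))
```

Only the first 32 bytes are read, so the check is cheap even on a multi-gigabyte system dump.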
