
Failed to Dump in AD based system

Open prashant-09-tech opened this issue 10 months ago • 10 comments

I am using this winpmem_mini_x64_rc2(1).exe and it works on a formatted system, but it's not working properly on systems that are part of Active Directory (AD) or were previously joined to AD. @scudette

prashant-09-tech avatar Apr 08 '25 10:04 prashant-09-tech

When you say not working properly, what do you mean? Does it load the driver at all? Is there any error in the log file?

scudette avatar Apr 08 '25 11:04 scudette

I am using it properly and it works on a fresh/formatted system, but it is not working on an AD-based system: it dumps a 0 KB file and fails to load the driver. @scudette

prashant-09-tech avatar Apr 08 '25 12:04 prashant-09-tech

Is there anything in the event log to suggest why the driver is not loading? Likely this is some policy enforced by group policy that prevents the driver from loading.

There is really not much we can do about that. It's really a Windows security measure to prevent loading of drivers.

scudette avatar Apr 09 '25 01:04 scudette

No, there are no suggestions. If the driver is not loading due to a Windows security issue, then why does it work on a formatted/fresh system? I am using this command on a fresh system: "winpmem_mini_x64_rc2(1).exe sample.raw", and I am executing it in CMD with administrator privileges. @scudette

prashant-09-tech avatar Apr 09 '25 05:04 prashant-09-tech

@scudette Could you give some suggestions for an AD-based system?

prashant-09-tech avatar Apr 10 '25 06:04 prashant-09-tech

I would be looking for messages in the event log about why the driver didn't load. Additionally, you can get debugging messages from the driver using DebugView from Sysinternals.

First establish if the driver can load at all using the -l flag. Then check if the memory address ranges returned are reasonable. The ranges are reported in the debug view output.

scudette avatar Apr 10 '25 07:04 scudette

After your suggestion I ran this command, "winpmem_mini_x64_rc2(1).exe -l sample.raw", on an AD-based system and I got this: "WinPmem64 Extracting driver to C:\Users\Pardeep\AppData\Local\Temp\pme4F72.tmp Driver Unloaded. Deleting C:\Users\Pardeep\AppData\Local\Temp\pme4F72.tmp" @scudette

prashant-09-tech avatar Apr 11 '25 05:04 prashant-09-tech

The -l flag just loads the driver but does not do any acquisition.

You can see what is happening with DbgView.

You can check the Event Log viewer to see that the service is installed.

If there is security software or an AD setting that prevents the driver from loading, you will be able to see something in the event log.

scudette avatar Apr 14 '25 06:04 scudette
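To collect the evidence scudette asks for on the domain-joined host (whether a Code Integrity/WDAC or HVCI policy is active, and what the Service Control Manager and Code Integrity logs recorded around the load attempt), here is an added PowerShell triage helper; it is not part of winpmem or this issue. It assumes an elevated prompt, the standard Windows event IDs named in the comments, and that the extracted driver's temp-file name starts with "pme" as shown in the output above.

```powershell
# Added triage helper (not part of winpmem): gather the evidence needed to explain
# why the winpmem driver did not load on a domain-joined host.
# Assumptions: elevated PowerShell; standard Windows log channels and event IDs;
# 'pme' matches the temp-file prefix seen in the issue ("pme4F72.tmp").

$since = (Get-Date).AddHours(-1)   # look back one hour (adjust as needed)

# 1. Is virtualization-based security / HVCI or an enforced WDAC policy active?
#    SecurityServicesRunning contains 2 when HVCI (memory integrity) is running;
#    CodeIntegrityPolicyEnforcementStatus 2 means a kernel-mode WDAC policy is enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    HVCIRunning        = [bool]($dg.SecurityServicesRunning -contains 2)
    WDACKernelEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    WDACUserEnforced   = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
} | Format-List

# 2. Service Control Manager: 7045 = a service/driver was installed,
#    7000 = a service/driver failed to start (the message carries the reason).
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7000, 7045; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'pme\w+\.tmp|pmem' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. Code Integrity: 3077 = kernel module blocked by policy,
#    3033 = file did not meet the required signing level.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id = 3033, 3077; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Which computer-scope GPOs apply here; a driver-blocking setting usually arrives this way.
gpresult /r /scope:computer
```

Run it right after `winpmem_mini_x64_rc2(1).exe -l sample.raw` so the one-hour window covers the load attempt; a hit in section 3 or an enforced-policy flag in section 1 points at a policy rather than at winpmem itself.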

I tried but failed to get the information. On the AD-based system the driver is not loaded. I got this: WinPmem64 Extracting driver to C:\Users\Pardeep\AppData\Local\Temp\pme4F72.tmp Driver Unloaded. Deleting C:\Users\Pardeep\AppData\Local\Temp\pme4F72.tmp

If the system is formatted and not in AD:

WinPmem64 Extracting driver to C:\Users\Admin\AppData\Local\Temp\pme3E87.tmp Driver Unloaded. Loaded Driver C:\Users\Admin\AppData\Local\Temp\pme3E87.tmp. Deleting C:\Users\Admin\AppData\Local\Temp\pme3E87.tmp

Could you tell me why the driver is not loading? @scudette

prashant-09-tech avatar Apr 16 '25 12:04 prashant-09-tech