Can't parse Win 11 Enterprise 23H2 images

Open Darth-Leshious opened this issue 5 months ago • 2 comments

Describe the bug

Volatility will not properly parse a Windows 23H2 image.

Context

Volatility Version: Volatility 3 Framework 2.26.2
Operating System: Ubuntu 22.04 (SANS SIFT WS)
Python Version: Python 3.10.12
Suspected Operating System: Microsoft Windows 11 Enterprise (10.0.22631 N/A Build 22631) (23H2)
Command: 'python ./vol.py -f /mnt/hgfs/SecurityOperations/Incidents/03Sep2025_DC4605LP06-CS-alert/complete.dmp windows.pslist.PsList'

To Reproduce

Steps to reproduce the behavior:

  1. Use command 'python ./vol.py -vvvvv -f /mnt/hgfs/SecurityOperations/Incidents/03Sep2025_DC4605LP06-CS-alert/complete.dmp windows.pslist.PsList'
  2. See error:

INFO volatility3.cli: Volatility plugins path: ['/usr/local/src/volatility3/volatility3/plugins', '/usr/local/src/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/usr/local/src/volatility3/volatility3/symbols', '/usr/local/src/volatility3/volatility3/framework/symbols']
DEBUG volatility3.plugins.yarascan: Using yara-python module
DETAIL 3 volatility3.cli: Cache directory used: /home/sansforensics/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler, S3FileSystemHandler, GSFileSystemHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 19327352831
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8011be00000
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.symbol_table_name']

Expected behavior

I would expect to see some sort of Windows process listing, such as:

ID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

4	0	System	0xd2813f0ff040	339	-	N/A	False	2025-06-18 13:31:50.000000 UTC	N/A	Disabled
172	4	Registry	0xd2813f5e3080	4	-	N/A	False	2025-06-18 13:31:48.000000 UTC	N/A	Disabled
808	4	smss.exe	0xd2814729b040	2	-	N/A	False	2025-06-18 13:31:51.000000 UTC	N/A	Disabled
1104	964	csrss.exe	0xd28147da5080	12	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1192	964	wininit.exe	0xd28148f6c080	2	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1200	1184	csrss.exe	0xd28148f7d140	0	-	1	False	2025-06-18 13:31:53.000000 UTC	2025-06-21 13:08:47.000000 UTC	Disabled
1264	1192	services.exe	0xd28148ff2140	10	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1300	1184	winlogon.exe	0xd28149065080	0	-	1	False	2025-06-18 13:31:53.000000 UTC	2025-06-21 13:08:45.000000 UTC	Disabled
1368	1192	lsass.exe	0xd2814906d100	11	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1488	1264	svchost.exe	0xd2814928b0c0	15	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1532	1192	fontdrvhost.ex	0xd281492a7080	5	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1612	1264	svchost.exe	0xd28149318080	10	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1672	1264	svchost.exe	0xd28149331080	7	-	0	False	2025-06-18 13:31:53.000000 UTC	N/A	Disabled
1892	1264	svchost.exe	0xd281494940c0	0	-	0	False	2025-06-18 13:31:54.000000 UTC	2025-06-18 14:01:54.000000 UTC	Disabled
1904	1264	svchost.exe	0xd28149492080	3	-	0	False	2025-06-18 13:31:54.000000 UTC	N/A	Disabled
1912	1264	svchost.exe	0xd28149497080	34	-	0	False	2025-06-18 13:31:54.000000 UTC	N/A	Disabled
1976	1264	svchost.exe	0xd281494cf0c0	3	-	0	False	2025-06-18 13:31:54.000000 UTC	N/A	Disabled
1984	1264	svchost.exe	0xd281494d2080	3	-	0	False	2025-06-18 13:31:54.000000 UTC	N/A	Disabled

Additional information

We used CrowdStrike's xmemdump to dump this memory image. We have used it successfully for Windows 10 images, but have suddenly started to have issues when we attempt to parse Win 11 23H2 images. We are able to successfully parse this image in Magnet Axiom with their Comae memory tool. If I use the identical command, but just change the input file location to a Win 10 memory dump made with the same tool, the command executes successfully. I've tried multiple Win 11 Enterprise 23H2 memory dumps with the same issue. Seems that later Win 11 issues have something going on similar to old KDBG encoding issue. Due to potential for HIPAA/PHI issues, I cannot share this memory image. I am currently unable to do any commands with this image, including windows.info.Info.

Darth-Leshious • Sep 09 '25 22:09

Same issue here. Tested on memory dumps taken from multiple Win 11 Enterprise 23H2 devices with the same result. No such issues with Windows 10 images.

Output as follows when running windows.info.Info:

PS C:\temp> vol -f hostname.raw -vvvvvvv windows.info.Info
Volatility 3 Framework 2.26.0
INFO volatility3.cli: Volatility plugins path: ['C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\plugins', 'C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\symbols', 'C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\plugins, C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\plugins
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\automagic
DETAIL 3 volatility3.cli: Cache directory used: C:\Users\username\AppData\Roaming\volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\symbols, C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\symbols
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: C:\Users\username\AppData\Roaming\Python\Python312\site-packages\volatility3\framework\layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 36775657471
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 12444d980 with MZ offset at 124400000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf80124400000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntoskrnl.pdb at 14d063814 with MZ offset at 14cf13000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8014cf13000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 221b5a1b8 with MZ offset at 22197e000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8022197e000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 30ca171b8 with MZ offset at 30c9c3000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8030c9c3000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 355e91980 with MZ offset at 355c67000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf80355c67000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 3c39e31b8 with MZ offset at 3c3367000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf803c3367000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntoskrnl.pdb at 3cc14ab80 with MZ offset at 3cbfaa000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf803cbfaa000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntoskrnl.pdb at 3f1134b80 with MZ offset at 3f10a7000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf803f10a7000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 4b0ec6980 with MZ offset at 4b0c49000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf804b0c49000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 4da0891b8 with MZ offset at 4d9f5d000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf804d9f5d000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntoskrnl.pdb at 6ed4a4b80 with MZ offset at 6ed296000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf806ed296000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntkrnlmp.pdb at 6fe5f21b8 with MZ offset at 6fe395000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf806fe395000
DETAIL 4 volatility3.framework.automagic.pdbscan: Testing potential kernel for ntoskrnl.pdb at 727f03b80 with MZ offset at 727b0d000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf80727b0d000
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

badaboing avatar Sep 10 '25 15:09 badaboing

I've been using volatility with Windows 11 Enterprise/Pro memory images and I'm not experiencing the same issue. All dumps are via DumpIt. I've tried both 2.26.2 and 2.27.1 with other Windows 11 builds (below) and I can't reproduce what you're seeing. Are you able to grab a memory dump using DumpIt just to check? I'll try with another 11 Enterprise build tomorrow evening.

OS Name:                       Microsoft Windows 11 Enterprise
OS Version:                    10.0.26200 N/A Build 26200

$ python3 vol.py -f ../../volatility3/23H2-26200/redacted.dmp windows.pslist
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xc50904699040  174     -       N/A     False   2025-12-16 05:15:44.000000 UTC  N/A     Disabled
124     4       Registry        0xc509047e1080  4       -       N/A     False   2025-12-16 05:15:41.000000 UTC  N/A     Disabled
472     4       smss.exe        0xc50908d88080  2       -       N/A     False   2025-12-16 05:15:44.000000 UTC  N/A     Disabled
648     616     csrss.exe       0xc5090a632080  12      -       0       False   2025-12-16 05:15:48.000000 UTC  N/A     Disabled

and

OS Name:                   Microsoft Windows 11
OS Version:                10.0.22631 N/A Build 22631

$ python3 vol.py -f ../../volatility3/23H21/redacted.dmp windows.pslist
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

4       0       System  0xd68f8d8b6040  148     -       N/A     False   2025-12-16 04:27:26.000000 UTC  N/A     Disabled
112     4       Registry        0xd68f8d99b040  4       -       N/A     False   2025-12-16 04:27:23.000000 UTC  N/A     Disabled
440     4       smss.exe        0xd68f90945040  4       -       N/A     False   2025-12-16 04:27:26.000000 UTC  N/A     Disabled
580     552     csrss.exe       0xd68f91504140  11      -       0       False   2025-12-16 04:27:30.000000 UTC  N/A     Disabled

deeFIR avatar Dec 15 '25 11:12 deeFIR

Grabbed a memory dump today using DumpIt and had the same result, unfortunately.

OS Edition: Windows 11 Enterprise
OS Build: 22631.6345

badaboing avatar Dec 31 '25 15:12 badaboing

It's going to be very difficult to diagnose what's going on without an example memory image that experiences the issue. Can anyone provide a clean install that they can share which suffers from this problem please? It looks as though it successfully found an intel layer at least, but locating Windows on top of it appears to fail for some reason, we'll need an image to figure out why...

ikelos avatar Dec 31 '25 15:12 ikelos

Same issue here.

Python 3.13
Volatility 2.26.2
Used Magnet DumpIt

vol.exe -vvvvvv -l volverbose.txt -f C:\users\azureuser\downloads\Comae-Toolkit-v20230117\x64\WS-MTHORNE-20260107-135232.dmp windows.pslist

volverbose.txt

Here is an image: https://filebin.net/es2hislefx5g52aa

anthony-pierce avatar Jan 07 '26 14:01 anthony-pierce

For people having difficulty with certain Windows 11 images, there is now a pull request in testing to try to resolve the issue. If you know how, we'd much appreciate people testing the #1929 pull request and letting us know whether it now improves the situation.

For a more detailed reason as to why this works, a heuristic was used to find the "map" that explains how the memory is laid out. In Windows, one particular part of that map always points to itself, and we used this fact to quickly identify it. The map also always tended to live in a particular location. Some recent images have shown that Microsoft now stores the map in a location that can fall outside the area we were previously checking, and there can now be a false map which points to itself, but contains next to no other entries, right where we'd expect the real map to be. For this reason, Volatility was detecting that map and trying to use it, which led to it being unable to detect Windows on those images.

The new patch improves the heuristic by expanding the search area significantly and improving the verification of the map to rule out maps with a very small number of entries (likely too few to support a running system). We may still be able to make improvements on this, but we'd need people with images that failed to run the patched version of Volatility (available as #1929) with the debug flags -vvvvvvv and report the hex offset of the DTB value that was found (and whether Windows 11 was successfully identified). With enough samples we can minimize the areas we need to examine on new images.

So please could anyone experiencing issues with a Windows 11 image and Volatility 3 test this pull request if you're able, and report back whether it works (and if possible the identified DTB value as found in the -vvvvvvv output).

ikelos avatar Jan 08 '26 23:01 ikelos
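The heuristic described in the comment above, sketched as an added example; this is not Volatility's code and not the #1929 patch. It assumes x86-64 4-level paging (512 eight-byte entries per table, bit 0 = present, bits 12-51 = physical address); the memory buffer, offsets, entry flags and the `MIN_ENTRIES` threshold are constructed for illustration.

```python
import struct

PAGE = 0x1000
ADDR_MASK = 0x000FFFFFFFFFF000  # bits 12..51: physical address of the next table
PRESENT = 0x1
MIN_ENTRIES = 8  # assumed threshold for this example, not the patch's value


def self_ref_index(page: bytes, phys_addr: int):
    """Index of the first present entry that points back at this page, else None."""
    for idx, entry in enumerate(struct.unpack("<512Q", page)):
        if entry & PRESENT and (entry & ADDR_MASK) == phys_addr:
            return idx
    return None


def present_count(page: bytes) -> int:
    """Number of entries in the table with the present bit set."""
    return sum(1 for entry in struct.unpack("<512Q", page) if entry & PRESENT)


def find_dtb_candidates(mem: bytes, min_entries: int = MIN_ENTRIES):
    """Scan every page of the buffer rather than one expected region.

    Returns (accepted, rejected) lists of (offset, self_ref_idx, present_entries).
    Self-referencing pages with too few entries are treated as decoys.
    """
    accepted, rejected = [], []
    for off in range(0, len(mem) - PAGE + 1, PAGE):
        page = mem[off:off + PAGE]
        idx = self_ref_index(page, off)
        if idx is None:
            continue
        hit = (off, idx, present_count(page))
        (accepted if hit[2] >= min_entries else rejected).append(hit)
    return accepted, rejected


def build_sample() -> bytes:
    """Constructed 16-page 'physical memory': one sparse decoy, one populated map."""
    mem = bytearray(16 * PAGE)

    def put(table, idx, target):
        struct.pack_into("<Q", mem, table + idx * 8, target | 0x63)

    put(0x2000, 0x1ED, 0x2000)            # decoy: points to itself...
    put(0x2000, 0x000, 0x3000)            # ...with only one other entry
    put(0xA000, 0x1A3, 0xA000)            # populated map at a different offset
    for i in range(6):
        put(0xA000, i, 0x4000 + (i % 4) * PAGE)          # lower-half entries
        put(0xA000, 0x100 + i, 0x4000 + (i % 4) * PAGE)  # upper-half entries
    return bytes(mem)


if __name__ == "__main__":
    ok, decoys = find_dtb_candidates(build_sample())
    print("accepted:", [(hex(o), hex(i), n) for o, i, n in ok])
    print("rejected:", [(hex(o), hex(i), n) for o, i, n in decoys])
```

Checking only the self-reference would return the page at 0x2000 first; counting present entries is what separates it from the populated table at 0xA000.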