Velocidex / WinPmem

The multi-platform memory acquisition tool.
Apache License 2.0

issue using winpmem #22

Open zinebbe opened 4 years ago

zinebbe commented 4 years ago

I am trying to use the pcm (performance counter) and using the winpmem driver.

I have the following error on the event viewer: The winpmem service failed to start due to the following error: A device attached to the system is not functioning.

I am using the x64.sys file and storing it in the same directory where I run my pcm.exe

Could you kindly help?

Thanks

scudette commented 4 years ago

I have no idea what pcm.exe is or what it does. Are you able to load the driver using winpmem.exe -l?

zinebbe commented 4 years ago

This is what I get when running the winpmem.exe -l command:

C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>winpmem.exe -l
WinPmem64
Extracting driver to C:\Users\User\AppData\Local\Temp\pme7563.tmp
Driver Unloaded.
Loaded Driver C:\Users\User\AppData\Local\Temp\pme7563.tmp.
Deleting C:\Users\User\AppData\Local\Temp\pme7563.tmp


scudette commented 4 years ago

Cool, looks like it is working - can you take a memory image?

You can see the driver is installed using sc:

sc.exe query winpmem

zinebbe commented 4 years ago

Here is the output:

C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>sc.exe query winpmem

SERVICE_NAME: winpmem
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0


zinebbe commented 4 years ago

So why is the state stopped? Also, how do I take a memory image, please?


scudette commented 4 years ago

Just run it like winpmem.exe foo.dd

Make sure you use the release binary from the releases page rather than try to build it from source - otherwise you need to sign the driver somehow.

zinebbe commented 4 years ago

I actually built the source code to get the .exe file.

Could you please point me to the release page where I can find the .exe file to run? (I don't seem to find it on the GitHub repo.) Thanks again.


scudette commented 4 years ago

[image] https://user-images.githubusercontent.com/3856546/100037749-7fb7a280-2e4e-11eb-9b15-f316fa9d1bba.png

zinebbe commented 4 years ago

Thank you for your response. Here is the output:

C:\Users\User\Desktop\WinPmem-master>winpmem_mini_x64_rc2.exe foo.dd
WinPmem64
Extracting driver to C:\Users\User\AppData\Local\Temp\pme5B65.tmp
Driver Unloaded.
Loaded Driver C:\Users\User\AppData\Local\Temp\pme5B65.tmp.
Deleting C:\Users\User\AppData\Local\Temp\pme5B65.tmp
The system time is: 02:18:37
Will generate a RAW image
00% 0x00000000 . copy_memory
00% 0x00001000 . Padding from 0x0005C000 to 0x0005D000 pad
00% 0x0005C000 . copy_memory
00% 0x0005D000 . Padding from 0x000A0000 to 0x00100000 pad
00% 0x000A0000 . copy_memory
00% 0x00100000 ..................................................
09% 0x32100000 ..................................................
18% 0x64100000 ..................................................
27% 0x96100000 ..................................................
36% 0xC8100000 ......... Padding from 0xD073D000 to 0xD1C0F000 pad
37% 0xD073D000 .. copy_memory
38% 0xD1C0F000 . Padding from 0xD1C10000 to 0x100000000 pad
38% 0xD1C10000 ............................................... copy_memory
46% 0x100000000 ..................................................
55% 0x132000000 ..................................................
64% 0x164000000 ..................................................
73% 0x196000000 ..................................................
82% 0x1C8000000 ..................................................
91% 0x1FA000000 ..............................................
The system time is: 02:20:31
Driver Unloaded.

It also generated the .dd file (8.5 G).


mhhajeer commented 3 years ago

same problem here. I guess it has to do with write not being enabled. I have tried to enable it by "winpmem.exe -w -l" while running in a test mode, but no luck as it complains of "Failed to set write mode. Maybe these drivers do not support this mode?"

PS: there are also some syntax errors with pmem write enable under read.c PmemWrite line 687 and line 691

scudette commented 3 years ago

We do not release drivers with write mode enabled. You do not need these to acquire memory.


mhhajeer commented 3 years ago

Thanks Mike, I am using this for testing purposes only and I am trying to compile/build a working write-enabled driver using the notes in https://github.com/Velocidex/WinPmem/blob/master/README.md . No luck so far with the .sys driver or with the .exe tool :(

scudette commented 3 years ago

You have to rebuild the driver in visual studio and then take the sys file to place into the bisque binaries folder and then compile the user space program using visual studio as well.

Then you need to set your system into loading test drivers with bcdedit otherwise you can't load the unsigned driver.

What specific errors are you getting in building?

Thanks Mike

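As an added example that is not part of this thread or of WinPmem, the PowerShell below runs the checks Mike points at from the defender's side: the sc.exe state and WIN32_EXIT_CODE (the thread's 31 is the same "A device attached to the system is not functioning" error from the first post), the Authenticode status of the .sys file, and the bcdedit test-signing flag an unsigned self-built driver needs. The service name winpmem comes from the thread; the driver path is a placeholder you set yourself.

```powershell
# Added diagnostic helper for this thread; it is not part of WinPmem.
# Run from an elevated PowerShell prompt (sc.exe query and bcdedit need admin).
param(
    [string]$ServiceName = 'winpmem',                        # service name from the thread
    [string]$DriverPath  = 'C:\PLACEHOLDER\winpmem_x64.sys'  # placeholder, point at your .sys
)

# Win32 error codes that commonly show up as WIN32_EXIT_CODE for a driver service.
# 31 is the code in the sc.exe output above and matches the Event Viewer text.
$win32Errors = @{
    0    = 'ERROR_SUCCESS'
    31   = 'ERROR_GEN_FAILURE (A device attached to the system is not functioning)'
    577  = 'ERROR_INVALID_IMAGE_HASH (Windows cannot verify the digital signature)'
    1060 = 'ERROR_SERVICE_DOES_NOT_EXIST (driver service was never installed)'
    1275 = 'ERROR_DRIVER_BLOCKED (driver blocked from loading)'
}

# 1. Service state and last exit code, parsed from the same sc.exe output shown above.
#    If the service does not exist, sc.exe prints "OpenService FAILED 1060" instead.
$query    = (sc.exe query $ServiceName 2>&1) | Out-String
$state    = if ($query -match 'STATE\s*:\s*\d+\s+(\w+)') { $Matches[1] } else { 'NOT_INSTALLED' }
$exitCode = if ($query -match '(?:WIN32_EXIT_CODE\s*:|FAILED)\s*(\d+)') { [int]$Matches[1] } else { -1 }
$reason   = if ($win32Errors.ContainsKey($exitCode)) { $win32Errors[$exitCode] } else { "unknown code $exitCode" }
"Service '$ServiceName': state=$state, WIN32_EXIT_CODE=$exitCode -> $reason"

# 2. Signature of the driver binary. A driver you built yourself reports NotSigned;
#    only the release binaries ship a driver that loads without test signing.
if (Test-Path -LiteralPath $DriverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    "Driver signature: $($sig.Status) (signer: $($sig.SignerCertificate.Subject))"
} else {
    "Driver file not found: $DriverPath"
}

# 3. Boot-time test-signing flag. An unsigned driver only loads when this is Yes,
#    and leaving it on weakens driver signature enforcement for the whole machine.
$bcd         = (bcdedit /enum '{current}' 2>&1) | Out-String
$testSigning = [bool]($bcd -match 'testsigning\s+Yes')
"Test signing enabled: $testSigning"
```

If the state is STOPPED with exit code 31 and the signature is Valid, the failure is in the driver itself rather than signing; NotSigned with test signing off is the build-from-source case Mike describes.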

mhhajeer commented 3 years ago

Thank you, will give that a shot. I am getting syntax errors in "read.c PmemWrite line 687 and line 691" when:

  1. uncomment line 33 in winpmem.h #define PMEM_WRITE_ENABLED 1
  2. uncomment line 9 in ctl_codes.h #define PMEM_WRITE_ENABLE CTL_CODE(0x22, 0x102, 0, 3)

Also, after fixing these syntax errors and building the .sys, the service cannot start on Windows using this .sys for some reason if I try to start it with sc.exe.

chadbrewbaker commented 1 year ago

Bump. Could you see why winpmem latest release is failing on windows-latest GitHub worker?

name: TestJob
on:
  # manually trigger
  workflow_dispatch:

jobs:
  run_win:
    runs-on: windows-latest
    steps:
      - name: Run script
        run: |
          curl -OL URI/winpmem.exe
          ./winpmem.exe dump.raw
          dir

scudette commented 1 year ago

Is this related to this issue? Are you compiling your own driver? If you do you will need to sign it