How to capture memory mapped I/O events?

[manishshukla]

Hi

I am trying to capture the read/write from notepad.exe which turns out to be using memory mapped I/O. For that I started the SilkETW as follows:

SilkETW.exe -t kernel -kk VAMap -ot file -p c:\temp\sample\output.json

For a 120 second session, in which notepad.exe is opened with a text file, I received not a single read/write event for the notepad.exe.

Please suggest what is the right way to do that. Thanks.

[FuzzySecurity]

Hey @manishshukla sorry I can't assist with specific data collection. I hope you managed to solve this issue :thumbsup: