Issues loading VMRS file (Hyper-V checkpoint)

[SchlesHammer]

When attempting to load in VMRS file from Hyper-V (standard) checkpoint, getting the error: "DEVICE: FAILED: Hyper-V Saved State found - but not possible to open. Result 0x80070002 MemProcFS: Failed to connect to memory acquisition device." Using the commands: MemProcFS.exe -device [guid].VMRS or MemProcFS.exe -device hvsavedstate://[guid].VMRS have the same results. I have also tried with and without the 'vmsavedstatedumpprovider.dll' file from the Windows SDK in the root of MemProcFS.

[ufrisk]

The error code is ERROR_FILE_NOT_FOUND.

Are you specifying the whole path the the VMRS file?

Also, make sure you're using the latest Windows SDK. The Windows SDK will have to be at least or greater than the version number of the hyper-v host.

Please let me know if it works better if you use the full path to the file.

[SchlesHammer]

Thanks for the reply!

Yep, I just double-checked the path. I am using the full path to the VMRS file. After the checkpoint was done, I copied the VMRS file from the hypervisor to our forensic workstation but I am using the full path to the VMRS file on our forensic workstation. That shouldn't affect anything, right?

As for the Windows SDK version, I believe I have the latest installed (Windows SDK 10.0.22621.2428). The Hyper-V host is version 10.0.2348, as is the version of the guest VM which I have the checkpoint. I feel like I am missing something here. Haha.

Thanks in advance!

[ufrisk]

You can try to add additional command-line options -v -vv to see if you get some more verbose message.

If this is not working I'm afraid I can't do much more without having access to the problematic VMRS file. If you'd be able to share it, it would be nice. But I totally understand if this is not possible.

[SchlesHammer]

Unfortunately I don't get anything additional with those options included and I can't send the VMRS file in this instance. In the future, I will try to get a test system with this same issue sent to you if I don't sort this out by then. Thanks again for your assistance!

[ufrisk]

Hi, nothing much to do about this. If you should come across this issue in a system which you're able to share the memory dump from I'd be very interested to take a look.

For now I'm closing this issue since there is no way I can know whether it's a real issue or if its some kind of user error (wrong type of checkpoint, etc). and I cannot replicate this issue.