
Advanced Windows Memory Dump Analysis with Data Structures, Third Edition by Dmitry Vostokov, Software Diagnostics Services


Selected Q&A


Q. In the case where there is a large number of RDP sessions, do we have one session per RDP connection?


A. Yes, and the same holds for Citrix terminal services (ICA connections).


Q. Is there a difference between .process /r /p and !process 3f?


A. Yes. The former command makes the given process the current process context, whereas the latter merely lists the process's threads and their stack traces.


Q. Is there any way to get the data of specific registry keys or values from the hive? Let's say I needed to know what was stored in HKCU\Control Panel\Desktop\Wallpaper; how would I find that?


A. I propose a simple memory search of the dump, based on the fact that registry hive pages are mapped into memory. For example, we can search mapped views for Desktop ...
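As an added illustration of this search approach (example code, not the book's own), the Python below scans a constructed byte buffer standing in for a mapped hive page. It looks for a name in both forms a hive can store it (1-byte Latin-1 "compressed" names and UTF-16LE), since a search in only one encoding misses names stored in the other, and then decodes the NUL-terminated UTF-16LE REG_SZ data found after the hit. The sample bytes, cell layout and wallpaper path are all constructed.

```python
from __future__ import annotations
import re

# Constructed stand-in for a hive page in a memory image: filler, a key-node
# name stored as 1-byte Latin-1 text (the hive's "compressed" name form), a
# value name stored as UTF-16LE, and REG_SZ value data (NUL-terminated UTF-16LE).
# The byte layout is illustrative only, not the real hive cell format.
WALLPAPER_PATH = r"C:\Users\Public\Pictures\sample.jpg"          # constructed value
IMAGE = (
    b"\x00" * 16
    + b"nk" + b"\x00" * 6 + b"Desktop"                         # compressed key name
    + b"\xff" * 10
    + b"vk" + b"\x00" * 6 + "Wallpaper".encode("utf-16-le")    # UTF-16LE value name
    + b"\xee" * 10
    + (WALLPAPER_PATH + "\x00").encode("utf-16-le")            # REG_SZ data
    + b"\x00" * 16
)

def find_name(image: bytes, name: str) -> list[tuple[int, str]]:
    """Return (offset, encoding) for every place `name` occurs as Latin-1
    or as UTF-16LE text. Searching both covers the two ways hive cells
    store key and value names."""
    hits = []
    for enc in ("latin-1", "utf-16-le"):
        needle = re.escape(name.encode(enc))
        hits += [(m.start(), enc) for m in re.finditer(needle, image)]
    return sorted(hits)

def read_reg_sz(image: bytes, offset: int, limit: int = 1024) -> str:
    """Decode a NUL-terminated UTF-16LE string (REG_SZ layout) at `offset`,
    stopping at the first 2-byte-aligned NUL pair so an odd stray 0x00 byte
    inside a code unit does not end the string early."""
    out = bytearray()
    for pos in range(offset, min(len(image), offset + limit) - 1, 2):
        unit = image[pos:pos + 2]
        if unit == b"\x00\x00":
            break
        out += unit
    return out.decode("utf-16-le")

def find_reg_sz_after(image: bytes, offset: int, text_hint: str) -> str | None:
    """Scan forward from `offset` for UTF-16LE data starting with `text_hint`
    (e.g. a drive prefix) and return the whole REG_SZ string, or None."""
    hits = [o for o, enc in find_name(image[offset:], text_hint) if enc == "utf-16-le"]
    return read_reg_sz(image, offset + hits[0]) if hits else None

if __name__ == "__main__":
    for off, enc in find_name(IMAGE, "Wallpaper"):
        print(f"Wallpaper name at 0x{off:x} ({enc}):", find_reg_sz_after(IMAGE, off, "C:\\"))
```

In a real dump the value-name cell and the data cell are separate and linked by an offset, so the forward scan here is a heuristic for locating nearby string data, not a hive parser.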
