Searching a Memory Dump

Have you heard the story of the tortoise and the hare. Well you could
be taking on the role of the hare.

Can you provide a complete copy of the Stop Error Report?

Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Keep pressing the
F8 key during StartUp and select option - Disable automatic restart on
system failure.

Do not re-enable automatic restart on system failure until you have
resolved the problem. Check for variants of the Stop Error message.

There will also be Error Reports in Event Viewer. Please post copies.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us

Part of the Description of the error will include a link, which you
should double click for further information. You can copy using copy
and paste. Often the link will, however, say there is no further
information.
http://go.microsoft.com/fw.link/events.asp
(Please note the hyperlink above is for illustration purposes only)

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window, which appears is a
button resembling two pages. Click the button and close Event Viewer.
Now start your message (email) and do a paste into the body of the
message. Make sure this is the first paste after exiting from Event
Viewer.



--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~



wiretap wrote:
> Hi =)
>
> I have a 2GB memory dump that I forced manually. I have to find
> specific information that was within an application at the time of
> the
> dump. I have no clue where it would be, or how to access it. I have
> the windows debug tool installed, and I am able to open the
> memory.dmp file in it. I'm a little confused as how to navigate
> around to find certain things. I tried to look in the help file, but
> it seems to want certain memory locations to be specified when you
> search memory. I don't know the location, but I know the
> application.
> Could anyone please point me in the right direction? If it helps,
> what I am searching for is 128 bits long, so 16 bytes, or 32
> hexadecimal characters. I cannot say what I am looking for, because
> this is for a private project I am working on at the moment.
>
> To sum things up..
> - dumped memory to .dmp file, opened it in windbg.exe
> - looking for specific string stored in RAM
> - just need help on how to do the search if I already know the
> application
>
> Thanks.
> wiretap

"wiretap" <hack.wiretap RemoveThis @gmail.com> wrote:

>Hi =)
>
>I have a 2GB memory dump that I forced manually. I have to find
>specific information that was within an application at the time of the
>dump. I have no clue where it would be, or how to access it. I have the
>windows debug tool installed, and I am able to open the memory.dmp file
>in it. I'm a little confused as how to navigate around to find certain
>things. I tried to look in the help file, but it seems to want certain
>memory locations to be specified when you search memory. I don't know
>the location, but I know the application. Could anyone please point me
>in the right direction? If it helps, what I am searching for is 128
>bits long, so 16 bytes, or 32 hexadecimal characters. I cannot say what
>I am looking for, because this is for a private project I am working on
>at the moment.
>
>To sum things up..
>- dumped memory to .dmp file, opened it in windbg.exe
>- looking for specific string stored in RAM
>- just need help on how to do the search if I already know the
>application
>

The PSTAT utility will give you the memory load addresses for
applications, device drivers, etc. That may help you to cut down on
the portion of the memory dump you need to search through.
Use PSTAT > C:\PSTAT.TXT to save the output as a text file, which may
be more useful.

Also have you tried the FIND utility in Windows XP (run it from a
command prompt. Use FIND /? to see the parameters and options)?

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca
Syberfix Remote Computer Repair

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."

Thank you. That was of much help. =)

**TOPIC CLOSED**

Ron Martell wrote:
> "wiretap" <hack.wiretap.RemoveThis@gmail.com> wrote:
>
> >Hi =)
> >
> >I have a 2GB memory dump that I forced manually. I have to find
> >specific information that was within an application at the time of the
> >dump. I have no clue where it would be, or how to access it. I have the
> >windows debug tool installed, and I am able to open the memory.dmp file
> >in it. I'm a little confused as how to navigate around to find certain
> >things. I tried to look in the help file, but it seems to want certain
> >memory locations to be specified when you search memory. I don't know
> >the location, but I know the application. Could anyone please point me
> >in the right direction? If it helps, what I am searching for is 128
> >bits long, so 16 bytes, or 32 hexadecimal characters. I cannot say what
> >I am looking for, because this is for a private project I am working on
> >at the moment.
> >
> >To sum things up..
> >- dumped memory to .dmp file, opened it in windbg.exe
> >- looking for specific string stored in RAM
> >- just need help on how to do the search if I already know the
> >application
> >
>
> The PSTAT utility will give you the memory load addresses for
> applications, device drivers, etc. That may help you to cut down on
> the portion of the memory dump you need to search through.
> Use PSTAT > C:\PSTAT.TXT to save the output as a text file, which may
> be more useful.
>
> Also have you tried the FIND utility in Windows XP (run it from a
> command prompt. Use FIND /? to see the parameters and options)?
>
> Good luck
>
> Ron Martell Duncan B.C. Canada
> --
> Microsoft MVP (1997 - 2006)
> On-Line Help Computer Service
> http://onlinehelp.bc.ca
> Syberfix Remote Computer Repair
>
> "Anyone who thinks that they are too small to make a difference
> has never been in bed with a mosquito."