how to get full memory dump of RAM using c#

Question

How to get Complete Memory Dump using C#.NET?

By "complete memory dump" do you mean all the memory of the current process, all the memory of the processes being run by the current user, all the memory of all processes on the system, or all memory including kernel memory? — Adam Mihalcin, Apr 18 '12 at 06:22
I have tried using the the dbhelp.dll writeminidump function, it is however for mini dumps not the the complete dump. i could not find another writeCompletexxxxx like so. As Adam has asked "complete memory dump" do you mean all the memory of the current process, all the memory of the processes being run by the current user, all the memory of all processes on the system, or all memory including kernel memory?" yes it i need the exact "all the memory of all processes on the system + all memory including kernel memory" — kuhajeyan, Apr 18 '12 at 06:42
It is a completely meaningless operation, RAM only contains *some* of the pages of a process in a completely random order. Constantly changing too at a pretty high rate when programs execute. Nor is there any way for user mode programs to directly access RAM. — Hans Passant, Apr 18 '12 at 09:20

score 3 · Accepted Answer · answered Apr 20 '12 at 12:14

The only safe way to do it is to cause a bluescreen and have Windows get the dump itself. Causing a bluescreen happens through KeBugCheckEx kernel function and you need a custom-built device driver to call it programmatically. Or you can use CrashOnCtrlScroll registry trick and trigger it yourself.

Or you can connect a kernel debugger to the system using two computers and trigger a memory dump using .crash debugger command.

There are methods like LiveKD from SysInternals to do partial kernel inspection on the same computer but they are not "accurate" because memory changes continuously. It's impossible to get a healthy dump using those methods.

Doing all these using C# is, pointless.

score 0 · Answer 2 · answered Apr 18 '12 at 08:41

0

With MiniDumpWriteDump you can get a full process dump by specifying DumpType as MiniDumpWithFullMemory.

You might try to get this for all processes in the system by getting a list of process handles and iterating over that with MiniDumpWriteDump. I do not know if you will have security related issues.

As for getting a kernel memory dump from a user mode process, as far as I know, this should not be possible.

answered Apr 18 '12 at 08:41

msam

4,259
3
19
32

thks i tried above before, but with writting to separate dump i need them all in once. is there an easy way merge all these together in one dump? – kuhajeyan Apr 18 '12 at 09:22
What are you trying to accomplish? – msam Apr 18 '12 at 09:54
i need the exact "all the memory of all processes on the system + all memory including kernel memory" – kuhajeyan Apr 18 '12 at 10:42

how to get full memory dump of RAM using c#

2 Answers2