What would be the simplest and most portable way (in the sense of only having to copy a few files to the target machine, like procdump is) to generate a kernel dump that has handle information?

procdump has the -mk option which generates a limited dump file pertaining to the specified process. It is reported in WinDbg as: Mini Kernel Dump File: Only registers and stack trace are available. Most of the commands I try (!handle, !process 0 0) fail to read the data.

Seems that officially, windbg and kd would generate dumps (which would require kernel debugging).

A weird solution I found is using livekd with -ml: Generate live dump using native support (Windows 8.1 and above only). livekd still looks for kd.exe, but does not use it :) so I can trick it with an empty file, and it does not require kernel debugging. Any idea how that works?

vuplea
  • That livekd thing is probably a bug: since it will use `kd` usually, it probably checks the presence at startup, even if not needed when using `-ml`. – Thomas Weller Apr 24 '20 at 18:28
  • As snoone answered it uses undocumented API [here is a link to some bin and src](https://crashdmp.wordpress.com/2014/08/04/livedump-1-0-is-available) – blabb Apr 24 '20 at 21:13

1 Answer

LiveKD uses the undocumented NtSystemDebugControl API to capture the memory dump. While you can easily find information about that API online the easiest thing to do is just use LiveKD.

snoone
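As an added illustration of the workflow discussed in the question and answer (this is not code from the original post, from Sysinternals, or from the linked project), the PowerShell script below captures a native live kernel dump with LiveKD's -ml switch and then checks, offline, whether handle information is readable from it. It assumes an elevated prompt on Windows 8.1 or later, a folder containing livekd.exe, and a Debugging Tools for Windows installation providing kd.exe; the paths, the placeholder-kd trick from the question, and the symbol-path value are assumptions for this example. LiveKD's -o switch (output dump file) and kd's -z (open crash dump), -y (symbol path) and -c (initial command) are real options; everything else is constructed here.

```powershell
# Added example: capture a live kernel dump with LiveKD -ml and verify that
# !handle can read it. Run from an elevated PowerShell prompt.
# Assumed paths (edit for your machine):
$LiveKdDir  = 'C:\Tools\Sysinternals'                                  # assumption
$DbgDir     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'   # assumption
$DumpPath   = Join-Path $env:TEMP 'live-kernel.dmp'                    # assumption
$SymbolPath = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols'

function Assert-Elevated {
    # Native live dumps require SeDebugPrivilege, so refuse early if not elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated prompt.'
    }
}

function Ensure-KdPlaceholder {
    # The question reports that livekd -ml looks for kd.exe but does not use it.
    # If no kd.exe is on PATH or beside livekd.exe, drop an empty placeholder
    # next to livekd.exe so the presence check passes (the trick from the post).
    $local = Join-Path $LiveKdDir 'kd.exe'
    if (-not (Get-Command kd.exe -ErrorAction SilentlyContinue) -and -not (Test-Path $local)) {
        New-Item -ItemType File -Path $local | Out-Null
        Write-Host "Created empty placeholder $local"
    }
}

function New-LiveKernelDump {
    param([string]$OutFile)
    # -ml : native live-dump support (Windows 8.1+), no kernel debugger needed
    # -o  : write the dump to this file instead of launching a debugger
    $exe = Join-Path $LiveKdDir 'livekd.exe'
    & $exe -accepteula -ml -o $OutFile
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $OutFile)) {
        throw "livekd did not produce $OutFile (exit code $LASTEXITCODE)"
    }
    Get-Item $OutFile
}

function Test-DumpHasHandles {
    param([string]$DumpFile)
    # Open the dump with the real kd.exe from the Debugging Tools, run !handle
    # for the System process (PID 4) and quit. A dump that carries handle
    # tables prints handle entries; a mini kernel dump prints an error instead.
    $kd  = Join-Path $DbgDir 'kd.exe'
    $out = & $kd -z $DumpFile -y $SymbolPath -c '!handle 0 0 4; q' 2>&1 | Out-String
    $ok  = ($out -match 'Handle table at') -or ($out -match 'Object:\s+[0-9a-f]+')
    [pscustomobject]@{ Dump = $DumpFile; HandlesReadable = $ok; Output = $out }
}

Assert-Elevated
Ensure-KdPlaceholder
$dump = New-LiveKernelDump -OutFile $DumpPath
Write-Host ("Dump written: {0} ({1:N0} MB)" -f $dump.FullName, ($dump.Length / 1MB))
$result = Test-DumpHasHandles -DumpFile $dump.FullName
Write-Host "Handle information readable: $($result.HandlesReadable)"
```

The only files that have to travel to the target machine are livekd.exe (plus the placeholder kd.exe if nothing else provides one); the analysis half with the real kd.exe and symbols can run on an analyst workstation afterwards, which keeps the capture side as portable as the procdump approach in the question.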