
Netscan return PID -1 for Established/Close_Wait/Close connections • WinServer2008R2SP1x64

Open sahar55 opened this issue 8 years ago • 8 comments

Hello, just as the title says, I am using netscan on a memory dump I did, and all of the established/close_wait and some of the closed connections are returning PID -1. I've tried different profiles and that doesn't seem to help. Any suggestion? (vol 2.6)

sahar55 avatar Feb 17 '17 01:02 sahar55

Hello...was Win2008R2SP1x64_23418 among the different profiles you tried?

iMHLv2 avatar Apr 08 '17 01:04 iMHLv2

Having the same issue with a Win7 memory image. I have tried the following profiles, all with the same result: Win7SP1x86_23418, Win7SP1x86, Win7SP0x86

PC captured is Windows 7 SP1 (32-bit) with updates. Memory image captured with DumpIt (showed Windows version 6.1.7601).
Volatility 2.6, git clone today.
Python 2.7.13 on Kali Linux: kali 4.9.0-kali3-amd64 #1 SMP Debian 4.9.18-1kali1 (2017-04-04) x86_64 GNU/Linux

Is there any way to get other info from the offset shown by netscan (as a workaround)?

dougkite avatar Apr 21 '17 14:04 dougkite

Having the same issue with Win7x86 memory image.

pendragon41 avatar Apr 26 '17 13:04 pendragon41

Did you find a solution for this issue?

ruben03 avatar Jan 02 '19 18:01 ruben03

Sadly, no.

sahar55 avatar Jan 13 '19 15:01 sahar55

Having literally the same problem. It would be fantastic to find a solution to this.

macmento avatar Feb 03 '21 20:02 macmento

Can we please get a solution for this?

r0cksec avatar Feb 03 '21 21:02 r0cksec

Same issue on my side. I found a workaround with yarascan which didn't work for me:

https://soji256.medium.com/how-to-search-for-unknown-process-id-in-volatilitys-netscan-39e16fcdaa9a

The image is based on Win2008 OS, and I have used both Volatility 2.6 and 3.1 with the netscan module, with the same result. I have used the following profiles in 2.6 (determined by imageinfo): Win2008SP2x64, VistaSP2x64, VistaSP1x64, Win2008SP1x64

toshiro92 avatar Mar 01 '21 14:03 toshiro92
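A small triage helper for the behaviour reported in this thread, added here as an example; it is not code from the Volatility project or from any of the posters. It parses the text table that Volatility 2's netscan prints, lists the entries whose PID came back as -1 together with their physical offsets (so the analyst has the offsets at hand for follow-up with other plugins, as asked above), and cross-checks the PIDs that did resolve against a set of PIDs taken from pslist, so connections whose owner has already exited are separated from connections whose owner was never resolved. The sample netscan rows and the pslist PID set are constructed for this example, not taken from any of the dumps discussed in the thread, and the column layout is assumed to be the one netscan prints in 2.6.

```python
import re
from collections import Counter

# Constructed sample of Volatility 2 netscan output (assumed column layout;
# not output from any of the memory images mentioned in the issue).
SAMPLE_NETSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0d3c70         TCPv4    10.0.2.15:49162                203.0.113.10:443     ESTABLISHED      -1
0x3e1b2a90         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        708      svchost.exe
0x3e2c4f10         TCPv4    10.0.2.15:49170                203.0.113.20:80      CLOSE_WAIT       -1
0x3e3fa120         UDPv4    0.0.0.0:5355                   *:*                                   1044     svchost.exe    2017-02-16 22:10:44 UTC+0000
0x3e4a0b60         TCPv4    10.0.2.15:49180                203.0.113.30:443     CLOSED           2316     iexplore.exe
"""

# Constructed set of PIDs as they would be collected from a pslist run.
SAMPLE_PSLIST_PIDS = {4, 708, 1044}

# One netscan row: offset, protocol, local and foreign endpoints, an optional
# state (UDP rows have none), the PID, an optional owner and an optional timestamp.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>-?\d+)"
    r"(?:\s+(?P<owner>\S+))?"
    r"(?:\s+(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?"
    r"\s*$"
)


def parse_netscan(text):
    """Turn netscan text output into a list of dicts; non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue  # banner, header, blank or malformed line
        row = match.groupdict()
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def unresolved_connections(rows):
    """Rows where netscan could not attribute the endpoint to a process (PID -1)."""
    return [r for r in rows if r["pid"] == -1]


def unresolved_state_summary(rows):
    """Count the unresolved rows per connection state (UDP rows report NONE)."""
    return Counter((r["state"] or "NONE") for r in unresolved_connections(rows))


def followup_offsets(rows):
    """Physical offsets of the unresolved rows, for use with other plugins."""
    return [r["offset"] for r in unresolved_connections(rows)]


def orphaned_connections(rows, pslist_pids):
    """Rows with a real PID that pslist no longer lists: the owner has exited."""
    return [r for r in rows if r["pid"] != -1 and r["pid"] not in pslist_pids]


if __name__ == "__main__":
    parsed = parse_netscan(SAMPLE_NETSCAN)
    print("unresolved by state:", dict(unresolved_state_summary(parsed)))
    print("offsets to follow up:", followup_offsets(parsed))
    for r in orphaned_connections(parsed, SAMPLE_PSLIST_PIDS):
        print("owner exited:", r["offset"], r["local"], "->", r["foreign"], r["pid"], r["owner"])
```

Run it against a saved netscan listing by reading the file into `parse_netscan` instead of `SAMPLE_NETSCAN`, and build the PID set from a pslist run of the same image; the split between "PID -1" rows and "PID present but not in pslist" rows is what keeps the two different situations apart when reviewing connections.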