Volatility plugins "cmdscan" and "consoles" don't work for Windows 10 memory
Hi, I am analyzing a Windows 10 memory dump using "Win10x64_17763" and noticed that some of the Volatility plugins, such as cmdscan and consoles, don't work for Windows 10. I am wondering if there is any other way to extract the commands that were run at the command prompt from a Windows 10 memory dump.
Thanks in advance.
Wondering if anyone can advise on the above issue?
Hi, I am facing the same issue with profiles Win10x64_14393 and Win2016x64_14393 for both modules cmdscan and consoles. The output is empty.
Also I was wondering: in the docs for module cmdscan it says:
The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands...
So would this module even work for Win10 though?
These plugins need updating for Windows 8 and Windows 10. We plan to address this when the related research is completed.
Did anyone address the issue?