
Volatility Plugins "cmdscan" and "Consoles" don't work for Windows 10 Memory

Open lapchapkok opened this issue 4 years ago • 4 comments

Hi, I am analyzing a Windows 10 memory dump using "Win10x64_17763" and noticed that some of the Volatility plugins, such as cmdscan and consoles, don't work for Windows 10. Wondering if there is any other way to extract the commands that were run on the command prompt from a Windows 10 memory dump.

Thanks in Advance.

lapchapkok May 27 '20 04:05

Wondering if anyone can advise on the above issue?

lapchapkok Jun 01 '20 01:06

Hi, I am facing the same issue with profiles Win10x64_14393 and Win2016x64_14393 for both modules cmdscan and consoles. The output is empty.

Also I was wondering: in the docs for module cmdscan it says:

The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands...

So would this module even work for Win10 though?

stefanw138 Jun 14 '20 11:06

These plugins need updating for Windows 8 and Windows 10. We plan to address this when the related research is completed.

atcuno Jul 08 '20 16:07

Did anyone address the issue?

frankwxu Sep 20 '20 02:09