3

How to get Complete Memory Dump using C#.NET?

3
  • By "complete memory dump" do you mean all the memory of the current process, all the memory of the processes being run by the current user, all the memory of all processes on the system, or all memory including kernel memory? Commented Apr 18, 2012 at 6:22
  • I have tried using the dbhelp.dll writeminidump function; it is, however, for mini dumps, not the complete dump. I could not find another writeCompletexxxxx like so. As Adam has asked, "by "complete memory dump" do you mean all the memory of the current process, all the memory of the processes being run by the current user, all the memory of all processes on the system, or all memory including kernel memory?" Yes, I need the exact "all the memory of all processes on the system + all memory including kernel memory". Commented Apr 18, 2012 at 6:42
  • It is a completely meaningless operation, RAM only contains some of the pages of a process in a completely random order. Constantly changing too at a pretty high rate when programs execute. Nor is there any way for user mode programs to directly access RAM. Commented Apr 18, 2012 at 9:20

2 Answers

3

The only safe way to do it is to cause a bluescreen and have Windows get the dump itself. Causing a bluescreen happens through the KeBugCheckEx kernel function, and you need a custom-built device driver to call it programmatically. Or you can use the CrashOnCtrlScroll registry trick and trigger it yourself.

Or you can connect a kernel debugger to the system using two computers and trigger a memory dump using the .crash debugger command.

There are methods like LiveKD from SysInternals to do partial kernel inspection on the same computer but they are not "accurate" because memory changes continuously. It's impossible to get a healthy dump using those methods.

Doing all of this using C# is pointless.
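As an added example (not part of the original answer), this C# program prepares a machine for the CrashOnCtrlScroll approach described above, so that Windows itself writes the complete dump. The registry paths and values are the ones Microsoft documents for keyboard-initiated crashes and crash dump type; the class name `CompleteDumpSetup` is hypothetical.

```csharp
// Added example: configure Windows to write a complete memory dump and
// enable the keyboard-triggered bugcheck. Run elevated; reboot afterwards.
using System;
using System.Security.Principal;
using Microsoft.Win32;

static class CompleteDumpSetup   // hypothetical name
{
    const string CrashControl = @"SYSTEM\CurrentControlSet\Control\CrashControl";
    // Keyboard drivers that honour CrashOnCtrlScroll: PS/2 and USB.
    static readonly string[] KeyboardServices = { "i8042prt", "kbdhid" };

    static void SetDword(string subKey, string name, int value)
    {
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(subKey))
        {
            key.SetValue(name, value, RegistryValueKind.DWord);
            // Read the value back so the operator sees what is actually stored.
            Console.WriteLine(@"HKLM\{0}\{1} = {2}", subKey, name, key.GetValue(name));
        }
    }

    static int Main()
    {
        var identity = WindowsIdentity.GetCurrent();
        if (!new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.Error.WriteLine("Run elevated: these values live under HKLM.");
            return 1;
        }

        // CrashDumpEnabled: 1 = complete memory dump (2 = kernel, 3 = small).
        SetDword(CrashControl, "CrashDumpEnabled", 1);

        foreach (string service in KeyboardServices)
        {
            SetDword(@"SYSTEM\CurrentControlSet\Services\" + service + @"\Parameters",
                     "CrashOnCtrlScroll", 1);
        }

        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(CrashControl))
        {
            // DumpFile is where Windows writes the dump after the bugcheck.
            Console.WriteLine("Dump file: {0}", key.GetValue("DumpFile", "(default)"));
        }
        Console.WriteLine("Reboot, then hold right CTRL and press SCROLL LOCK twice.");
        return 0;
    }
}
```

A complete dump also needs a page file on the boot volume large enough to hold physical memory, and the resulting file contains every secret that was in RAM, so store and transfer it accordingly.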


0

With MiniDumpWriteDump you can get a full process dump by specifying DumpType as MiniDumpWithFullMemory.

You might try to get this for all processes in the system by getting a list of process handles and iterating over that with MiniDumpWriteDump. I do not know if you will have security related issues.

As for getting a kernel memory dump from a user mode process, as far as I know, this should not be possible.

3 Comments

Thanks, I tried the above before, but with writing to separate dumps I need them all at once. Is there an easy way to merge all these together in one dump?
What are you trying to accomplish?
I need the exact "all the memory of all processes on the system + all memory including kernel memory"
