Latest commit

* Add files via upload

* Delete pci.c

* Delete pci.h

* Delete pte_mmap_windows.c

* Delete pte_mmap_windows.h

* Delete betatest.txt

* Rename CHANGELOG.txt to

* version 3.0.1, sorry for screwing tabs & spaces

* Sorry for screwing the tabs and spaces. Common consent seems to be spaces nowadays, so everything is spaces now. All files end with a line end.
* Important fixing of several logical checks (some of them leading to a sort of overprotection that disabled methods in Winpmem for no reason). More safeguarding against obvious input mistakes (such as handing over 0 addresses) when using ioctl codes programmatically. This was done after it happened to myself a few times when testing. 
* More sanity checking when trying to restore the rogue pte page. 
* This is almost a total rewrite. My former idea to increase version number to just 2.0.2 is ridiculous. It's 3.0.1 now, and considered an early **alpha** version that might still have bugs. Make no mistake, stability and reliability were significantly increased over the old version.

* update changelog

* update version info

* update version info

* Fix spelling

* bugfixes and large pages for reverse query

* important bugfixes
* large page support added in PTE parsing for reverse query.

* more updates

* minor spelling

* remove duplicate variant2

* Linux x64 Linpmem version, initial

Early version, really please report errors or feature enhancements.

* minor updates

* update and

* correct old readme

* Update

* Minor docs update

* secure boot / signing driver

* Update

* Delete LinPmem directory

Delete Linpmem because it was moved to its own repo (

* Add Linpmem hint.

Add the Linux version hint.

The WinPmem memory acquisition driver and userspace.

WinPmem has been the default open source memory acquisition driver for Windows for a long time. It used to live in the Rekall project, but has recently been separated into its own repository.

This is the Windows version. The Linux version, Linpmem, is at:

This code was originally developed within Google but was released under the Apache License.


WinPmem is a physical memory acquisition tool with the following features:

  • Open source

  • Support for Win7 - Win10, x86 + x64. The WDK7600 might be used to include WinXP support. By default, the provided WinPmem executables are compiled with WDK10, supporting Win7 - Win10 and featuring more modern code.

  • Three independent reading methods, with two methods to create a complete memory dump. One method should always work even when faced with kernel mode rootkits.

  • Raw memory dump image support.

  • A read device interface is used instead of writing the image from the kernel, as some other imagers do. This allows a complex userspace imager (e.g. copy across the network, hash, etc.), as well as running analysis on the live system (e.g. analysis can be run directly on the device).
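
An added illustration of the read-device design described in the last bullet (not code from the WinPmem project): a userspace imager that copies memory runs from any seekable file-like object, zero-fills gaps and unreadable pages, and hashes the image while writing it. The names `image_runs`, `FakeDevice` and `demo`, the run list, and the zero-fill layout are assumptions of this example; the real device name and how the driver reports memory ranges are not shown on this page.

```python
import hashlib
import io

PAGE_SIZE = 0x1000  # reads can fail per 4 KiB page


def image_runs(device, out, runs):
    """Copy (start, length) byte runs from `device` into a RAW image on `out`.

    Gaps between runs and unreadable pages are zero-filled so file offsets
    stay aligned. Returns (sha256_hex, bytes_written, bad_page_addresses).
    """
    digest, written, bad_pages = hashlib.sha256(), 0, []

    def emit(data):
        nonlocal written
        out.write(data)
        digest.update(data)  # hash exactly what lands in the image
        written += len(data)

    for start, length in runs:
        if start < written or start % PAGE_SIZE or length % PAGE_SIZE:
            raise ValueError(f"unordered or unaligned run {start:#x}+{length:#x}")
        while written < start:  # pad the gap in bounded chunks
            emit(bytes(min(start - written, 1 << 20)))
        for addr in range(start, start + length, PAGE_SIZE):
            try:
                device.seek(addr)
                page = device.read(PAGE_SIZE)
            except OSError:
                page = b""
            if len(page) != PAGE_SIZE:  # failed or short read
                bad_pages.append(addr)
                page = bytes(PAGE_SIZE)
            emit(page)
    return digest.hexdigest(), written, bad_pages


class FakeDevice(io.BytesIO):
    """Constructed stand-in for the read device; one page refuses to read."""
    bad_addr = 0x3000

    def read(self, size=-1):
        if self.tell() == self.bad_addr:
            raise OSError("page not readable")
        return super().read(size)


def demo():
    ram = bytes(range(256)) * 64  # constructed 16 KiB of "physical memory"
    out = io.BytesIO()
    result = image_runs(FakeDevice(ram), out, [(0x0, 0x1000), (0x2000, 0x2000)])
    return result, out.getvalue(), ram
```

Recording the returned list of zero-filled page addresses next to the hash lets an analyst tell acquisition failures apart from memory that really contained zeros.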

The files in this directory (including the WinPmem sources and signed binaries) are available under the following license: Apache License, Version 2.0

How to use

There are two WinPmem executables: winpmem_mini_x86.exe and winpmem_mini_x64.exe. Both versions contain both drivers (32 and 64 bit versions).

The "mini" in the binary name refers to this imager being a plain, simple imager: it can only produce images in RAW format. In the past we released a WinPmem imager based on AFF4, but that one is yet to be updated to the new driver. Please let us know if you need the AFF4-based imager.

The Python acquisition tool

The Python program is currently under construction but works as a demonstration of how one can use the imager from Python.

winpmem_mini_x64.exe (standalone executable)

This program is easiest to use for incident response since it requires no other dependencies than the executable itself. The program will load the correct driver (32 bit or 64 bit) automatically and is self-contained.


winpmem_mini_x64.exe physmem.raw

Writes a raw image to physmem.raw using the default method of acquisition.


Invokes the usage print / short manual.

To acquire a raw image using specifically the MmMapIoSpace method:

winpmem.exe -1 myimage.raw

The driver will be automatically unloaded after the image is acquired!

Experimental write support

The WinPmem source code supports writing to memory as well as reading. This capability is a great learning tool since many rootkit hiding techniques can be emulated by writing to memory directly.

This functionality should be used with extreme caution!

NOTE: Since this is a rather dangerous capability, the signed binary drivers have write support disabled. You can rebuild the drivers to produce test-signed binaries if you want to use this feature. The unsigned binaries (really self-signed with a test certificate) cannot load on a regular system because they are only test self-signed, but you can allow the unsigned drivers to be loaded on a test system by issuing (see

Bcdedit.exe -set TESTSIGNING ON

and reboot. You will see a small "Test Mode" text on the desktop to remind you that this machine is configured for test signed drivers.

Additionally, write support must also be enabled at load time:

winpmem.exe -w -l

This will load the drivers and turn on write support.


Winpmem, as well as Linpmem, would not exist without the work of our predecessors of the (now retired) REKALL project:

This project would also not be possible without support from the wider DFIR community:

  • We would like to thank Emre Tinaztepe and Mehmet GÖKSU at Binalyze.

Our open source contributors:

  • Viviane Zwanger
  • Mike Cohen