Issues loading VMRS file (Hyper-V checkpoint) #262

Closed
SchlesHammer opened this issue Jan 24, 2024 · 5 comments

@SchlesHammer

When attempting to load in a VMRS file from a Hyper-V (standard) checkpoint, I am getting the error:
"DEVICE: FAILED: Hyper-V Saved State found - but not possible to open. Result 0x80070002 MemProcFS: Failed to connect to memory acquisition device."
The commands MemProcFS.exe -device [guid].VMRS and MemProcFS.exe -device hvsavedstate://[guid].VMRS have the same results. I have also tried with and without the 'vmsavedstatedumpprovider.dll' file from the Windows SDK in the root of MemProcFS.

@ufrisk
Owner

ufrisk commented Jan 24, 2024

The error code is ERROR_FILE_NOT_FOUND.

Are you specifying the whole path to the VMRS file?

Also, make sure you're using the latest Windows SDK. The Windows SDK version will have to be equal to or greater than the version number of the Hyper-V host.

Please let me know if it works better if you use the full path to the file.

@SchlesHammer
Author

Thanks for the reply!

Yep, I just double-checked the path. I am using the full path to the VMRS file. After the checkpoint was done, I copied the VMRS file from the hypervisor to our forensic workstation, but I am using the full path to the VMRS file on our forensic workstation. That shouldn't affect anything, right?

As for the Windows SDK version, I believe I have the latest installed (Windows SDK 10.0.22621.2428). The Hyper-V host is version 10.0.2348, as is the version of the guest VM for which I have the checkpoint. I feel like I am missing something here. Haha.

Thanks in advance!

@ufrisk
Owner

ufrisk commented Jan 25, 2024

You can try adding the additional command-line options -v -vv to see if you get a more verbose message.

If this is not working, I'm afraid I can't do much more without having access to the problematic VMRS file. If you'd be able to share it, it would be nice. But I totally understand if this is not possible.

@SchlesHammer
Author

Unfortunately, I don't get anything additional with those options included, and I can't send the VMRS file in this instance. In the future, I will try to get a test system with this same issue sent to you if I don't sort this out by then. Thanks again for your assistance!

@ufrisk
Owner

ufrisk commented Jan 31, 2024

Hi, nothing much to do about this. If you should come across this issue in a system which you're able to share the memory dump from, I'd be very interested to take a look.

For now I'm closing this issue since there is no way I can know whether it's a real issue or if it's some kind of user error (wrong type of checkpoint, etc.), and I cannot replicate this issue.

@ufrisk ufrisk closed this as completed Jan 31, 2024