RE: Flushing DLLs follow-up

From: DE VILLIERS IAN (ian.devilliers@bmw.co.za)
Date: 10/24/01


Message-ID: <4A8E2E6FBFC0D511B0590008C7336EA00E3D77@zaexc8.w9>
From: DE VILLIERS IAN <ian.devilliers@bmw.co.za>
To: "'fh@rcs.urz.tu-dresden.de'" <fh@rcs.urz.tu-dresden.de>
Subject: RE: Flushing DLLs follow-up
Date: Wed, 24 Oct 2001 09:13:14 +0200

The easiest way to do this is normally by using the Kill utility from the
Resource Kit and killing the Winlogon service. This requires administrative
rights, though.

Alternatively, the last time I did this, I used a bug in NT/Win2K posted on
Bugtraq (my apologies, I have forgotten who posted the article, but I assume
you can check it in the archives) for which there aren't fixes available yet
(to my knowledge). This involves opening a DOS box, entering a command and,
after entering the command, pressing F7 (to display the history) and Enter
in quick succession. This causes a memory dump no matter which user account
is logged on.

Hope this helps.

Regards,

Ian de Villiers

-----Original Message-----
From: Frank Heyne [mailto:fh@rcs.urz.tu-dresden.de]
Sent: 24 October 2001 08:56
To: DE VILLIERS IAN; 'forensics@securityfocus.com';
'focus-ms@securityfocus.com'
Subject: RE: Flushing DLLs follow-up

On 24 Oct 01, at 8:21, DE VILLIERS IAN wrote:

> I used a reasonably effective although probably unorthodox way of dumping
> the memory to disk - check that your crash recovery options dump the
> complete RAM to disk and cause a blue screen.

How do you cause a blue screen on a fully patched system? Is it possible
when you are logged on as a normal user or do you need to run under admin
account to do this?

Greetings

Frank Heyne
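The thread's method depends on the crash-recovery settings being right before the box is deliberately crashed: if CrashDumpEnabled is not set to a complete dump, or the boot-volume pagefile is too small, the blue screen produces no usable RAM image. The script below is an added example (not code from either correspondent) that audits those settings and, if wanted, switches them to a complete dump. It assumes a modern PowerShell session run as Administrator; the registry keys it reads are the CrashControl values Microsoft has documented since NT, and the CrashOnCtrlScroll value under i8042prt\Parameters is Microsoft's own supported way to force a bugcheck (0xE2, MANUALLY_INITIATED_CRASH) from a PS/2 keyboard after a reboot, which the thread does not mention. Both configuration steps require administrative rights, like the Kill approach.

```powershell
# Added example: audit and configure crash-dump settings before forcing a blue screen
# to capture RAM. Assumes an elevated PowerShell session. Not code from the thread.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$KbdParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'

function Get-CrashDumpConfig {
    # Reads the dump type, target file and reboot behaviour from CrashControl.
    $p = Get-ItemProperty -Path $CrashControl
    $mode = switch ($p.CrashDumpEnabled) {
        0       { 'None' }
        1       { 'Complete memory dump' }
        2       { 'Kernel memory dump' }
        3       { 'Small memory dump' }
        7       { 'Automatic memory dump' }
        default { "Unknown ($($p.CrashDumpEnabled))" }
    }
    [pscustomobject]@{
        Mode       = $mode
        DumpFile   = $p.DumpFile
        Overwrite  = [bool]$p.Overwrite
        AutoReboot = [bool]$p.AutoReboot
    }
}

function Test-PagefileForCompleteDump {
    # A complete dump is written into the pagefile on the boot volume first, so the
    # pagefile must hold all physical RAM plus header space (rule of thumb: RAM + 1 MB).
    $ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $sysDrv = $env:SystemDrive
    $pf     = Get-CimInstance Win32_PageFileSetting | Where-Object { $_.Name -like "$sysDrv*" }
    if (-not $pf) {
        Write-Warning "No explicitly sized pagefile on $sysDrv (system-managed); set a fixed size >= $($ramMB + 1) MB."
        return $false
    }
    $ok = $pf.MaximumSize -ge ($ramMB + 1)
    if (-not $ok) {
        Write-Warning "Pagefile on $sysDrv is $($pf.MaximumSize) MB; need at least $($ramMB + 1) MB for a complete dump."
    }
    return $ok
}

function Set-CompleteMemoryDump {
    # Complete dump, overwrite any previous file, and stay on the blue screen
    # (AutoReboot off) so the bugcheck code can be noted before the machine comes back.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name Overwrite        -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name AutoReboot       -Value 0 -Type DWord
}

function Enable-KeyboardCrash {
    # Microsoft-documented trigger: after a reboot, hold right CTRL and press SCROLL LOCK
    # twice on a PS/2 keyboard to bugcheck with 0xE2 (MANUALLY_INITIATED_CRASH).
    # USB keyboards are handled by a different driver and are not covered by this key.
    New-ItemProperty -Path $KbdParams -Name CrashOnCtrlScroll -Value 1 -PropertyType DWord -Force | Out-Null
}

# Usage: audit first, then change settings only if the audit shows they are wrong.
$cfg = Get-CrashDumpConfig
$cfg | Format-List
if ($cfg.Mode -ne 'Complete memory dump') {
    Write-Host 'Switching to a complete memory dump (takes effect at next boot).'
    Set-CompleteMemoryDump
}
[void](Test-PagefileForCompleteDump)
Enable-KeyboardCrash
Write-Host "Reboot, then hold right CTRL and press SCROLL LOCK twice; dump lands in $($cfg.DumpFile)."
```

The audit matters more than the trigger: whichever way the crash is induced, a kernel-only or small dump, or an undersized pagefile, silently discards the user-mode memory that a forensic examiner is usually after.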