Trying to crash a VM to get a kernel dump of a Windows 2003 Ent SP2 VM. I have the registry key set for CrashOnCtrlScroll. The RCTRL-SCRL-SCRL does not work. Anyone know how I can do this without using the Sysinternals 'NotMyFault' program?
Thanks
DK
Hello,
Another way is outlined in http://www.itworld.com/security/54258/more-thoughts-forensics
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/
Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Not much help I grant you but I have got this working in the past myself.
Jon
Thanks for the responses. I tried to use the settings in the MS article but it still does not work via console session or RDP. It's as if the VM does not recognize the key strokes R-Ctrl+Scrl_Scrl. The utilities work great. However, if the VM is hung or not responding due to 100% utilization of the vCPU then it becomes a challenge to run any program.
Texiwill's resource could be useful for forensics analysis, but I'm not sure if it could help with analyzing a Windows memory kernel dump. Haven't tried it, but I like the article because I wasn't aware you could kill a VM that way. Good resource.
Thanks,
DK
I just did a quick test and it does work for me when using a console connection from the VI Client. The environment specifics:
VI Client 2.5.0 build 119598 (update 3), VI client running on Vista SP1 64 bit
VM running on ESX3 build 123630 (update 3)
VM running W2K3 32-bit w/SP2 and all current patches as of today (and NOT the MS hotfix previously referenced), VI tools 3.5 build 110268, 2 CPUs, 256MB memory
It does not work under RDP, and there is a note in the MS article that says in order for it to work the keyboard IO must go through the i8042prt.sys or the Kbdhid.sys drivers, which I suspect is not the case for an RDP session.
We are not on U3 yet in prod but we can test it in our lab environment. I will see if it works there after we go to U3 and post results.
Thanks,
DK
Mystery solved... I am using a Dell laptop that had the Scroll Lock key mapped as the "Fn" key instead in the BIOS. An indication that the Scroll Lock key is not working correctly is to check the light on the keyboard to see if it lights up when pressed.
Changing that solved my issue.
Thanks All for your input.