Hi,
Does anyone know of a program or can produce code which can dump the
contents of the RAM into a file?
Here is the situation, I am a Helpdesk tech and frequently receive
requests to resurrect files or versions of files where users have
closed them without saving them. It would be nice say if the info is
still in the RAM somewhere. I know I could look in the pagefile.sys,
but looking in the contents of the RAM would be good too.
Is this a wild goose chase, or could unsaved but now closed info still
hang out in the RAM? So if all the RAM is written to a file, at least
some text could be recoverable.
I also know about looking for tmp files and asd and wbk files for word
and similar issues. I also know about looking for deleted tmp and doc
files etc if the unsaved file was from Word. I use Disk Investigator
and PC File Inspector Freeware.
By the way I'm new to this but have the gall to have my own website on
this and similar issues at www.s2services.com. I have a regular job
now so mostly help people for free.

Clarification of Question by socr2-ga on 24 Feb 2004 13:42 PST
I know there is a Microsoft sanctioned registry hack which can give
you an option of causing a blue screen on command with the right Ctl
Key and the Scroll Lock Buttons twice. However changing the registry
here necessitates a reboot and also the default BSOD is a small dump
so my original title is misleading. What I really need is to view the
contents of the RAM, in case an unsaved file is hanging out there even
after it is closed if that is possible.

Request for Question Clarification by hailstorm-ga on 03 Mar 2004 16:39 PST
socr2,
I have found a kernel-mode driver that I know works with Windows NT
4.0 and Windows 2000 that can be used to force the BSoD that generates
a memory dump. I will post this as an answer if this information is
acceptable.

Request for Question Clarification by hailstorm-ga on 03 Mar 2004 16:46 PST
I have also found an executable that can display live memory dumps,
including internal kernel memory regions.

Clarification of Question by socr2-ga on 04 Mar 2004 20:23 PST
Both driver and executable are acceptable along with an explanation on
how to use them. It is difficult to find an executable that will cause
BSofD. A generalized posting for those who are interested in it for
other reasons, might be worthwhile. Also if you comment on whether my
theory is a possibility (recently closed documents remaining in the
memory).
Thanks for your efforts.