Solved

Extract data from user.dmp?

Posted on 2003-11-01
Last Modified: 2010-04-13
I was using a TV capture application called WinTV from Hauppauge.
When you press the "capture" button in WinTV, a picture is saved in Windows memory. After that you can choose to save this file to the hard drive and delete the original from memory.
I had made some - well, a _lot_ - captures with this application when it suddenly crashed and I hadn't saved these captures to files on the hard drive.
When it crashed this DrWatson thing was run.
I now have a 73 MB user.dmp file in my DrWatson folder. I don't know the size of this file before the crash.
Now my hope is that there is a way to extract these pictures from the user.dmp.
Is there a way?
Question by:CVic
9 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9664929
Not that I am aware of but it would be interesting if someone knew how.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9664933
A lot of programs create tmp files; perhaps you could see if this one did.

Look in C:\Documents and Settings\YourProfile\Local Settings\Temp
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 9665558
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9665614
Try downloading this tool and check:


http://www.microsoft.com/whdc/ddk/debugging/default.mspx

S
0
 

Author Comment

by:CVic
ID: 9665864
First of all, when data is stored in system memory and the application that holds the data crashes, is all that data really dumped to USER.DMP? Or is only *information* about the crash appended to the file?

Is 73 MB a normal size of a USER.DMP file? Because there was a lot of picture data in system memory when WinTV crashed, like 100-150 pictures in 640x480 with no compression.

CrazyOne: I've checked for that, but no, there is no such tmp file. :-/

Stoner79: Doesn't look like this program can actually *view* the dump file? It can only check information about recent crashes, right? But as I said, maybe the data (pictures) that was stored in system memory actually wasn't dumped to the file... If so, there's nothing I can do but give up...

sunray_2003: Same here - I don't think this program can actually view any data from the file...?


Before WinTV crashed, my allocated memory was at around 800 000 kb; after it terminated it was at around 500 000 kb (yes, I have a lot of applications/windows open at the moment :-) ).
So the data was released from memory, or it was stored in USER.DMP...

Argh, I really want to get back those unsaved pictures :-( But it seems like they're gone forever...
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9665964
Unfortunately I think they are gone forever. It depends on how the system is set up to do a memory dump. It looks like yours is set up for a small memory dump based on the size of this file. If it was set up for a large memory dump then the entire contents of the memory would have been dumped and the file would be much larger than 73 MB. I've got to think that those captures were more than 73 MB.
0
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 10091155
PAQed - no points refunded (of 500)

PashaMod
Community Support Moderator
0
