#Process Dumping with Strings2


hexed sky
#

When something weird happens, try running the same code in a fresh session.
Sometimes you can run into bugs, like changing a variable from $stuff to $stuff2.
If code accidentally references $stuff, you might not get an error because it's not null.

That all of a sudden pcasvc doesn't dump correctly anymore,
if you run it in a new session, are you getting errors?

## A couple of notes:

  • Some processes and services are not enumerable if you're not admin
  • Check for $errors. Sometimes they don't print all the info
> $error | fl *  -Force

One thing that stood out is this line

$explorerPID = (Get-Process explorer).Id

It can return $null, a single number, or an array of numbers.
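The three-way result of `(Get-Process explorer).Id` is easy to handle once it is forced into an array. This is an added example, not code from the thread: the `Get-ProcessIds` function and the `explorer` target are assumptions, and the last lines show the `$Error | fl * -Force` check from the notes above applied to whatever `Get-Process` swallowed.

```powershell
# Added example (not from the thread): normalise Get-Process output so the
# caller never has to care whether it got $null, one PID or many PIDs.
function Get-ProcessIds {
    param([Parameter(Mandatory)][string]$Name)

    # @() forces an array: $null becomes an empty array, a single process
    # becomes a one-element array, several processes stay an array.
    # -ErrorAction SilentlyContinue stops a missing process from terminating
    # the script, but the error is still recorded in $Error for later review.
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    return @($procs | ForEach-Object { $_.Id })
}

# Wrap the call in @() as well: a function that outputs nothing assigns $null.
$explorerPIDs = @(Get-ProcessIds -Name 'explorer')

switch ($explorerPIDs.Count) {
    0       { Write-Warning 'No explorer process visible (not running, or not enumerable without admin)' }
    1       { "Single explorer PID: $($explorerPIDs[0])" }
    default { "Multiple explorer PIDs: $($explorerPIDs -join ', ')" }
}

# Anything Get-Process swallowed is still in $Error; -Force shows the full record
if ($Error.Count -gt 0) {
    $Error[0] | Format-List * -Force
}
```

The `@()` wrapper is the important part: without it, `$explorerPIDs.Count` is `1` for a single process and `$explorerPIDs[0]` on a scalar PID returns the PID itself, so a script can look correct until a second instance of the process appears.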

#

How slow is it? One potential issue is the loop

$getPids = ...
foreach ($entry in $processList.GetEnumerator()) { 
      $pidValue = $entry.Value
}

By the time you reach a process in the foreach loop, that specific PID might not be running anymore.

#

Oh wait, I missed the obvious.
You're creating a new file every loop, truncating the previous results.

You can use Add-Content or Out-File -Append instead.

Note: Out-File applies formatting.
Add-Content will print raw strings, bypassing formatting, so I default to Set-Content and Add-Content.

foreach($x in 0..10) {
    # the pipe has to end the line; a line starting with '|' is only accepted by PowerShell 7+
    # Add-Content takes -Path (Out-File is the one with -FilePath)
    & "C:\temp\dump\strings2.exe" -a -pid $pidVal |
        Add-Content -Path "$dumpPath\$processName.txt" -Encoding UTF8
}
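Putting the three points from this thread together (PIDs can be null, one or many; a PID can exit before the loop reaches it; the output file must be appended to, not recreated), here is an added example of a complete dump loop. It is not code from the thread: the strings2.exe path, the output directory, the target process names and the `-a -pid` switches are taken from the messages above or assumed.

```powershell
# Added example (not from the thread). Assumed paths and targets:
$strings2 = 'C:\temp\dump\strings2.exe'   # assumed location of strings2.exe
$dumpPath = 'C:\temp\dump\out'            # assumed output directory
$targets  = @('explorer', 'pcasvc')       # constructed list of process names

New-Item -ItemType Directory -Path $dumpPath -Force | Out-Null

foreach ($processName in $targets) {
    # Snapshot the PIDs first; @() guards against $null / scalar / array.
    $pids = @(Get-Process -Name $processName -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Id })
    if ($pids.Count -eq 0) {
        Write-Warning "$processName`: no visible process (not running, or needs admin)"
        continue
    }

    $outFile = Join-Path $dumpPath "$processName.txt"
    # Set-Content truncates exactly once per process name, outside the PID loop;
    # everything inside the loop appends with Add-Content.
    Set-Content -Path $outFile -Encoding UTF8 `
        -Value "# strings2 dump of $processName at $(Get-Date -Format o)"

    # $pidValue rather than $pid: $PID is the automatic variable for this shell's own PID
    foreach ($pidValue in $pids) {
        # The process may have exited between the snapshot and this iteration.
        if (-not (Get-Process -Id $pidValue -ErrorAction SilentlyContinue)) {
            Write-Warning "$processName PID $pidValue exited before it could be dumped"
            continue
        }
        Add-Content -Path $outFile -Value "## PID $pidValue" -Encoding UTF8
        & $strings2 -a -pid $pidValue |
            Add-Content -Path $outFile -Encoding UTF8
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "strings2 returned exit code $LASTEXITCODE for PID $pidValue (access denied?)"
        }
    }
}

# Review whatever was silenced along the way, with the full error records
if ($Error.Count -gt 0) {
    $Error | Select-Object -First 3 | Format-List * -Force
}
```

Set-Content before the inner loop and Add-Content inside it is what keeps multiple instances of the same process name (several explorer.exe, for example) in one file without the truncation the thread describes; checking `Get-Process -Id` just before calling strings2 turns the race from a confusing strings2 error into an explicit warning.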