Is it possible to inspect the kernel memory? How? #2591

Closed Answered by dmex

Unknown78 asked this question in Questions / Answers

Unknown78
Jun 8, 2025

I've run it as admin. Is there any more steps?

Answered by dmex

It's a minimal process without any user-mode address space, and can't be accessed like other user-mode processes:
https://github.com/user-attachments/assets/71281031-a895-420e-b951-b2d9550255b6

You can find more information in the Windows Internals book:
https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals

Is it possible to inspect the kernel memory?

LiveKD:
https://learn.microsoft.com/en-us/sysinternals/downloads/livekd

Live kernel dump:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/task-manager-live-dump#create-a-live-kernel-memory-dump-of-the-system-using-task-manager

View full answer

Replies: 1 comment 1 reply

dmex
Jun 9, 2025

It's a minimal process without any user-mode address space, and can't be accessed like other user-mode processes:
https://github.com/user-attachments/assets/71281031-a895-420e-b951-b2d9550255b6

You can find more information in the Windows Internals book:
https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals

Is it possible to inspect the kernel memory?

LiveKD:
https://learn.microsoft.com/en-us/sysinternals/downloads/livekd

Live kernel dump:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/task-manager-live-dump#create-a-live-kernel-memory-dump-of-the-system-using-task-manager

1 reply

Unknown78 Jun 9, 2025
Author

@dmex Is it possible to inspect and alter it in real-time?

Answer selected by dmex

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment