@s3curityConsult: I don't think you missed it - pretty sure I never pointed that out. The buffers are pool memory in the kernel, so you need a kernel (2) or complete (1) dump. Kernel is the default up to Win8; the Win8 default is automatic, which is kernel or complete based on pagefile size. You want the c:\windows\memory.dmp file, not the c:\windows\minidump files.
posted by windev