EDR: Live Response - Error Getting Memdump: Remote Error HRESULT 0x8000ffff


Article ID: 287240


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Error message seen when trying to create a memory dump through live response:
Error getting memdump: Remote error HRESULT 0x8000ffff

Environment

  • EDR Server: 5.1.1 and Higher

Cause

If the target folder does not exist on the endpoint, or no file name is specified, the memory dump will not be created.

Resolution

Specify the folder path and name of the file when running the memdump command.

Additional Information

  • When the memdump command is run in a directory that is known to exist on the endpoint, a spinning icon shows that the server has made the call and is waiting for the memory dump to be sent up. Once it is complete, the Live Response page will give a pop-up to download and save the file locally.
  • Live Response can be used to create a folder in a specific directory, using the "mkdir" command.
  • Memdumps cannot be created directly to a remote IP - they must be created locally on the endpoint with Live Response.
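
For teams that script Live Response collection, the conditions above can be checked before the memdump command is issued. The following is an added example, not part of the original article or Carbon Black's code; the function name, finding codes, sample directory list, and the treatment of UNC paths as the "remote" case are assumptions.

```python
import ntpath  # Windows path rules, usable from any analyst workstation OS


def _norm(p):
    # Case-insensitive, separator-insensitive form for comparing Windows paths
    return ntpath.normcase(ntpath.normpath(p))


def check_memdump_target(path, known_dirs):
    """Return a list of findings for a memdump target; an empty list means OK.

    known_dirs: folders already confirmed to exist on the endpoint
    (assumption: gathered earlier in the session, e.g. from a directory listing).
    """
    drive, _ = ntpath.splitdrive(path)
    # UNC targets (\\host\share\...) are not local to the endpoint
    if drive.startswith(("\\\\", "//")):
        return ["REMOTE_TARGET"]

    known = {_norm(d) for d in known_dirs}
    folder, name = ntpath.split(path)
    findings = []

    # Trailing separator, or a path that is itself a known folder: no file name
    if not name or _norm(path) in known:
        findings.append("NO_FILE_NAME")
        folder = path  # the whole argument is a folder

    if not folder:
        findings.append("NO_FOLDER")       # bare file name, no folder path given
    elif _norm(folder) not in known:
        findings.append("FOLDER_MISSING")  # create it first with mkdir
    return findings


# Constructed sample data: folders assumed to exist on the endpoint
KNOWN = [r"C:\Windows\Temp", r"C:\IR\dumps"]

if __name__ == "__main__":
    for target in (r"C:\IR\dumps\host1.dmp", "C:\\IR\\dumps\\", "host1.dmp",
                   r"C:\IR\missing\host1.dmp", r"\\10.0.0.5\share\host1.dmp"):
        print(target, "->", check_memdump_target(target, KNOWN) or "OK")
```

A `FOLDER_MISSING` finding corresponds to the case where the folder should first be created with "mkdir"; any other finding means the memdump argument itself needs to be corrected.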