Creating a disk dump

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can create a dump of a physical or logical disk of the computer on which Kaspersky Endpoint Agent is installed.

To create a disk dump using the Kaspersky Endpoint Agent command line interface:

1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
2. Using the cd command, navigate to the folder where the Agent.exe file is located.

   For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

   Enter the command:

   agent.exe --disk-image --volume=<disk name> [--format=<file format, RAW or EWF>] [--max-size=<size in bytes>] [--segment-size=<size in bytes>] --path=<path to a local or network folder where you want to save the disk dump> [--user=<user name> --pwd=<password>]

   The user name and password are required if the folder for storing the disk dump is password protected.

   Be sure that write access is granted for the folder where the disk dump will be stored. Otherwise, dump file will not be created.

3. Press ENTER.

   In the specified folder, Kaspersky Endpoint Agent creates a disk dump file with a name in the format <disk name>_<date and time when the file started to be written>.<extension>.

   The disk dump file extension may be the following:

   • If the RAW format was specified in the command to create the disk dump (--format=RAW):
     • if the disk dump is not split (the --segment-size parameter is omitted), then the disk dump file has the raw extension;
     • If the disk dump is split (the --segment-size parameter is specified), then the parts of the dump have the extensions 001, 002, 003, etc. up to 999.
   • If the EWF format was specified in the command to create the disk dump (--format=EWF):
     • If the disk dump is not split (the --segment-size parameter is omitted), then the disk dump file has the extension E01;
     • If the disk dump is split (the --segment-size parameter is specified), then the parts of the dump have the extension E01, E02, ..., E99; EAA, EAB, ..., EAZ; FAA, FAB, ..., FZZ, <...>; ZAA, ZAB, ..., ZZZ.

   Command parameters for creating a disk dump

   Parameter	Description
   --volume	Required parameter. This parameter passes the number of a physical disk or the name of a logical disk, where the dump will be created. The format for the physical disk number is: \??\PHYSICALDRIVEN or PHYSICALDRIVEN, where N is the disk number. For example: \??\PHYSICALDRIVE0, PHYSICALDRIVE1. Format of the name of the logical disk: N:, where N is the letter designation of the logical disk. For example, С:. If you create a dump file for a logical disk used to boot the operating system, use the %SystemDrive% variable as the disk name.
   --format	This parameter passes the format for the file with the disk dump. Possible values: RAW or EWF. If the parameter is omitted, the application creates a disk dump in the RAW format.
   --max-size	This parameter passes the maximum allowed size of the disk dump in bytes. If this parameter is omitted, the application creates a disk dump with a maximum size of 1,099,511,627,776 bytes.
   --segment-size	This parameter passes the maximum size of part of the disk dump in bytes. Additionally, the minimum size of part of the dump must be larger than 33,554,432 bytes. If the parameter is specified, the application splits the disk dump into parts of the specified size and adds them to an archive. The size of the archived dump parts is less than the value specified using the parameter. If the parameter is omitted, the application does not split the disk dump into parts.
   --path	Required parameter. This parameter passes the full path to the local or network folder where the application stores the disk dump. The name of a network folder must be in UNC format.
   --user	This parameter passes the user name for accessing the folder specified by the --path parameter. If the parameter is omitted, the SYSTEM access must have access to the folder where the disk dump will be stored.
   --pwd	This parameter passes the password for accessing the folder specified by the --path parameter. If the parameter is omitted, the SYSTEM access must have access to the folder where the disk dump will be stored.

Return codes of the --memory-dump command:

• -1 – command is not supported.
• 0 – command successfully executed.
• 1 – required argument is not passed to the command.
• 2 – general error.
• 4 – syntax error.

Kaspersky Endpoint Agent does not encrypt or compress the memory dump file. If necessary, you can use third-party tools to encrypt and compress of the folder where the memory dump is stored.

The SMB 3 (or higher) protocol must be configured in order for Kaspersky Endpoint Agent to save the memory dump file to the folder in encrypted form.

Page top