Creating a memory dump

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can create a memory dump for the computer on which Kaspersky Endpoint Agent is installed.

Before creating the memory dump, we recommend terminating processes of critical applications. After creating the memory dump, we recommend restarting the computer for which the memory dump was created.

To create a memory dump using the Kaspersky Endpoint Agent command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Enter the command:

    agent.exe --memory-dump --path=<path to local or network folder where you want to save the memory dump> [--user=<user name> --pwd=<password>]

    The user name and password are required if a folder for storing the memory dump is password protected.

    Make sure that write access is granted for the folder where the memory dump will be stored. Otherwise, the dump file will not be created.

  4. Press ENTER.

    In the specified folder, Kaspersky Endpoint Agent creates a memory dump with the name MemoryDump_<host name>_<date and time when the file began to be written>.dmp.

    Command parameters for creating a memory dump

    | Parameter | Description |
    |---|---|
    | --path | Required parameter. This parameter passes the full path to the local or network folder where the application will store the memory dump. The name of a network folder must be in UNC format. |
    | --user | This parameter passes the user name for accessing the folder specified by the --path parameter. If this parameter is missing, the SYSTEM account must have access to the folder. |
    | --pwd | This parameter passes the password for accessing the folder specified by the --path parameter. If this parameter is missing, the SYSTEM account must have access to the folder. |

Return codes of the --memory-dump command:

Kaspersky Endpoint Agent does not encrypt or compress the memory dump file. If necessary, you can use third-party tools to encrypt and compress the folder where the memory dump is stored.

The SMB 3 (or higher) protocol must be configured in order for Kaspersky Endpoint Agent to save the memory dump file to the folder in encrypted form.
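
A pre-flight and post-capture wrapper around the command above, as an added PowerShell example that is not part of the Kaspersky documentation. The evidence folder D:\Evidence\MemoryDumps is hypothetical, the install path is the example path from this page, and sizing free space against physical RAM is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code.
$AgentDir = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent'  # example path from this page
$DumpDir  = 'D:\Evidence\MemoryDumps'                              # hypothetical local folder
$ErrorActionPreference = 'Stop'

# 1. The target folder must exist and be writable, otherwise no dump file is created.
#    This probe runs as the current administrator; when --user/--pwd are omitted,
#    the SYSTEM account must also have access to the folder.
if (-not (Test-Path -LiteralPath $DumpDir -PathType Container)) {
    throw "Dump folder not found: $DumpDir"
}
$probe = Join-Path $DumpDir ('write-test-{0}.tmp' -f [guid]::NewGuid())
[System.IO.File]::WriteAllText($probe, 'probe')   # throws if write access is denied
Remove-Item -LiteralPath $probe

# 2. Assumption: the dump is roughly the size of physical RAM, so require that much free space.
$ram  = [uint64](Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$free = (Get-Item -LiteralPath $DumpDir).PSDrive.Free
if ($free -lt $ram) {
    throw ('Free space {0:N1} GB is below RAM size {1:N1} GB' -f ($free / 1GB), ($ram / 1GB))
}

# 3. Run the documented command from the agent folder. --user/--pwd are left out
#    so that no password appears in the command line or in process-creation logs.
$started = Get-Date
Push-Location -LiteralPath $AgentDir
try {
    & .\agent.exe --memory-dump "--path=$DumpDir"
    Write-Host "agent.exe return code: $LASTEXITCODE"
} finally {
    Pop-Location
}

# 4. Confirm that a new MemoryDump_<host name>_<date and time>.dmp file was written.
$dump = Get-ChildItem -LiteralPath $DumpDir -Filter 'MemoryDump_*.dmp' |
    Where-Object { $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $dump) { throw "No new MemoryDump_*.dmp found in $DumpDir" }

# 5. The dump is neither encrypted nor compressed: record a SHA-256 hash so that
#    later copies or third-party encrypted archives can be checked against it.
$hash = Get-FileHash -LiteralPath $dump.FullName -Algorithm SHA256
'{0}  {1}  {2:N1} GB' -f $hash.Hash, $dump.Name, ($dump.Length / 1GB)
```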
