Original Message:
Sent: Jul 18, 2025 04:37 AM
From: gsharma36
Subject: How to dump esx memory for forensic analysis ?
As per my knowledge, there is no officially supported way to dump the entire ESXi host memory live (without a crash) using VMware's native tools, because ESXi is a closed-source, bare-metal hypervisor, and live memory access is restricted for security and stability purposes. However, there are advanced methods that can capture live memory from a running ESXi host, but I think they are not officially supported or safe for production and could be risky.
WinPmem is for Windows, to capture full physical RAM from live Windows systems.
LinPmem is for Linux, to capture full physical RAM from live Linux systems. They are not used for dumping ESXi host memory; they are relevant for virtual machines running Windows or Linux on top of ESXi when you want to capture their memory without suspending them.
If you want to dump Windows VM memory running on ESXi, use winpmem.exe inside the VM.
Or if you want to dump Linux VM memory running on ESXi, then use linpmem inside the VM.
You can use an ESXi native tool to dump the memory of an ESXi host.
Thanks
------------------------------
Thanks & Regards
Gourav Sharma
Original Message:
Sent: Jul 17, 2025 01:34 PM
From: David Delsouc
Subject: How to dump esx memory for forensic analysis ?
Hi,
Thank you for your answer.
Your article is very good and is a first step. We can dump process memory like hostd or the kernel, but I think the security team wants to capture the whole memory (like winpmem or linpmem).
I can't find anything about capturing the ESX memory (to list all processes running on a compromised ESXi after the capture, for example).
Regards, David.
Original Message:
Sent: Jul 17, 2025 03:56 AM
From: Alexandru Capras
Subject: How to dump esx memory for forensic analysis ?
Hi,
I haven't done this myself, but there's usually a KB for just about everything.
Here's one that might help:
https://knowledge.broadcom.com/external/article/340041/generating-live-core-dump-for-esxi-host.html
Original Message:
Sent: Jul 16, 2025 12:08 PM
From: David Delsouc
Subject: How to dump esx memory for forensic analysis ?
Hello,
The security team asks us to find a way to dump ESX memory for forensic analysis while it is running.
- OK for virtual machine memory with a snapshot and extracting the .vmem file
- OK for core dump (purple screen) with the diagnostic partition or collector
But is there a way or tool to dump ESXi host memory on a running ESXi?
Thanks for your ideas.
Regards, David.