Windows 7: Got a BSOD. Had about 40 unsaved Notepad files.

10 Apr 2020   #1
ElielC

Windows 7 Ultimate x64
 
 
Got a BSOD. Had about 40 unsaved Notepad files.

Hello there,

My computer had been running for about 80 days and I had about 40 unsaved Notepad text files.
Got a BSOD without doing anything.
Yesterday, when I came back to use the PC, I saw the BSOD.

Now I really need to back up those unsaved Notepad files.
I know that Windows 7 does not save them in a temporary folder and they are actually stored only in the RAM, which is volatile.

I found that it is possible to dump the memory with a "Cold Boot Attack" to a USB flash drive.

Cold Boot Attack Tools for Linux | Linux Journal

I tried to compile the x64 version of the program (I have 8GB of memory) without success.
My knowledge in this domain is close to 0.
Can I ask a favor from someone with compiling knowledge to give me a compiled x64 scraper.bin so I can try to dump my memory with this method?

My PC is still running and under power showing me the blue screen.
I have not touched it since the blue screen.
I also want to mention that my PC was never connected to the net; I only use it for writing memos in Notepad files.

I do agree that not saving so many files is very stupid, but my PC was super stable and sometimes runs for over 6 months without a reboot.
I did not know that it can BSOD without doing anything like that.

Thank you for the help.
10 Apr 2020   #2
wither 2

Windows 7 Pro SP1 64 bit
 
 

Would you post the BSOD information per this-

Blue Screen of Death (BSOD) Posting Instructions
11 Apr 2020   #3
ElielC

Windows 7 Ultimate x64
 
 

Hello,

Don't need assistance about the BSOD itself.
I don't care about it.
What I'm trying to do is to make a full dump of the memory in the hope that the unsaved Notepad files are still somewhere in the memory even after the BSOD.

I need a compiled x64 version of the bios_memimage utility, which should result in a scraper.bin file which I will put on a USB drive.
Then I will reset the PC and boot from the USB drive, which should capture a complete dump of the memory before the memory gets a chance to vanish.

In the hope that I can get back all my unsaved Notepad files.

Thank you.
11 Apr 2020   #4
wither 2

Windows 7 Pro SP1 64 bit
 
 

My apologies but what you want to do is beyond my capabilities to answer. I've asked someone else if they can help.
12 Apr 2020   #5
ElielC

Windows 7 Ultimate x64
 
 

Thank you, wither 2.

I forgot the link of the utility.
Here it is.

GitHub - DonnchaC/coldboot-attacks: Archive of the original "cold boot" attack tools from CITP at Princeton. The original links are broken.

I need the 64-bit version, which is the BIOS_memimage 2.1 file.

To compile the 64-bit version, the command is make -f Makefile.64

Instructions can be found in the archive in the docs folder.
12 Apr 2020   #6
iko22

Windows 7 x64, Vista x64, 8.1 smartphone
 
 

Quote: Originally Posted by ElielC
Hello,

Don't need assistance about the BSOD itself.
I don't care about it.
What I'm trying to do is to make a full dump of the memory in the hope that the unsaved Notepad files are still somewhere in the memory even after the BSOD.

I need a compiled x64 version of the bios_memimage utility, which should result in a scraper.bin file which I will put on a USB drive.
Then I will reset the PC and boot from the USB drive, which should capture a complete dump of the memory before the memory gets a chance to vanish.

In the hope that I can get back all my unsaved Notepad files.

Thank you.

The files you request depend on Compilation from GNU GCC compiler. I do not have this compiler on any of my machines. Sorry.

I think the code project in question depends on "Persistent Memory"; something which has only been exploited in Windows Server 2019 and Windows 10. From a Windows 10 computer, you can type something into WordPad, Restart the Computer, and the WordPad text will still be there on the desktop. You cannot do that in Windows 7.

Microsoft Office and LibreOffice, and many other applications, also have a feature to back up your edited document in case of a power failure. This backup facility does not exist in NotePad or WordPad.
12 Apr 2020   #7
ElielC

Windows 7 Ultimate x64
 
 

No, you are wrong.

This exploit was published by Princeton University in 2008.

Here is the original link: Lest We Remember: Cold Boot Attacks on Encryption Keys | Center for Information Technology Policy

This has nothing to do with the version of the operating system.

The current version of Windows 10 creates a backup even in Notepad.
12 Apr 2020   #8
iko22

Windows 7 x64, Vista x64, 8.1 smartphone
 
 

Well I'd like to give it a go and see if it works. Still I do not have GCC compiler on any of my machines. The file you request, depends on the GNU GCC compiler being available.

What is the state of the problem machine? Is it still switched on? If it has been switched off, then the RAM would have lost all data.

If your computer is still switched on continuously since the BSOD then I'd be prepared to install GCC compiler to prepare the file for you. You'd still need to load the file to a suitable USB flash memory stick, at your side.
12 Apr 2020   #9
ElielC

Windows 7 Ultimate x64
 
 

Yes of course.
The PC is still running and is showing the blue screen.
I haven't touched it since the crash.

I will have to create the USB drive after that, yes.

Since I do not have a way to test the utility, it will be a huge help if you can test it on your side before uploading it (just check that the utility loads up correctly and does not give any error).
I do have another PC but I can't test it since it is under UEFI, and UEFI requires another version of the utility.

I will only have 1 chance to try it.
If the utility does not boot or load correctly, I'm screwed.

Thank you for trying to help!
12 Apr 2020   #10
Alejandro85

Windows 7 Ultimate x64
 
 

First of all, if the data in question is so important to you to even seriously consider a cold boot attack on your own computer, I would consider hiring an expert in the field to do the trick for you. Not only will he be in a better position to freeze the RAM, reboot and dump the data, but also in scrubbing the resulting things into a useful piece of data.

Another possible way of rescuing the notepads is by scrubbing the page file, if you happen to have one. Since at the time of the BSOD the machine was idle, there is a good chance of Windows paging notepad out of physical memory, in which case the page file will contain your data. Assuming it's not encrypted and not overwritten by the BSOD debug info, you might be able to find it there, as long as you don't boot Windows again before taking a copy.
Not that scrubbing a page file is easier than scrubbing a memory dump, but it's a lot more persistent than RAM. Consider this way if a cold boot attack fails or you can't reveal anything useful from it.

Other than that, I also am at a loss at the practical implications of such techniques, other than understanding the theory.
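
Added example, not part of the post above or of the Princeton tools: one way to do the "scrubbing" step on a copy of the page file or on a RAM image is to pull out runs of UTF-16LE text. It assumes Notepad's edit buffer is held as UTF-16LE and that the notes are Latin-script text; the function names and the 16-character threshold are this example's own choices.

```python
import mmap
import re

MIN_CHARS = 16  # ignore runs shorter than this; assumed threshold, tune per image

# One UTF-16LE code unit for printable ASCII, tab, CR or LF: the byte, then 0x00.
# Assumption: the notes are Latin-script text; other scripts need a wider class.
_RUN = re.compile(rb"(?:[\t\n\r\x20-\x7e]\x00){%d,}" % MIN_CHARS)


def utf16_runs(buf):
    """Return [(offset, text)] for every UTF-16LE text run found in buf."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in _RUN.finditer(buf)]


def scan_image(path, keywords=()):
    """Scan a copy of a page file or RAM image without reading it all into memory.

    keywords: optional lowercase words; when given, keep only runs containing one.
    """
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        hits = utf16_runs(mm)
    if keywords:
        hits = [(o, t) for o, t in hits if any(k in t.lower() for k in keywords)]
    return hits


if __name__ == "__main__":
    import sys
    # usage: python scan.py IMAGE [keyword ...]
    for offset, text in scan_image(sys.argv[1], [k.lower() for k in sys.argv[2:]]):
        print(f"--- offset {offset:#x}, {len(text)} chars")
        print(text)
```

Run it only against a copy of the image, never the original. Memory is paged in 4 KiB units that are not stored in document order, so a long note may come back as several fragments.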