Windows Filescan plugin gets stuck on Windows 10 image #1876

@Mikiped00

Describe the bug
Windows Filescan plugin gets stuck after 30 min of scanning an 8GB RAM dump.

Context
Volatility Version: 2.27.0
Operating System: Ubuntu
Python Version: 3.10.27
Suspected Operating System: Windows 10
Command: windows.filescan

To Reproduce
vol.py -f "/mnt/hgfs/DFIREVIDENCES/dump.dd" -vvvvvv windows.filescan > windows.filescan2.txt

Windows Info image:

Volatility 3 Framework 2.27.0

Variable Value

Kernel Base 0xf8067cc00000
DTB 0x1ae000
Symbols file:///C:/Users/migue/Desktop/DFIR%20Tools/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/D783DA3D8CE8C95843A0BA21F1DC2294-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf8067da0a870
Major/Minor 15.26100
MachineType 34404
KeNumberProcessors 4
SystemTime 2025-09-04 22:58:02+00:00
NtSystemRoot C:\WINDOWS
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Tue Jan 17 16:26:44 1995

Expected behavior
Full scan of filescan successfully completed.

Example output
root@ubuntu:/home/ubuntu/volatility3# .env/bin/python vol.py -f "/mnt/hgfs/DFIREVIDENCES/dump.dd" -vvvvvv windows.filescan > windows.filescan2.txt
INFO volatility3.cli: Volatility plugins path: ['/home/ubuntu/volatility3/volatility3/plugins', '/home/ubuntu/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/ubuntu/volatility3/volatility3/symbols', '/home/ubuntu/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/plugins, /home/ubuntu/volatility3/volatility3/framework/plugins
DEBUG volatility3.plugins.yarascan: Using yara-python module
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /root/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/ubuntu/volatility3/volatility3/symbols, /home/ubuntu/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.FileScan.kernel.layer_name.memory_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.FileScan
DETAIL 4 volatility3.framework: Importing from the following paths: /home/ubuntu/volatility3/volatility3/framework/layers
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 8589934591
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.FileScan.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8067cc00000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/D783DA3D8CE8C95843A0BA21F1DC2294-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DEBUG volatility3.cli: Successfully constructed windows.filescan.FileScan (2, 0, 0)
DETAIL 3 volatility3.cli.text_filter: Filters:
[]
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 3 volatility3.plugins.windows.handles: Cannot access _OBJECT_HEADER Name at 0xf8067dbc57e0
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 3 volatility3.plugins.windows.handles: Cannot access _OBJECT_HEADER Name at 0xf8067dbc57e8
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 4 volatility3.framework.objects: Void size requested
DETAIL 3 volatility3.framework.symbols.windows.versions: Windows PE version data is not available
DETAIL 3 volatility3.framework.symbols.windows.versions: Windows PE version data is not available
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_SESSION_SPACE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PS_SYSCALL_PROVIDER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_IOP_FILE_OBJECT_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CHPEV2_PROCESS_INFO
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_NLS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DRIVER_PROXY_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK

Additional information
The tool used for the memory dump is winpmem.
