How to Create an ESXi Host Memory Dump
This article explains how to capture the entire memory of a VMware ESXi host, how this relates to core dumps, and which tools and methods you can use for both standard and advanced situations.
What Is an ESXi Memory Dump?
A memory dump refers to the complete capture of a system’s memory (RAM) at a specific moment. In ESXi, this is most commonly done via a core dump, which is automatically generated during a system crash (Purple Screen of Death, or PSOD).
This dump includes the ESXi host’s full memory contents, such as:
- Kernel state
- Running processes
- CPU registers
- Loaded modules and stack traces
Core Dump vs Memory Dump: Are They the Same?
Yes, in the context of VMware ESXi, a core dump is the full memory dump captured during a crash. However, the difference lies in the timing:
| Aspect | Core Dump | Live Memory Dump |
|---|---|---|
| Trigger | During crash (PSOD) | While host is running |
| Content | Full memory at crash time | Full or partial live RAM |
| Supported by VMware | Yes | No |
| Tools required | vmkdump, core-dump collector | DMA tools, custom access |
Step-by-Step: How to Dump ESXi Memory via Core Dump
Here’s how to safely capture a full memory dump from an ESXi host by triggering a controlled crash:
Step 1. Enable SSH Access
- Log in to the ESXi Web UI or DCUI
- Go to Host > Manage > Services and start SSH
- Use PuTTY or a terminal:
```
ssh root@ESXi-IP
```
Step 2. Prepare the Dump Directory
```
mkdir /vmfs/volumes/datastore1/memdump
```
Step 3. Configure Local Core Dump
```
esxcli system coredump file add --datastore datastore1 --file memdump
esxcli system coredump file set --path /vmfs/volumes/datastore1/vmkdump/memdump.dumpfile
esxcli system coredump file set --enable true
esxcli system coredump file get
```
(Replace datastore1 with the actual datastore name. The first command creates the dump file under the datastore's vmkdump directory, the next two make it the active dump target, and the last one confirms the Active and Configured paths before you continue.)
Step 4. Trigger a Manual PSOD (Host Crash)
Warning: This will reboot the ESXi host and affect all running VMs if host is not in Maintenance Mode.
```
vsish -e set /reboot/crashMe/Panic 1
```
Or:
```
echo 1 > /proc/vmware/crashMe
```
Step 5. Verify the Dump
```
ls -lh /var/core
```
After the host reboots, the core dump is extracted into /var/core/, where you should see files like vmkernel-zdump.1.gz
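Before running Step 4, it is worth checking that the host is actually ready to crash: a dump file must be active, and the host should be in maintenance mode so no VMs are lost. The following script is an added example, not from the original article, that performs those two checks. It assumes the output formats of `esxcli system coredump file get` (an `Active:` and a `Configured:` line) and `esxcli system maintenanceMode get` (a single `Enabled` or `Disabled` line); the parsing functions take that output as a string, so the script demonstrates itself with constructed sample output on any machine without esxcli, and only prints the panic command rather than running it.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks to run in
# the ESXi shell before triggering a controlled PSOD. The parsing functions take
# command output as a string, so they can be exercised offline with the
# constructed samples below; on a real host the last section feeds them live
# esxcli output. Assumed output formats (from "esxcli system coredump file get"
# and "esxcli system maintenanceMode get"):
#     Active: /vmfs/volumes/<uuid>/vmkdump/<name>.dumpfile
#     Configured: /vmfs/volumes/<uuid>/vmkdump/<name>.dumpfile
# and a single line reading "Enabled" or "Disabled".

# Print the path of the active core dump file, or nothing if none is active.
coredump_active_path() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Active:[[:space:]]*//p' | tr -d '[:space:]'
}

# Return 0 when the host reports maintenance mode as Enabled.
maintenance_mode_enabled() {
    [ "$(printf '%s\n' "$1" | tr -d '[:space:]')" = "Enabled" ]
}

# Combine both checks. Prints a GO/STOP line; returns 0 only when a dump file
# is active AND the host is in maintenance mode.
crash_preflight() {
    path=$(coredump_active_path "$1")
    if [ -z "$path" ]; then
        echo "STOP: no active core dump file (configure one with: esxcli system coredump file set --enable true)"
        return 1
    fi
    if ! maintenance_mode_enabled "$2"; then
        echo "STOP: host is not in maintenance mode; migrate VMs and enter it first"
        return 1
    fi
    echo "GO: dump file $path is active and host is in maintenance mode"
    return 0
}

# Constructed sample outputs (the UUID is a placeholder) for the offline demo.
SAMPLE_CORE_OK='   Active: /vmfs/volumes/11111111-22222222-3333-444444444444/vmkdump/memdump.dumpfile
   Configured: /vmfs/volumes/11111111-22222222-3333-444444444444/vmkdump/memdump.dumpfile'
SAMPLE_CORE_NONE='   Active:
   Configured:'
SAMPLE_MM_ON='Enabled'
SAMPLE_MM_OFF='Disabled'

if command -v esxcli >/dev/null 2>&1; then
    # Real host: check live state, but leave the actual panic to the operator.
    if crash_preflight "$(esxcli system coredump file get)" "$(esxcli system maintenanceMode get)"; then
        echo "Pre-flight passed; trigger the PSOD with: vsish -e set /reboot/crashMe/Panic 1"
    fi
else
    # No esxcli (lab workstation): show all three outcomes with the samples.
    crash_preflight "$SAMPLE_CORE_OK" "$SAMPLE_MM_ON"
    crash_preflight "$SAMPLE_CORE_NONE" "$SAMPLE_MM_ON" || true
    crash_preflight "$SAMPLE_CORE_OK" "$SAMPLE_MM_OFF" || true
fi
```

Copy the script to the host (for example with scp) and run it with `sh` from the SSH session; a STOP line means Step 3 or the maintenance-mode migration still needs to be completed.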
How to Download and Analyze the Dump
Use scp over SSH, the Datastore Browser, or the WinSCP GUI to export the file for analysis:
```
scp root@ESXi-IP:/var/core/vmkernel-zdump.1.gz /forensics/
```
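A dump that will be used as forensic evidence should be hashed on the host before it is copied and checked again after the transfer, which also covers the "securely store memory dumps" point in the best practices below. The script that follows is an added example rather than the article's own procedure; it assumes a `sha256sum` binary (busybox on ESXi, coreutils on the analysis workstation), and every path and file in it is a placeholder or a temporary file constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: keep a SHA-256 manifest for
# each dump file before it leaves the host, and verify the copy after transfer.
# Assumes a sha256sum binary (busybox on ESXi, coreutils on the analysis box);
# all paths here are placeholders or temporary files constructed for the demo.

# Absolute path helper so manifests work regardless of the caller's cwd.
abs_path() {
    ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd)" "$(basename "$1")" )
}

# Append "<sha256>  <filename>" for one dump file to the manifest. Hashing is
# done relative to the file's directory so the manifest stores bare names and
# can be checked from whatever directory the copies land in.
record_dump_hash() {
    dump=$1
    manifest=$(abs_path "$2")
    ( cd "$(dirname "$dump")" && sha256sum "$(basename "$dump")" ) >> "$manifest"
}

# Check every entry of the manifest against the files in directory $2.
# Returns 0 when all hashes match, non-zero if any file is missing or altered.
verify_dump_manifest() {
    manifest=$(abs_path "$1")
    ( cd "$2" && sha256sum -c "$manifest" >/dev/null 2>&1 )
}

# Offline demonstration with a constructed "dump" in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed sample dump contents\n' > "$demo_dir/vmkernel-zdump.1.gz"
record_dump_hash "$demo_dir/vmkernel-zdump.1.gz" "$demo_dir/manifest.sha256"

# Stand-in for the scp step: copy the file, then verify the copy.
mkdir "$demo_dir/forensics"
cp "$demo_dir/vmkernel-zdump.1.gz" "$demo_dir/forensics/"
verify_dump_manifest "$demo_dir/manifest.sha256" "$demo_dir/forensics" \
    && echo "copy verified against manifest"

# Simulate a truncated or tampered transfer: a single appended byte must fail.
printf 'x' >> "$demo_dir/forensics/vmkernel-zdump.1.gz"
verify_dump_manifest "$demo_dir/manifest.sha256" "$demo_dir/forensics" \
    || echo "mismatch detected: do not trust this copy"
rm -rf "$demo_dir"
```

In practice, run `record_dump_hash` on the host for each file in /var/core, copy the manifest alongside the dumps, and run `verify_dump_manifest` in the destination directory before any analysis starts; keep the manifest with the case notes.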
Analysis Tools
- Volatility Framework
- Rekall Memory Forensics
- FTK Imager
Is Live ESXi Memory Dump Possible?
Broadcom does not support live memory dumps on a running ESXi host. However, in advanced lab environments, there are options:
1. PCILeech DMA-Based Tools (Advanced)
- Requires a PCIe DMA device like Screamer M.2 or PCILeech FPGA
- Physically connected to the ESXi host
- Used for direct memory access
- High risk, not suitable for production
2. VMware GSS (Support-Only)
VMware’s Global Support Services can assist in capturing live memory through debug builds or internal tools, but this is not publicly available.
What About Virtual Machines?
For individual VM memory dumps, use:
Windows VMs: winpmem
```
winpmem.exe --output C:\memory.raw
```
Linux VMs: linpmem
```
./linpmem --output /tmp/memdump.raw
```
Analyze with Volatility:
```
volatility -f memory.raw imageinfo
```
Best Practices
- Always migrate VMs to the next available healthy ESXi host and back up the host configuration before attempting a crash dump
- Securely store memory dumps (they may contain sensitive information)
- Work with VMware GSS for supported, stable diagnostic techniques
Conclusion
Capturing memory from an ESXi host is a useful skill. Core dumps give you a complete snapshot of the host's RAM at the moment of a crash. Capturing live memory, however, is not officially supported and requires special hardware or Broadcom support.
You can use memory dumps to diagnose crashes, investigate malware, or find hidden threats, but always proceed with caution. Make sure you have the necessary approvals and backups in place.
For VM memory, tools like winpmem and linpmem are reliable and easy to use. For ESXi itself, stick to core dumps or support tools unless you are in a lab.
Frequently Asked Questions (FAQs)
1. What is the purpose of dumping ESXi memory?
Dumping ESXi memory is primarily used for forensic analysis and troubleshooting. It allows investigators and administrators to capture the full memory state of an ESXi host to identify malicious activity, analyze system behavior, or debug kernel-level issues.
2. Is it safe to dump memory from a live ESXi host?
Dumping memory from a live ESXi host is possible, but it should be done with extreme caution. Improper handling or unsupported tools can cause performance degradation or even system crashes. It’s recommended to perform the task during a maintenance window or on test environments first.
3. Can I use WinPMEM or LinPMEM directly on ESXi?
No, WinPMEM and LinPMEM are memory acquisition tools designed for Windows and Linux systems. Since ESXi is based on a custom Linux distribution with a proprietary kernel, these tools are not compatible. You’ll need to use VMware-specific methods such as VMKcore dumps or hardware-based acquisition.
4. What’s the difference between core dump and memory dump on ESXi?
A core dump on ESXi typically captures memory only when a host crashes (Purple Screen of Death) and is used for debugging. A memory dump, on the other hand, is a full capture of system memory taken live for forensic analysis. They serve different purposes and occur under different conditions.
5. Is it possible to automate ESXi memory collection?
Currently, full memory acquisition on live ESXi hosts is not officially supported or easily automated due to ESXi’s security model and architecture. Some third-party forensic tools or hardware-based solutions may offer automation, but they often require deep integration and licensing.
6. Where is the memory dump stored in ESXi?
If you’re using VMKcore or crash dumps, they are typically stored in the /var/core/ directory or on a configured diagnostic partition. Ensure you have enough space and backup configurations before triggering a dump manually or during a crash.
7. Can I analyze an ESXi memory dump with Volatility or Rekall?
Volatility and Rekall do not natively support ESXi memory formats due to the unique kernel architecture. However, with some advanced customization and profile development, partial analysis may be possible. Otherwise, VMware’s internal debugging tools or commercial forensics solutions are preferred.
8. What are the risks of dumping memory on production ESXi hosts?
Risks include host instability, increased load, or even system crashes if unsupported tools or incorrect procedures are used. It’s crucial to validate the method in a lab environment and ensure proper change management and backup policies are in place.
Explore more and stay updated. Always document your actions.