Channel: Hyper-V forum

vm2dmp.exe supporting Hyper-V 2012 R2


For educational purposes, I am currently researching how memory content can be extracted and analyzed from snapshots and saved states from Hyper-V. Hyper-V saves this information in files with the extensions *.vsv and *.bin. To convert these files to a usable full memory dump (*.dmp), the "Hyper-V VM State to Memory Dump Converter" (vm2dmp.exe) was released in January 2010 (http://archive.msdn.microsoft.com/vm2dmp). However, this tool works only on files created with Hyper-V Version 2 (Hyper-V/Windows Server 2008 R2). When one tries to convert snapshots or saved states created on Hyper-V 2012 or 2012 R2, the tool fails.

It seems that the format of the *.vsv and *.bin files has changed and the converter tool is not capable of processing the changed file format. Does anyone know about any changes from Hyper-V Version 2 to Version 3 or the new file format? I guess the format specification is not publicly available. However, it would be of enormous help to be able to convert those files created by Hyper-V Version 3 for the purpose of analysing them as well.

I understand that it might not be possible to have the format specification of the snapshot files for further research. But as the vm2dmp.exe converter tool already exists for the previous version of Hyper-V, I believe that providing a tool or the information about the snapshot file format is worth a discussion. Provided with this information, it would ideally be possible to extend the existing or implement a new conversion tool to support a broader range of Hyper-V versions. I could imagine that this could also possibly lead to new capabilities in snapshot migration.

I appreciate any replies with ideas and further information.

Thanks,
Christian

