Where did the crash dump come from?

2009 (0x7D9) - The Year of Debugging

This is a basic check, and a very useful one when a customer complains that the fix you sent yesterday doesn’t work: read the computer name recorded in the dump. It may turn out that the dump came from a machine your fix was never applied to. Here is a short summary for the different dump types:

1. Complete/kernel memory dumps: dS srv!srvcomputername (the name the server driver srv.sys keeps in a UNICODE_STRING; srv symbols must resolve for this to work)

1: kd> dS srv!srvcomputername
e17c9078 "COMPUTER-NAME"

2. User dumps: !peb to get the address of the process environment block, then a Unicode string search (s -su) over it for COMPUTERNAME=. !peb does not print the block’s size, so the end of the range below is a guess; widen it if there is no hit. The !envvar extension command performs the same lookup in one step.

0:000> !peb
PEB at 7ffde000
...
...
...
Environment: 0x10000
...
0:000> s-su 0x10000 0x20000
...
...
000123b2 "COMPUTERNAME=COMPUTER-NAME"
...
...

The dS command shown above interprets its argument as the address of a UNICODE_STRING structure, the counted string type used throughout the Windows kernel:

1: kd> dt _UNICODE_STRING
+0x000 Length : Uint2B
+0x002 MaximumLength : Uint2B
+0x004 Buffer : Ptr32 Uint2B

DDK definition (Length and MaximumLength are byte counts, not character counts, and Length does not include a terminating NUL, which is not required):

typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use at Buffer
    USHORT MaximumLength; // bytes allocated at Buffer
    PWSTR  Buffer;        // UTF-16 code units, not necessarily NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;

Let’s dump the structure itself as two dwords with dd:

1: kd> dd srv!srvcomputername l2
f5e8d1a0 0022001a e17c9078

Read little-endian, the first dword 0022001a is the pair Length = 0x1a and MaximumLength = 0x22. Such a combination of two short integers (the first no larger than the second) followed by a valid address is usually an indication that you are looking at a UNICODE_STRING structure:

1: kd> du e17c9078
e17c9078 "COMPUTER-NAME   "

Note that du knows nothing about Length: it prints UTF-16 units up to the first NUL, so the trailing characters above are slack in the 0x22-byte buffer beyond the 0x1a bytes actually in use. We can double-check the structure with the dt command, which honours Length:

1: kd> dt _UNICODE_STRING f5e8d1a0
"COMPUTER-NAME"
+0x000 Length : 0x1a
+0x002 MaximumLength : 0x22
+0x004 Buffer : 0xe17c9078 "COMPUTER-NAME"
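The two lookups described in this post, carried out offline on a memory image, as an added example that is not code from the original post or from WinDbg. It reproduces both the kernel-dump case (decoding the UNICODE_STRING at srv!srvcomputername, including the "two shorts followed by an address" heuristic and the difference between du and dS) and the user-dump case (finding COMPUTERNAME= in the PEB environment block). The byte contents are constructed to match the values WinDbg printed above; the addresses are the ones from the post's output, and the class and function names are my own.

```python
"""Decode a UNICODE_STRING and look up an environment variable in a 32-bit
Windows memory image, offline, the way dS / dt and s -su do in WinDbg.

Added example, not code from the original post. The memory contents below
are constructed to reproduce the values the post shows; the addresses
0xf5e8d1a0 (srv!srvcomputername) and 0xe17c9078 (its Buffer) come from the
post's WinDbg output, while the helper names are my own.
"""
import struct


class DumpImage:
    """Sparse 32-bit address space: {base_address: bytes}. Reads that fall
    outside a captured region fail, as they would on a partial dump."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"{addr:#010x}+{size:#x} is not in the dump")


def read_unicode_string(img, addr):
    """Equivalent of 'dt _UNICODE_STRING <addr>' (and of dS) on a 32-bit image.

    Layout is USHORT Length, USHORT MaximumLength, PWSTR Buffer: 8 bytes.
    Length and MaximumLength are byte counts; Length excludes any NUL.
    """
    length, max_length, buffer_ptr = struct.unpack("<HHI", img.read(addr, 8))
    # Consistency checks before trusting eight arbitrary bytes as a structure.
    if length % 2:
        raise ValueError("Length is odd: cannot be a count of UTF-16 code units")
    if length > max_length:
        raise ValueError("Length exceeds MaximumLength: not a UNICODE_STRING")
    if buffer_ptr == 0 and length:
        raise ValueError("NULL Buffer with a non-zero Length")
    text = img.read(buffer_ptr, length).decode("utf-16-le")
    return {"Length": length, "MaximumLength": max_length,
            "Buffer": buffer_ptr, "String": text}


def looks_like_unicode_string(img, addr):
    """The 'two shorts followed by an address' heuristic from the post, made
    concrete: the fields are consistent and the Buffer is readable."""
    try:
        read_unicode_string(img, addr)
        return True
    except ValueError:
        return False


def read_wide_string(img, addr, max_chars=256):
    """Equivalent of 'du': read UTF-16LE code units up to the first NUL.
    Unlike dS it knows nothing about Length, so it shows slack past the end."""
    units = []
    for i in range(max_chars):
        unit = img.read(addr + 2 * i, 2)
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def find_env_var(env_block, name):
    """Narrow form of 's -su' over the PEB environment block: the block is a
    run of NUL-terminated UTF-16LE 'NAME=value' strings ended by an extra NUL.
    Variable names are case-insensitive on Windows."""
    prefix = name.upper() + "="
    for entry in env_block.decode("utf-16-le").split("\x00"):
        if entry.upper().startswith(prefix):
            return entry[len(prefix):]
    return None


# --- constructed kernel-dump contents matching the post's output ----------
NAME = "COMPUTER-NAME"                                   # 13 WCHARs
name_utf16 = NAME.encode("utf-16-le")                    # 26 bytes == 0x1a
# MaximumLength 0x22 (34 bytes) holds 17 WCHARs; the three spaces and the
# NUL here stand in for the slack that 'du' printed after the name.
buffer_bytes = name_utf16 + "   ".encode("utf-16-le") + b"\x00\x00"
# 'dd srv!srvcomputername l2' printed: 0022001a e17c9078
struct_bytes = struct.pack("<HHI", len(name_utf16), 0x22, 0xE17C9078)
KERNEL_DUMP = DumpImage({0xF5E8D1A0: struct_bytes, 0xE17C9078: buffer_bytes})

# --- constructed user-dump environment block (what the PEB points to) ------
ENV_BLOCK = "\x00".join([
    "ALLUSERSPROFILE=C:\\Documents and Settings\\All Users",
    "COMPUTERNAME=COMPUTER-NAME",
    "SystemRoot=C:\\WINDOWS",
]).encode("utf-16-le") + b"\x00\x00\x00\x00"

if __name__ == "__main__":
    print(read_unicode_string(KERNEL_DUMP, 0xF5E8D1A0))    # Length 0x1a, 'COMPUTER-NAME'
    print(repr(read_wide_string(KERNEL_DUMP, 0xE17C9078)))  # 'COMPUTER-NAME   ' (slack shown)
    print(looks_like_unicode_string(KERNEL_DUMP, 0xE17C9078))  # False: odd Length
    print(find_env_var(ENV_BLOCK, "ComputerName"))           # 'COMPUTER-NAME'
```

The struct format string is the 32-bit layout the post's dt output shows (Ptr32 at +0x004). On a 64-bit target the structure is 16 bytes, with four bytes of padding after MaximumLength and an 8-byte Buffer at +0x008, so the same decode would use "<HHxxxxQ"; the Length/MaximumLength checks are unchanged.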

- Dmitry Vostokov -

