Where did the crash dump come from? (Part 2)
Part 1 focused on using a debugger to extract a computer name from memory dumps. Here is a very simple approach for user dumps using built-in command-line tools:
C:\UserDumps>findstr "COMPUTERNAME=" new_0200_2008-04-28_14-11-54-937_0cb0.dmp
Most of the time, the last portion of the output contains something like this:
..CommonProgramW6432=C:\Program Files\Common Files..COM
PUTERNAME=HOME-PC....ComSpec=C:\W2K3\system32\cmd.exe..
..♀.FP_NO_HOST_CHECK=NO...♂.HOMEDRIVE=C:......HOMEPATH=
\Documents and Settings\User...........................
.LOGONSERVER=\\SERVER..∩...NUMBER_OF_PROCESSORS=1...δ..
;..Φ;..╨α,.~........²²²²COMPUTERNAME=HOME-PC.²²²²
If we don’t see the variable, we can redirect the output into a text file and look in it, or simply open the dump in any hex editor and search for a UNICODE string.
- Dmitry Vostokov @ DumpAnalysis.org -
January 8th, 2009 at 8:28 pm
There is another trick you can use with FINDSTR to find Unicode strings. If you use periods to separate the letters, then findstr will find the Unicode string.
For example:
findstr C.O.M.P.U.T.E.R.N.A.M.E memory.dmp
Example output will look something like this:
C.o.m.m.o.n.P.r.o.g.r.a.m.F.i.l.e.s.=.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.o.m.m.o.n. .F.i.l.e.s...C.O.M.P.U.T.E.R.N.A.M.E.=.H.O.M.E.-.P.C...C.o.m.S.p.e.c.=.C.:.\.W.I.N.N.T.\.s.y.s.t.e.m.3.2.\.c.m.d...e.x.e...N.U.M.B.E.R._.O.F._.P.R.O.C.E.S.S.O.R.S.=.1...O.S.=.W.i.n.d.o.w.s._.N.T.
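To show both searches in one place (the plain COMPUTERNAME= scan from the post and the dotted UTF-16 trick from the comment above), here is an added Python example; it is not code from the original post or its comments. The dump bytes are constructed inline, and scan_dump_file() takes whatever path you give it.

```python
import re
import sys

# Constructed sample standing in for a slice of a user dump: the environment
# block appears once as ANSI text and once as UTF-16LE, with junk around it.
SAMPLE_DUMP = (
    b"\x00\x01junk\x00\xff"
    + b"COMPUTERNAME=HOME-PC\x00ComSpec=C:\\W2K3\\system32\\cmd.exe\x00"
    + b"\x12\x34\x00\x00"
    + "COMPUTERNAME=HOME-PC\x00".encode("utf-16-le")
    + b"\xde\xad"
)


def find_env_values(data: bytes, name: bytes = b"COMPUTERNAME=") -> list:
    """Return (encoding, offset, value) for every NAME= hit, ANSI or UTF-16LE.

    ANSI values end at the first NUL byte. UTF-16LE values are consumed two
    bytes at a time until the double-NUL terminator. ASCII text in UTF-16LE
    looks like C\\0O\\0M\\0..., which is exactly why findstr's
    C.O.M.P.U.T.E.R.N.A.M.E pattern matches it: each '.' eats the high NUL byte.
    """
    hits = []
    for m in re.finditer(re.escape(name) + rb"([^\x00]*)\x00", data):
        hits.append(("ansi", m.start(), m.group(1).decode("latin-1")))
    wide_name = name.decode("ascii").encode("utf-16-le")
    wide_pat = re.compile(
        re.escape(wide_name) + rb"((?:(?!\x00\x00)..)*)\x00\x00", re.DOTALL
    )
    for m in wide_pat.finditer(data):
        value = m.group(1).decode("utf-16-le", errors="replace")
        hits.append(("utf-16le", m.start(), value))
    return hits


def scan_dump_file(path: str, name: bytes = b"COMPUTERNAME=") -> list:
    """Scan a dump on disk; reading it whole is fine for typical user dumps."""
    with open(path, "rb") as f:
        return find_env_values(f.read(), name)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for enc, off, val in find_env_values(data):
        print(f"{enc:8s} @0x{off:08x}: {val}")
```

Run it with a dump path as the first argument, or with no argument to see the constructed sample scanned.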
January 8th, 2009 at 10:18 pm
Cool! Thanks for this tip!