Where did the crash dump come from?

This is a basic check, and a very useful one if your customer complains that the fix you sent yesterday doesn’t work: check the computer name in the dump, because it could be that your fix wasn’t applied to all computers. Here is a short summary for the different dump types:

1. Complete/kernel memory dumps: dS srv!srvcomputername

1: kd> dS srv!srvcomputername
e17c9078 "COMPUTER-NAME"

2. User dumps: !peb and the subsequent search inside the environment variables

0:000> !peb
PEB at 7ffde000
...
...
...
Environment: 0x10000
...
0:000> s-su 0x10000 0x20000
...
...
000123b2 "COMPUTERNAME=COMPUTER-NAME"
...
...

The dS command shown above interprets the address as a pointer to a UNICODE_STRING structure, which is used widely inside Windows kernel space:

1: kd> dt _UNICODE_STRING
+0x000 Length : Uint2B
+0x002 MaximumLength : Uint2B
+0x004 Buffer : Ptr32 Uint2B

DDK definition:

typedef struct _UNICODE_STRING {
    USHORT Length;          /* length of Buffer in bytes, not counting any terminator */
    USHORT MaximumLength;   /* size of the Buffer allocation in bytes */
    PWSTR  Buffer;          /* pointer to the WCHAR data; not necessarily NUL-terminated */
} UNICODE_STRING, *PUNICODE_STRING;

Let’s dd the name:

1: kd> dd srv!srvcomputername l2
f5e8d1a0 0022001a e17c9078

Such a combination of two short integers followed by an address is usually an indication that you are looking at a UNICODE_STRING structure:

1: kd> du e17c9078
e17c9078 "COMPUTER-NAME   "

We can double-check it with dt command:

1: kd> dt _UNICODE_STRING f5e8d1a0
"COMPUTER-NAME"
+0x000 Length : 0x1a
+0x002 MaximumLength : 0x22
+0x004 Buffer : 0xe17c9078 "COMPUTER-NAME"
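The same decoding done outside the debugger, as an added example that is not part of the original post: a small Python parser over a constructed memory image that mirrors the dd/du values above, extended to the x64 layout (where Buffer sits at +8 behind 4 bytes of padding) and to the user-dump case of walking the PEB environment block for COMPUTERNAME. The addresses, the name and the environment contents are constructed sample data.

```python
import struct

# Constructed sample mirroring the dd/du output in the post (illustrative values, not a real dump).
NAME = "COMPUTER-NAME"
NAME_BYTES = NAME.encode("utf-16-le")   # 0x1a bytes; Length counts bytes, no NUL
MAX_LEN = 0x22                          # MaximumLength: allocation size incl. slack
HDR_ADDR = 0xF5E8D1A0                   # address of srv!srvcomputername
BUF_ADDR = 0xE17C9078                   # value of UNICODE_STRING.Buffer

def struct_fmt(ptr_size):
    """x86: Buffer at +4 (two dwords under dd). x64: 4 bytes of padding after
    MaximumLength, then an 8-byte Buffer at +8 (hence dq/dp instead of dd)."""
    return "<HHI" if ptr_size == 4 else "<HH4xQ"

def build_sample_memory(ptr_size=4):
    """Fake memory image {base: bytes}: header at HDR_ADDR, string at BUF_ADDR."""
    return {
        HDR_ADDR: struct.pack(struct_fmt(ptr_size), len(NAME_BYTES), MAX_LEN, BUF_ADDR),
        BUF_ADDR: NAME_BYTES + b"\x00" * (MAX_LEN - len(NAME_BYTES)),
    }

def read(memory, addr, size):
    """Read size bytes at addr (like db); fail loudly on an unmapped range."""
    for base, blob in memory.items():
        if base <= addr and addr + size <= base + len(blob):
            return blob[addr - base:addr - base + size]
    raise ValueError(f"{addr:#x} not mapped")

def parse_unicode_string(memory, addr, ptr_size=4):
    """Decode a UNICODE_STRING at addr the way `dt _UNICODE_STRING addr` does."""
    fmt = struct_fmt(ptr_size)
    length, max_len, buf = struct.unpack(fmt, read(memory, addr, struct.calcsize(fmt)))
    # Plausibility check before trusting the "two shorts, then a pointer" pattern.
    if length % 2 or length > max_len:
        raise ValueError("header does not look like a UNICODE_STRING")
    text = read(memory, buf, length).decode("utf-16-le")
    return {"Length": length, "MaximumLength": max_len, "Buffer": buf, "text": text}

def computer_name_from_env(env_block):
    """User dumps: walk the PEB environment block (UTF-16 'VAR=VALUE' entries
    separated by NUL, double-NUL terminated) for COMPUTERNAME, automating `s -su`."""
    for entry in env_block.decode("utf-16-le").split("\x00"):
        if entry.upper().startswith("COMPUTERNAME="):
            return entry.split("=", 1)[1]
    return None

# Constructed environment block as a user-mode process would carry it.
SAMPLE_ENV = "".join(f"{k}={v}\x00" for k, v in [("ALLUSERSPROFILE", r"C:\ProgramData"),
    ("COMPUTERNAME", NAME), ("PATH", r"C:\Windows")]).encode("utf-16-le") + b"\x00\x00"
```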

- Dmitry Vostokov -

6 Responses to “Where did the crash dump come from?”

  1. Crash Dump Analysis » Blog Archive » WinDbg shortcuts: !envvar Says:

    […] Where did the crash dump come from? […]

  2. Crash Dump Analysis » Blog Archive » Where did the crash dump come from? (Part 2) Says:

    […] (0x7D9) - The Year of Debugging. Part 1 focused on using a debugger to extract a computer name from memory dumps. Here is a very simple […]

  3. Dmitry Vostokov Says:

    Alex Ionescu, in his comment, advised using !ustr instead of dt _UNICODE_STRING:

    http://www.softwaregeneralist.com/2009/08/17/reading-notebook-17-august-09/#comments

  4. Dmitry Vostokov Says:

    On x64 we should use the dq command instead of dd. Or better, use the dp command, which takes the platform pointer size into account.

  5. Crash Dump Analysis » Blog Archive » Reflecting on 2008 (Part 1) Says:

    […] crash dump analyzer how to open corrupt memory dump rtlfreeheap+38e how to use windbg dd srvcomputername dmitry vostokov warning: stack unwind information not available. following frames may be wrong. […]

  6. Dmitry Vostokov Says:

    For user process dumps: if !peb doesn’t work, load some known ntdll version which has symbols, or get the _PEB address from !teb or from any _TEB address +0x30 or +0x60 (x64). Use ~ to get _TEB addresses.
