Comments on: Where did the crash dump come from? https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 07:26:00 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-767698 Dmitry Vostokov Sun, 26 Sep 2021 20:46:15 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-767698 But it can also be seen in !analyze -v output even in kernel dumps (Windows 10) But it can also be seen in !analyze -v output even in kernel dumps (Windows 10)

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-767697 Dmitry Vostokov Sun, 26 Sep 2021 20:11:01 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-767697 srv!srvcomputername is no longer available in the latest Windows 10 versions: https://www.osr.com/blog/2018/06/22/finding-computer-name-crash-dump-2018-edition/ This can be simplified as: 1: kd> dS mrxsmb!SmbCeContext+10 ffffdb0d`dd910860 "DESKTOP-OGPC0LO" srv!srvcomputername is no longer available in the latest Windows 10 versions:

https://www.osr.com/blog/2018/06/22/finding-computer-name-crash-dump-2018-edition/

This can be simplified as:

1: kd> dS mrxsmb!SmbCeContext+10
ffffdb0d`dd910860 “DESKTOP-OGPC0LO”

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-428236 Dmitry Vostokov Thu, 23 Feb 2012 17:30:33 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-428236 For user process dumps: if !peb doesn't work load some known ntdll version which has symbols or get _PEB address from !teb or from any _TEB address +0x30 or +0x60 (x64). Use ~ to get _TEB addresses. For user process dumps: if !peb doesn’t work load some known ntdll version which has symbols or get _PEB address from !teb or from any _TEB address +0×30 or +0×60 (x64). Use ~ to get _TEB addresses.

]]> By: Crash Dump Analysis » Blog Archive » Reflecting on 2008 (Part 1) https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-159017 Crash Dump Analysis » Blog Archive » Reflecting on 2008 (Part 1) Thu, 17 Jun 2010 14:09:11 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-159017 [...] crash dump analyzer how to open corrupt memory dump rtlfreeheap+38e how to use windbg dd srvcomputername dmitry vostokov warning: stack unwind information not available. following frames may be wrong. [...] […] crash dump analyzer how to open corrupt memory dump rtlfreeheap+38e how to use windbg dd srvcomputername dmitry vostokov warning: stack unwind information not available. following frames may be wrong. […]

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-133141 Dmitry Vostokov Thu, 11 Mar 2010 11:15:54 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-133141 On x64 we should use dq command instead of dd. Or better use dp command that takes into account platform pointer size On x64 we should use dq command instead of dd. Or better use dp command that takes into account platform pointer size

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-89696 Dmitry Vostokov Wed, 19 Aug 2009 23:05:14 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-89696 Alex Ionescu in his comment advised to use !ustr instead of dt _UNICODE_STRING: http://www.softwaregeneralist.com/2009/08/17/reading-notebook-17-august-09/#comments Alex Ionescu in his comment advised to use !ustr instead of dt _UNICODE_STRING:

http://www.softwaregeneralist.com/2009/08/17/reading-notebook-17-august-09/#comments

]]> By: Crash Dump Analysis » Blog Archive » Where did the crash dump come from? (Part 2) https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-61835 Crash Dump Analysis » Blog Archive » Where did the crash dump come from? (Part 2) Thu, 08 Jan 2009 15:34:32 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-61835 [...] (0x7D9) - The Year of DebuggingPart 1 focused on using a debugger to extract a computer name from memory dumps. Here is a very simple [...] […] (0×7D9) - The Year of DebuggingPart 1 focused on using a debugger to extract a computer name from memory dumps. Here is a very simple […]

]]> By: Crash Dump Analysis » Blog Archive » WinDbg shortcuts: !envvar https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-36878 Crash Dump Analysis » Blog Archive » WinDbg shortcuts: !envvar Mon, 04 Aug 2008 21:31:23 +0000 https://www.dumpanalysis.org/blog/index.php/2007/05/22/where-did-the-crash-dump-come-from/#comment-36878 [...] Where did the crash dump come from? [...] […] Where did the crash dump come from? […]

]]>