Identify the host from a Windows user mode dump file

Question

Is there an easy way of finding out the host name of a machine that generated a user mode dump file via WinDbg?

Or at least any piece of identifying information to try and confirm that two dump files came from the same system.

Answer 1

You can do so by analyzing the user dump file with WinDbg. Run the !peb command and look for the value of COMPUTERNAME in its output.

Answer 2

From debugger.chm:

Finding the Computer Name in a Kernel-Mode Dump File

If you need to determine the name of the computer on which the crash dump was made, you can use the !peb extension and look for the value of COMPUTERNAME it its output.

Or you can use the following command:

0: kd> x srv!SrvComputerName
be8ce2e8  srv!SrvComputerName  = _UNICODE_STRING "AIGM-MYCOMP-PUB01"

Finding the IP Address in a Kernel-Mode Dump File

To determine the IP address of the computer on which the crash dump was made, find a thread stack that shows some send/receive network activity. Open one of the send packets or receive packets. The IP address will be visible in that packet.

EDIT: I will note that depending on how the dump file was created, the PEB information may not be available and so you won't always be able to find the computer name. Particularly if something came through the Microsoft Winqual site, it has been sanitized.

Using the shortcut for environment variables in the PEB: !envvar COMPUTERNAME

Answer 3

For IP Address list:
3: kd> du poi(poi(srvnet!SrvAdminIpAddressList))
ffffe001d3d58450 "127.0.0.1" 3: kd> du
ffffe001d3d58464 "::1"
3: kd>
ffffe001d3d5846c "169.254.66.248"
3: kd>
ffffe001d3d5848a ""
3: kd>
ffffe001d3d5848c "fe80::f0cb:5439:f12f:42f8"
3: kd>
ffffe001d3d584c0 ""
3: kd> ffffe001d3d584c2 "192.168.104.249" 3: kd> ffffe001d3d584e2 ""
3: kd>
ffffe001`d3d584e4 "fe80::fc6f:ae16:b336:83dc"
3: kd>

Answer 4

In both kernel and user mode,

10: kd> !envvar COMPUTERNAME
COMPUTERNAME = a-host-name

Retrieves the computer name aka hostname of the target PC.

It requires EXTS.dll extension to be loaded, and Windows XP+ (W10 RS3 at the time of writing).

In kernel mode, this does not work directly, !envvar will return empty

10: kd> !peb
PEB NULL...

Your current context is an idle thread.

WinDbg (Windows 10 RS3 16299.15 SDK) help for !process only lists bits 0-4, however I found bit 5 dumps whole environment when used with 0 and 4. Flags = 0b110001. So I use this during WinDbg startup script to automatically log the computer name.

!process 0 0x31 wininit.exe

Will dump the all the environment variables:

10: kd> !process 0 0x31 wininit.exe
PROCESS ffffc485c82655c0
    SessionId: 0  Cid: 02d0    Peb: 8d04c6b000  ParentCid: 0258
    DirBase: 40452f000  ObjectTable: ffffe30b1150fb40  HandleCount: 163.
    Image: wininit.exe
    VadRoot ffffc485c862b990 Vads 61 Clone 0 Private 326. Modified 12. Locked 2.
    DeviceMap ffffe30b0a817880
    Token                             ffffe30b1150f060
    ElapsedTime                       00:00:18.541
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.015
    QuotaPoolUsage[PagedPool]         121696
    QuotaPoolUsage[NonPagedPool]      11448
    Working Set Sizes (now,min,max)  (1750, 50, 345) (7000KB, 200KB, 1380KB)
    PeakWorkingSetSize                1697
    VirtualSize                       2097239 Mb
    PeakVirtualSize                   2097239 Mb
    PageFaultCount                    2104
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      470

    PEB at 0000008d04c6b000            
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00007ff7be3d0000
    Ldr                       00007ff8dff4f3a0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 000001be470e1c10 . 000001be47128d60
    Ldr.InLoadOrderModuleList:           000001be470e1d80 . 000001be47128d40
    Ldr.InMemoryOrderModuleList:         000001be470e1d90 . 000001be47128d50
                    Base TimeStamp                     Module
            7ff7be3d0000 600d94df Jan 24 10:40:15 2021 C:\Windows\system32\wininit.exe
            7ff8dfdf0000 493793ea Dec 04 03:25:14 2008 C:\Windows\SYSTEM32\ntdll.dll
...
    SubSystemData:     0000000000000000
    ProcessHeap:       000001be470e0000
    ProcessParameters: 000001be470e1460
    CurrentDirectory:  'C:\Windows\system32\'
    WindowTitle:  '< Name not readable >'
    ImageFile:    'C:\Windows\system32\wininit.exe'
    CommandLine:  'wininit.exe'
    DllPath:      '< Name not readable >'
    Environment:  000001be47104460
        ALLUSERSPROFILE=C:\ProgramData
        CommonProgramFiles=C:\Program Files\Common Files
        CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
        CommonProgramW6432=C:\Program Files\Common Files
        COMPUTERNAME=a-host-name
        ComSpec=C:\Windows\system32\cmd.exe
        NUMBER_OF_PROCESSORS=16
        OS=Windows_NT
        Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=AMD64
        PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 1 Stepping 1, AuthenticAMD
        PROCESSOR_LEVEL=23
        PROCESSOR_REVISION=0101
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        ProgramFiles(x86)=C:\Program Files (x86)
        ProgramW6432=C:\Program Files
        PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
        PUBLIC=C:\Users\Public
        SystemDrive=C:
        SystemRoot=C:\Windows
        TEMP=C:\temp
        TMP=C:\temp
        USERNAME=SYSTEM
        USERPROFILE=C:\Windows\system32\config\systemprofile
        windir=C:\Windows

You could click on a PEB dml link, or switch context via .process /p <PROCESS_ADDRESS>, then !envvar COMPUTERNAME would also work.