Identify the host from a Windows user mode dump file
01-07-2019
Question
Is there an easy way of finding out the host name of a machine that generated a user mode dump file via WinDbg?
Or at least any piece of identifying information to try and confirm that two dump files came from the same system.
Solution
You can do so by analyzing the user dump file with WinDbg. Run the !peb command and look for the value of COMPUTERNAME in its output.
OTHER TIPS
From debugger.chm:
Finding the Computer Name in a Kernel-Mode Dump File
If you need to determine the name of the computer on which the crash dump was made, you can use the !peb extension and look for the value of COMPUTERNAME in its output.
Or you can use the following command:
0: kd> x srv!SrvComputerName
be8ce2e8 srv!SrvComputerName = _UNICODE_STRING "AIGM-MYCOMP-PUB01"
Finding the IP Address in a Kernel-Mode Dump File
To determine the IP address of the computer on which the crash dump was made, find a thread stack that shows some send/receive network activity. Open one of the send packets or receive packets. The IP address will be visible in that packet.
EDIT: I will note that depending on how the dump file was created, the PEB information may not be available and so you won't always be able to find the computer name. Particularly if something came through the Microsoft Winqual site, it has been sanitized.
Using the shortcut for environment variables in the PEB: !envvar COMPUTERNAME
For IP Address list:
3: kd> du poi(poi(srvnet!SrvAdminIpAddressList))
ffffe001`d3d58450 "127.0.0.1"
3: kd> du
ffffe001`d3d58464 "::1"
3: kd>
ffffe001`d3d5846c "169.254.66.248"
3: kd>
ffffe001`d3d5848a ""
3: kd>
ffffe001`d3d5848c "fe80::f0cb:5439:f12f:42f8"
3: kd>
ffffe001`d3d584c0 ""
3: kd>
ffffe001`d3d584c2 "192.168.104.249"
3: kd>
ffffe001`d3d584e2 ""
3: kd>
ffffe001`d3d584e4 "fe80::fc6f:ae16:b336:83dc"
3: kd>
In both kernel and user mode,
10: kd> !envvar COMPUTERNAME
COMPUTERNAME = a-host-name
This retrieves the computer name (aka hostname) of the target PC. It requires the EXTS.dll extension to be loaded, and Windows XP+ (W10 RS3 at the time of writing).
In kernel mode, this does not work directly; !envvar will return empty:
10: kd> !peb
PEB NULL...
Your current context is an idle thread.
The WinDbg (Windows 10 RS3 16299.15 SDK) help for !process only lists bits 0-4; however, I found that bit 5 dumps the whole environment when used together with bits 0 and 4 (Flags = 0b110001). So I use this in a WinDbg startup script to automatically log the computer name.
!process 0 0x31 wininit.exe
will dump all the environment variables:
10: kd> !process 0 0x31 wininit.exe
PROCESS ffffc485c82655c0
SessionId: 0 Cid: 02d0 Peb: 8d04c6b000 ParentCid: 0258
DirBase: 40452f000 ObjectTable: ffffe30b1150fb40 HandleCount: 163.
Image: wininit.exe
VadRoot ffffc485c862b990 Vads 61 Clone 0 Private 326. Modified 12. Locked 2.
DeviceMap ffffe30b0a817880
Token ffffe30b1150f060
ElapsedTime 00:00:18.541
UserTime 00:00:00.000
KernelTime 00:00:00.015
QuotaPoolUsage[PagedPool] 121696
QuotaPoolUsage[NonPagedPool] 11448
Working Set Sizes (now,min,max) (1750, 50, 345) (7000KB, 200KB, 1380KB)
PeakWorkingSetSize 1697
VirtualSize 2097239 Mb
PeakVirtualSize 2097239 Mb
PageFaultCount 2104
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 470
PEB at 0000008d04c6b000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00007ff7be3d0000
Ldr 00007ff8dff4f3a0
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 000001be470e1c10 . 000001be47128d60
Ldr.InLoadOrderModuleList: 000001be470e1d80 . 000001be47128d40
Ldr.InMemoryOrderModuleList: 000001be470e1d90 . 000001be47128d50
Base TimeStamp Module
7ff7be3d0000 600d94df Jan 24 10:40:15 2021 C:\Windows\system32\wininit.exe
7ff8dfdf0000 493793ea Dec 04 03:25:14 2008 C:\Windows\SYSTEM32\ntdll.dll
...
SubSystemData: 0000000000000000
ProcessHeap: 000001be470e0000
ProcessParameters: 000001be470e1460
CurrentDirectory: 'C:\Windows\system32\'
WindowTitle: '< Name not readable >'
ImageFile: 'C:\Windows\system32\wininit.exe'
CommandLine: 'wininit.exe'
DllPath: '< Name not readable >'
Environment: 000001be47104460
ALLUSERSPROFILE=C:\ProgramData
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=a-host-name
ComSpec=C:\Windows\system32\cmd.exe
NUMBER_OF_PROCESSORS=16
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 23 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=23
PROCESSOR_REVISION=0101
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=%ProgramFiles%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\temp
TMP=C:\temp
USERNAME=SYSTEM
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows
You could click on a PEB DML link, or switch context via .process /p <PROCESS_ADDRESS>; then !envvar COMPUTERNAME would also work.
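When WinDbg is not to hand, a dump that captured process memory still holds the PEB environment block as UTF-16LE "NAME=value" strings, so the same COMPUTERNAME (and a few corroborating variables) can be carved straight out of the file bytes. The following is an added example, not code from any of the answers above; the dump contents, host names and the fake_dump/make_env_block helpers are constructed stand-ins, and values are assumed to be ASCII.

```python
import re

# COMPUTERNAME is what the answers above look for; the others corroborate a match.
# USERNAME differs per process, so it is carved for display but not fingerprinted.
IDENT_VARS = ("COMPUTERNAME", "PROCESSOR_IDENTIFIER", "NUMBER_OF_PROCESSORS",
              "SystemRoot", "USERNAME")
FINGERPRINT_VARS = IDENT_VARS[:-1]

def carve_env_vars(dump: bytes) -> dict:
    """Scan raw dump bytes for PEB environment strings "NAME=value\\0" in UTF-16LE.
    Works only if the dump captured the memory holding the environment block
    (e.g. a full-memory user dump); a sanitized or minimal dump yields {}.
    Values are assumed ASCII, which holds for the variables listed above.
    """
    found = {}
    for name in IDENT_VARS:
        key = re.escape((name + "=").encode("utf-16-le"))
        # An entry follows the previous string's NUL (or the buffer start) and
        # ends at the next UTF-16 NUL; each value char is a non-NUL byte + 0x00.
        m = re.search(rb"(?:^|\x00\x00)" + key + rb"((?:[^\x00]\x00)*)\x00\x00", dump)
        if m:
            found[name] = m.group(1).decode("utf-16-le")
    return found

def same_system(dump_a: bytes, dump_b: bytes) -> bool:
    """True when both dumps carry a COMPUTERNAME and every shared identifier agrees."""
    a, b = carve_env_vars(dump_a), carve_env_vars(dump_b)
    if "COMPUTERNAME" not in a or "COMPUTERNAME" not in b:
        return False
    return all(a[k] == b[k] for k in FINGERPRINT_VARS if k in a and k in b)

def make_env_block(pairs) -> bytes:
    """PEB-style environment block: NAME=value\\0 ... \\0 in UTF-16LE (constructed)."""
    return b"".join(f"{k}={v}\0".encode("utf-16-le") for k, v in pairs) + b"\0\0"

def fake_dump(host: str, user: str) -> bytes:
    """Constructed stand-in for a full-memory dump: header, padding, env block, padding."""
    return b"MDMP" + bytes(28) + make_env_block([
        ("ALLUSERSPROFILE", r"C:\ProgramData"),
        ("COMPUTERNAME", host),
        ("NUMBER_OF_PROCESSORS", "16"),
        ("PROCESSOR_IDENTIFIER", "AMD64 Family 23 Model 1 Stepping 1, AuthenticAMD"),
        ("SystemRoot", r"C:\Windows"),
        ("USERNAME", user),
    ]) + bytes(16)

DUMP_A = fake_dump("a-host-name", "SYSTEM")
DUMP_B = fake_dump("a-host-name", "alice")   # same host, different process
DUMP_C = fake_dump("other-host", "SYSTEM")
```

On a real file, pass the whole dump's bytes to carve_env_vars; an empty result is the same signal as the "PEB NULL" or sanitized-dump cases above, meaning the environment block was not captured.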