

Fetch Computer Name from Windows Memory.dmp file using WinDbg

Hi,

Sometimes we would like to know from a given memory.dmp on which computer the BSOD happened.
I would like to share with you a nice trick to find the computer name of a given memory.dmp using WinDbg (Debugging Tools for Windows).

So it is based on the (not so documented) symbol found in the SRV.sys module, called srv!SrvComputerName.
When I run the following command:

0: kd> x srv!SrvComputerName
fffff800`0272bf98 srv!SrvComputerName = <no type information>
I actually get the address of this structure...
Let's try to understand what it is:

0: kd> dd fffff800`0272bf98
fffff800`0272bf98  001e001e 00000000 01af7fe0 ffffc000
Hmmm...maybe we can try fit it into something:

0: kd> dt nt!_UNICODE_STRING fffff8000272bf98
 "WIN0000000000000"
   +0x000 Length           : 0x1e
   +0x002 MaximumLength    : 0x1e
   +0x008 Buffer           : 0xffffc000`01af7fe0  "WIN0000000000000"

Believe it or not - this is a UNICODE_STRING... So you might know the !ustr command, and to make a long story short - this is the easy way to find the computer name:

0: kd> !ustr srv!SrvComputerName
String(30,30) srv!SrvComputerName+0000000000000000 at fffff8000272bf98: WIN0000000000000
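To show what !ustr is doing under the hood, here is an added Python example (not part of the original post, and not WinDbg code) that reads a nt!_UNICODE_STRING the same way: it takes the four dwords from the dd line above, repacks them as little-endian bytes, interprets them as Length / MaximumLength / Buffer, and then reads Length bytes of UTF-16LE from the Buffer address. The memory image, the computer name "LAB-WORKSTATION" and the read_memory() callback are constructed for the example; only the header values (0x1e, 0x1e, 0xffffc000`01af7fe0) and the two addresses are taken from the post.

```python
import struct

# Constructed sample "kernel memory": a dict of base address -> bytes.
# Header values match the dd output on the page; the name itself is made up
# (15 characters = 30 bytes = 0x1e, which is what Length says).
COMPUTER_NAME = "LAB-WORKSTATION"
STRING_ADDR = 0xfffff8000272bf98          # srv!SrvComputerName (from the page)
BUFFER_ADDR = 0xffffc00001af7fe0          # Buffer field (from the page)
BAD_ADDR = 0xfffff8000272bfa8             # constructed: corrupt header for the error path
MEMORY = {
    STRING_ADDR: struct.pack("<HH4xQ", 0x1e, 0x1e, BUFFER_ADDR),
    BUFFER_ADDR: COMPUTER_NAME.encode("utf-16-le"),
    BAD_ADDR: struct.pack("<HH4xQ", 0x40, 0x1e, BUFFER_ADDR),  # Length > MaximumLength
}


def read_memory(addr, size):
    """Read `size` bytes from the constructed image.

    Raises LookupError for an unmapped range, the equivalent of the debugger
    showing ???????? when a buffer is not present in the dump."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + size <= base + len(blob):
            off = addr - base
            return blob[off:off + size]
    raise LookupError(f"unmapped read at {addr:#x} ({size} bytes)")


def parse_dd_line(line):
    """Turn one line of `dd` output ("addr  dw dw dw dw") into (addr, bytes).

    dd prints each dword as a host-order value, so repacking each one as a
    little-endian u32 restores the original byte order in memory."""
    parts = line.replace("`", "").split()
    addr = int(parts[0], 16)
    data = b"".join(struct.pack("<I", int(p, 16)) for p in parts[1:])
    return addr, data


def unpack_unicode_string_header(raw):
    """x64 nt!_UNICODE_STRING: u16 Length, u16 MaximumLength, 4 pad, u64 Buffer.
    Returns (length, maximum_length, buffer)."""
    return struct.unpack("<HH4xQ", raw[:16])


def parse_unicode_string(read, addr):
    """Resolve a UNICODE_STRING at `addr` to a Python str, like !ustr does.

    Length is a byte count, not a character count, and the string is not
    NUL-terminated, so exactly Length bytes are read from Buffer."""
    length, maxlen, buf = unpack_unicode_string_header(read(addr, 16))
    if length % 2:
        raise ValueError(f"odd Length {length:#x}: not UTF-16")
    if length > maxlen:
        raise ValueError(f"Length {length:#x} exceeds MaximumLength {maxlen:#x}")
    if buf == 0 or length == 0:
        return ""
    return read(buf, length).decode("utf-16-le")


def computer_name_from_dd(dd_line, read):
    """Given the dd line for srv!SrvComputerName, return the computer name."""
    addr, raw = parse_dd_line(dd_line)
    # Sanity check: the repacked bytes must be what is actually at addr.
    if read(addr, len(raw)) != raw:
        raise ValueError("dd output does not match the memory image")
    return parse_unicode_string(read, addr)


if __name__ == "__main__":
    line = "fffff800`0272bf98  001e001e 00000000 01af7fe0 ffffc000"
    print(computer_name_from_dd(line, read_memory))
```

The two checks before decoding matter in practice: a Length larger than MaximumLength or an odd Length means the header is corrupt or the symbol resolved to the wrong address, and a Buffer that is unmapped in the dump (kernel dumps do not contain paged-out memory) should be reported rather than silently produce garbage.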

Good luck!

Alon