Is there an easy way of finding out the host name of a machine that generated a user mode dump file via WinDbg?

Or at least any piece of identifying information to try and confirm that two dump files came from the same system.

+1  A: 

From debugger.chm:

Finding the Computer Name in a Kernel-Mode Dump File

If you need to determine the name of the computer on which the crash dump was made, you can use the !peb extension and look for the value of COMPUTERNAME in its output.

Or you can use the following command:

0: kd> x srv!SrvComputerName
be8ce2e8  srv!SrvComputerName  = _UNICODE_STRING "AIGM-MYCOMP-PUB01"

Finding the IP Address in a Kernel-Mode Dump File

To determine the IP address of the computer on which the crash dump was made, find a thread stack that shows some send/receive network activity. Open one of the send packets or receive packets. The IP address will be visible in that packet.

EDIT: I will note that depending on how the dump file was created, the PEB information may not be available and so you won't always be able to find the computer name. Particularly if something came through the Microsoft Winqual site, it has been sanitized.

Using the shortcut for environment variables in the PEB: !envvar COMPUTERNAME

Kris Kumler
Thanks -- I had read that page and tried the "x srv!SrvComputerName" thing but it didn't work, so I had assumed that the content only applied to kernel mode dump files as the title suggested. Using !peb does work though.
Rob Walker
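The !peb and !envvar routes work because the PEB's environment block is a run of UTF-16LE "NAME=VALUE" strings, each ending in a null, and that block is usually captured in a user-mode dump. The following Python script is an added example, not code from the question or either answer: it scans the raw dump bytes for such entries, pulls out COMPUTERNAME (or any other variable name you pass in), and uses it to decide whether two dumps came from the same machine. A sanitized dump, where the block is absent, yields None rather than a guess. The sample "dumps" are constructed inside the script so it runs offline; nothing is read from disk, and the scan is a plain byte search rather than a minidump stream parser, so a stray "COMPUTERNAME=" string outside the PEB would also be picked up.

```python
"""Pull environment-variable identifiers out of a user-mode dump by scanning
for UTF-16LE "NAME=VALUE\0" entries, the layout the PEB environment block uses.

Added example; the helper names and the sample dumps are constructed here and
are not part of the original question or answers.
"""
from typing import List, Optional


def _read_utf16z(buf: bytes, start: int) -> Optional[str]:
    """Read a null-terminated UTF-16LE string starting at `start`.

    Steps two bytes at a time so a 0x00 high byte of an ASCII character is
    never mistaken for the terminator. Returns None if no terminator exists.
    """
    pos = start
    while pos + 1 < len(buf):
        if buf[pos] == 0 and buf[pos + 1] == 0:
            return buf[start:pos].decode("utf-16-le", errors="replace")
        pos += 2
    return None


def find_env_values(dump: bytes, name: str) -> List[str]:
    """Return every distinct value found for environment variable `name`.

    Windows treats variable names case-insensitively, but the env block keeps
    the name as it was set, so match the exact spelling (COMPUTERNAME is
    always upper-case in practice).
    """
    needle = f"{name}=".encode("utf-16-le")
    values: List[str] = []
    pos = dump.find(needle)
    while pos != -1:
        value = _read_utf16z(dump, pos + len(needle))
        if value is not None and value not in values:
            values.append(value)
        pos = dump.find(needle, pos + 2)
    return values


def computer_name(dump: bytes) -> Optional[str]:
    """COMPUTERNAME from the dump, or None if the env block is missing/sanitized."""
    found = find_env_values(dump, "COMPUTERNAME")
    return found[0] if found else None


def same_host(dump_a: bytes, dump_b: bytes) -> Optional[bool]:
    """True/False when both dumps carry a COMPUTERNAME; None when either lacks it."""
    a, b = computer_name(dump_a), computer_name(dump_b)
    if a is None or b is None:
        return None  # cannot confirm either way, do not guess
    return a.casefold() == b.casefold()


def build_fake_dump(env: dict) -> bytes:
    """Constructed stand-in for a dump: a header-ish prefix, then an env block."""
    block = "".join(f"{k}={v}\0" for k, v in env.items()) + "\0"
    return b"MDMP" + b"\x00" * 60 + block.encode("utf-16-le") + b"\xff" * 16


# Constructed sample inputs (not real dump files).
DUMP_A = build_fake_dump({
    "ALLUSERSPROFILE": "C:\\ProgramData",
    "COMPUTERNAME": "TEST-PC-01",
    "USERDOMAIN": "CORP",
})
DUMP_B = build_fake_dump({
    "ALLUSERSPROFILE": "C:\\ProgramData",
    "COMPUTERNAME": "TEST-PC-02",
    "USERDOMAIN": "CORP",
})
DUMP_SANITIZED = b"MDMP" + b"\x00" * 200  # no env block survived


if __name__ == "__main__":
    for label, d in (("A", DUMP_A), ("B", DUMP_B), ("sanitized", DUMP_SANITIZED)):
        print(f"dump {label}: COMPUTERNAME={computer_name(d)!r} "
              f"USERDOMAIN={find_env_values(d, 'USERDOMAIN')}")
    print("A vs A same host:", same_host(DUMP_A, DUMP_A))
    print("A vs B same host:", same_host(DUMP_A, DUMP_B))
    print("A vs sanitized:", same_host(DUMP_A, DUMP_SANITIZED))
```

On a real .dmp file, read it with open(path, "rb").read() and pass the bytes to computer_name(); if it returns None, the PEB (and with it the environment block) was not captured, which matches the caveat in the answer above about sanitized dumps.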
+1  A: 

You can do so by analyzing the user dump file with WinGdb. Run the !peb command and look for the value of COMPUTERNAME in its output.

Martin Cote
s/WinGdb/Windbg/ ??
Adam Mitz