Background Information
For saving out crash dumps, I have a script passed to cdb.exe in the Debugger value of the AeDebug registry key:
C:\progra~1\debugg~1\cdb.exe -p %ld -e %ld -g -y SRV*c:\mss*http://msdl.microsoft.com/download/symbols -c "$<d:\tgticker\Dumps\RDFD.cdbscript"
Here is the first portion of the script:
as /c CrashFirstModule .printf "%mu", @@c++((*(ntdll!_LDR_DATA_TABLE_ENTRY**)&@$peb->Ldr->InLoadOrderModuleList.Flink)->BaseDllName.Buffer)
.logopen /t d:\tgticker\dumps\${CrashFirstModule}_process.log
* (...)
The Problem
Generally, this works exactly as I would like; I get log files with sensible names like:
LHCBDRDT.exe_process_147c_2009-01-06_23-10-05-371.log
However, for some crashes (which I call Poof-Crashes because the application just exits with no exception or anything), I get a log file name like this:
${CrashFirstModule}_process_17a8_2009-01-06_23-10-01-124.log
This is because the alias command has failed to set the alias. The alias command is one that I harvested from DumpAnalysis.org. This command pulls the name out of the PEB Header for the image, using ntdll.dll. My guess is that the alias command fails because either the process can no longer be found by ntdll.dll or the PEB Header for the image has been corrupted.
I'm certain that the information is still available. In particular, I can load the dump or the log and see the image name. On DumpAnalysis.org, he talks about earlier attempts to get the name using this command:
as /c CrashApp lmM *.exe 1m
The problem with it was a line break at the end. He switched to the .printf command to get rid of that issue, but I think perhaps this command could be modified to get rid of the line ending issue.
The Question
Does anyone know or have a command to get the name of the image as an alias for use in filenames which would still work in these situations?