Hi,
Sometimes we would like to know, from a given memory.dmp, on which computer the BSOD happened.
I would like to share with you a nice trick to find the computer name of a given memory.dmp using WinDbg (Debugging Tools for Windows).
It is based on a (not so documented) symbol in the SRV.sys module called srv!SrvComputerName.
When I run the following command:
0: kd> x srv!SrvComputerName
fffff800`0272bf98 srv!SrvComputerName = <no type information>
I actually get the address of this structure...
Let's try to understand what it is:
0: kd> dd fffff800`0272bf98
fffff800`0272bf98 001e001e 00000000 01af7fe0 ffffc000
Hmmm... maybe we can try to fit it into something:
0: kd> dt nt!_UNICODE_STRING fffff8000272bf98
"WIN0000000000000"
+0x000 Length : 0x1e
+0x002 MaximumLength : 0x1e
+0x008 Buffer : 0xffffc000`01af7fe0 "WIN0000000000000"
Believe it or not, this is a Unicode string. You may already know the !ustr command, so to make a long story short, this is the easy way to find the computer name:
0: kd> !ustr srv!SrvComputerName
String(30,30) srv!SrvComputerName+0000000000000000 at fffff8000272bf98: WIN0000000000000
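The same reading of the dd output can be done by hand. The following Python is an added example, not part of the original post: it repacks the four dwords from the dd line as little-endian bytes and unpacks them with the x64 _UNICODE_STRING layout (Length, MaximumLength, 4 bytes of padding, Buffer). The function names and the plausibility checks are illustrative assumptions.

```python
import struct

# Constructed input: the dd line from the post, copied as text.
DD_LINE = "fffff800`0272bf98 001e001e 00000000 01af7fe0 ffffc000"


def parse_dd_line(line):
    """Return (address, raw bytes) for one line of WinDbg `dd` output."""
    addr_text, *dwords = line.split()
    address = int(addr_text.replace("`", ""), 16)
    # dd prints each 32-bit value as a number; in memory it is little-endian.
    raw = b"".join(struct.pack("<I", int(d, 16)) for d in dwords)
    return address, raw


def decode_unicode_string(raw):
    """Interpret the first 16 bytes as an x64 _UNICODE_STRING header."""
    if len(raw) < 16:
        raise ValueError("an x64 _UNICODE_STRING header is 16 bytes")
    # USHORT Length; USHORT MaximumLength; 4 bytes padding; PWSTR Buffer
    length, max_length, _pad, buffer = struct.unpack_from("<HHIQ", raw)
    return {"Length": length, "MaximumLength": max_length, "Buffer": buffer}


def looks_like_unicode_string(us):
    """Heuristic: do these fields plausibly describe a kernel UNICODE_STRING?"""
    return (
        us["Length"] % 2 == 0                     # byte count of UTF-16 text
        and us["Length"] <= us["MaximumLength"]
        and us["Buffer"] >> 47 == 0x1FFFF         # canonical kernel-half pointer
    )


if __name__ == "__main__":
    address, raw = parse_dd_line(DD_LINE)
    us = decode_unicode_string(raw)
    print(f"header at {address:#x}")
    print(f"  +0x000 Length        : {us['Length']:#x}")
    print(f"  +0x002 MaximumLength : {us['MaximumLength']:#x}")
    print(f"  +0x008 Buffer        : {us['Buffer']:#x}")
    print(f"  plausible UNICODE_STRING: {looks_like_unicode_string(us)}")
```

The decoded fields match the dt nt!_UNICODE_STRING output above; the name itself lives at the Buffer address, which is not part of the 16 bytes shown by dd.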
Good luck!
Alon