Last reviewed and updated: 10 August 2020
I was looking at a few different crashes today that were all eerily similar. In doing so, I realized that I hadn’t asked if these were all different systems or the same system. I could have just asked the person reporting the crashes, but what fun is that?
Prior to Windows 10, the computer name was readily available within the SRV module. It was even documented:
0: kd> x srv!SrvComputerName
be8ce2e8 srv!SrvComputerName = _UNICODE_STRING "AIGM-MYCOMP-PUB01"
Aside
When you have a minute, check the link above and read how they suggest you find the IP address from the dump. It’s truly awesome (“Yeah, uhm, the IP address is probably on the stack somewhere…Have a nice day!!”).
The only trick is that the example x command doesn’t work with public symbols. You instead need to use dS (“Display Pointer to UNICODE_STRING”):
1: kd> dS srv!SrvComputerName
9f44d458  "WIN81UPDATEX86"
I discovered today that the srv!SrvComputerName trick no longer works on Windows 10. srv has been replaced with srv2 and there is no longer an SrvComputerName symbol:
2: kd> x srv!SrvComputerName
         ^ Couldn't resolve 'x srv'
2: kd> x srv2!SrvComputerName
Hoping that I might strike gold, I decided to search every module in the system for a symbol containing the string “ComputerName”:
2: kd> x *!*ComputerName*
a0c7c410 mslldp!lldpReadComputerName ()
a0cc6ae0 HTTP!UxGetComputerName ()
a0da2a07 bowser!BowserCopyOemComputerName ()
a0dd6988 mrxsmb!SmbCeGetComputerName (void)
a0dea1c4 mrxsmb!SmbCeSetComputerNameSid ()
a0ebc36a srvnet!SrvLibGetComputerName ()
Sadly, all of these were functions instead of simple globals containing the string. However, with a bit more digging I discovered that mrxsmb keeps a global array of pointers to UNICODE_STRING holding the following four values:
- Domain Name
- Computer Name
- Windows SKU + Build Number
- Windows SKU + Version
Even better, this array exists back to at least Windows 7! So, this leads me to my new fancy way to get computer information from a crash dump:
1: kd> r @$t0 = @@masm(mrxsmb!SmbCeContext); dx (nt!_UNICODE_STRING[4])(@$t0)
@$mrxArray = (nt!_UNICODE_STRING[4])(@$t0)                 [Type: _UNICODE_STRING [4]]
    [0]              : "WORKGROUP" [Type: _UNICODE_STRING]
    [1]              : "WIN81UPDATEX86" [Type: _UNICODE_STRING]
    [2]              : "Windows 8.1 Pro 9600" [Type: _UNICODE_STRING]
    [3]              : "Windows 8.1 Pro 6.3" [Type: _UNICODE_STRING]
Another example:
2: kd> r @$t0 = @@masm(mrxsmb!SmbCeContext); dx (nt!_UNICODE_STRING[4])(@$t0)
Last set context:
@$mrxArray = (nt!_UNICODE_STRING[4])(@$t0)                 [Type: _UNICODE_STRING [4]]
    [0]              : "WOMBLE" [Type: _UNICODE_STRING]
    [1]              : "TATOOINE" [Type: _UNICODE_STRING]
    [2]              : "Windows 10 Enterprise 17134" [Type: _UNICODE_STRING]
    [3]              : "Windows 10 Enterprise 6.3" [Type: _UNICODE_STRING]
That command is, of course, impossible to remember. If you want to sleaze out, you can instead just do a dpu mrxsmb!SmbCeContext. This simply dumps out PWCHARs starting at the given address, which is close enough to give you the idea. The only important thing to note is that the strings displayed might not be properly NULL terminated: a UNICODE_STRING’s Buffer is not required to end in a NULL (its Length field says how many bytes are valid), and dpu knows nothing about Length, so it keeps reading until it happens to hit a NULL WCHAR.
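To make the difference between the dx read and the dpu shortcut concrete, here is an added example (not code from the original post) that parses a four-entry UNICODE_STRING array out of a raw memory image the way dx (nt!_UNICODE_STRING[4])(@$t0) does, and beside it a NUL-terminated read that models what dpu does with each pointer it dereferences. The memory image, the addresses standing in for mrxsmb!SmbCeContext and the string buffers, and the use of the page’s own sample values are all constructed for the demo; the only real facts it relies on are the UNICODE_STRING layout (Length and MaximumLength in bytes, then the Buffer pointer at offset 4 on x86 or 8 on x64) and that Buffer need not be NUL terminated.

```python
import struct

# UNICODE_STRING layout: USHORT Length; USHORT MaximumLength; PWSTR Buffer.
# Length is in BYTES and the Buffer is NOT required to be NUL terminated.
# x86: Buffer at offset 4, 8 bytes total; x64: Buffer at offset 8, 16 bytes total.
LAYOUT = {4: ("<HHI", 8), 8: ("<HH4xQ", 16)}

# Assumed addresses for the demo (not from the original post).
CTX_BASE = {4: 0x9f440000, 8: 0xfffff80012340000}   # stands in for mrxsmb!SmbCeContext
POOL_BASE = {4: 0x9f450000, 8: 0xffffc000aaaa0000}  # where the string buffers live
# Constructed sample values: the same four fields the array holds on the page.
SAMPLE = ["WORKGROUP", "WIN81UPDATEX86", "Windows 8.1 Pro 9600", "Windows 8.1 Pro 6.3"]


class MemoryImage:
    """Minimal stand-in for debugger target memory: a few mapped byte regions."""

    def __init__(self, regions):
        self.regions = regions  # {base_address: bytes}

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x} ({size} bytes)")


def read_unicode_string(mem, addr, ptr_size):
    """Read one UNICODE_STRING honouring Length, the way dS and dx do."""
    fmt, size = LAYOUT[ptr_size]
    length, _maxlen, buf = struct.unpack(fmt, mem.read(addr, size))
    if buf == 0 or length == 0:
        return ""
    return mem.read(buf, length).decode("utf-16-le")


def read_unicode_string_array(mem, addr, count, ptr_size):
    """Equivalent of dx (nt!_UNICODE_STRING[count])(addr)."""
    _, size = LAYOUT[ptr_size]
    return [read_unicode_string(mem, addr + i * size, ptr_size) for i in range(count)]


def nul_terminated_read(mem, buf, max_chars=256):
    """What dpu does with a pointer it dereferences: read WCHARs until a NUL,
    with no knowledge of Length. Stops if it walks off mapped memory."""
    chars = []
    for i in range(max_chars):
        try:
            (wc,) = struct.unpack("<H", mem.read(buf + 2 * i, 2))
        except ValueError:
            break  # the debugger would show ???? here
        if wc == 0:
            break
        chars.append(chr(wc))
    return "".join(chars)


def build_sample_image(strings, ptr_size, terminate):
    """Construct a fake memory image: a UNICODE_STRING[len(strings)] at CTX_BASE
    whose Buffers point into POOL_BASE, laid out back to back. `terminate`
    decides whether each buffer gets a trailing NUL WCHAR (real ones often don't)."""
    fmt, _ = LAYOUT[ptr_size]
    structs, pool = bytearray(), bytearray()
    for s in strings:
        encoded = s.encode("utf-16-le")
        buf_addr = POOL_BASE[ptr_size] + len(pool)
        pool += encoded
        maxlen = len(encoded)
        if terminate:
            pool += b"\x00\x00"
            maxlen += 2
        structs += struct.pack(fmt, len(encoded), maxlen, buf_addr)
    return MemoryImage({CTX_BASE[ptr_size]: bytes(structs),
                        POOL_BASE[ptr_size]: bytes(pool)})


def demo(ptr_size=8, terminate=False):
    """Return (dx-style array read, dpu-style read of the first buffer)."""
    mem = build_sample_image(SAMPLE, ptr_size, terminate)
    array = read_unicode_string_array(mem, CTX_BASE[ptr_size], len(SAMPLE), ptr_size)
    naive = nul_terminated_read(mem, POOL_BASE[ptr_size])
    return array, naive


if __name__ == "__main__":
    array, naive = demo()
    for i, value in enumerate(array):
        print(f"[{i}] : \"{value}\"")
    print("NUL-terminated read of [0] with unterminated buffers:", naive)
```

With the buffers packed together and unterminated, the Length-aware read returns the four separate values while the dpu-style read of the first buffer runs straight through all four of them; pass terminate=True and the two agree, which is why dpu is usually "close enough" but not something to trust for exact values.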
Happy Debugging!