Extract information from a dump file

Some information, such as the name of the target computer, is easily available during live debugging. You can also debug a dump file to determine the information. This article explains how to extract information from a dump file.

For general information on working with dump files, see:

Find the computer name in a kernel-mode dump file

Use the !peb extension if you need to determine the name of the computer on which the crash dump was made. Look for the value of COMPUTERNAME in its output.

Find the IP address in a kernel-mode dump file

To determine the IP address of the computer on which the crash dump was made, find a thread stack that shows some send or receive network activity. Open one of the send or receive packets. The IP address is visible in that packet.

Find the process ID in a user-mode dump file

To determine the process ID of the target application from a user-mode dump file, use the | (Process status) command. This command displays all the processes being debugged at the time the dump was written. The process marked with a period (.) is the current process. Its process ID is given in hexadecimal after the id: notation.
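The following script is an added example, not part of the original article or of the debugger. It parses saved debugger output to pull the current process ID from a | (Process status) listing and the COMPUTERNAME value from !peb output, as described in the sections above. The sample text, host name, and function names are constructed for illustration, and the exact column layout of the listing is an assumption.

```python
import re

# Constructed samples of saved debugger output (not from a real system).
PROCESS_STATUS_SAMPLE = r"""
0:000> |
   0  id: 1234  examine  name: C:\Tools\helper.exe
.  1  id: 1a2c  examine  name: C:\Program Files\Contoso\app.exe
"""
PEB_SAMPLE = r"""
    Environment:
        ALLUSERSPROFILE=C:\ProgramData
        COMPUTERNAME=WKS-EXAMPLE-01
        USERDOMAIN=EXAMPLE
"""

# One line per process: optional marker, index, "id:" in hex, state, "name:".
PROC_LINE = re.compile(
    r"^[ \t]*(?P<mark>[^\w\s]?)[ \t]*(?P<idx>\d+)[ \t]+id:[ \t]*"
    r"(?P<pid>[0-9a-fA-F]+)[ \t]+\S+[ \t]+name:[ \t]*(?P<name>.*\S)",
    re.MULTILINE,
)
ENV_LINE = re.compile(r"^[ \t]*COMPUTERNAME=(\S+)[ \t]*$", re.MULTILINE | re.IGNORECASE)

def parse_process_status(text):
    """Return one dict per process listed in the | output."""
    return [
        {
            "current": m["mark"] == ".",   # a period marks the current process
            "index": int(m["idx"]),
            "pid": int(m["pid"], 16),      # id: is hexadecimal, even if it looks decimal
            "name": m["name"],
        }
        for m in PROC_LINE.finditer(text)
    ]

def current_pid(text):
    """Return the decimal PID of the process marked with a period."""
    current = [p for p in parse_process_status(text) if p["current"]]
    if len(current) != 1:
        raise ValueError("expected exactly one process marked with '.'")
    return current[0]["pid"]

def computer_name(peb_text):
    """Return the COMPUTERNAME value from !peb output, or None if absent."""
    m = ENV_LINE.search(peb_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(current_pid(PROCESS_STATUS_SAMPLE), computer_name(PEB_SAMPLE))
```

Converting the hexadecimal id: value to decimal makes it easier to match the process against logs and tools that record process IDs in decimal.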

Integrate WER into applications

Windows Error Reporting (WER) information can be integrated into applications to provide other crash dump information. For more information, see Using WER.
