8

I am investigating a BSOD and I'd like to know more about the process that caused the problem. I can open the minidump in WinDbg, which gives a lot of information about the crash. However, the one piece of information I haven't been able to get is the command line arguments of the process that caused the crash.

Does anyone know if it is something that can be extracted from a crash dump?

Thanks in advance.

Clem
  • Try [BlueScreenView](http://www.nirsoft.net/utils/blue_screen_view.html) and see if it displays what you want. – Karan Oct 12 '12 at 22:51
  • BlueScreenView didn't help but I found the solution - see answer below. – Clem Oct 30 '12 at 14:43

1 Answer

10

The information I was looking for is stored in the process environment block (PEB). In WinDbg the !peb command displays a formatted view of the PEB. This view contains an entry for the command line that was used to start the process.

Clem
  • Note that this won't always work, because the PEB is not always one of the things that's captured in the minidump, except for the current process. – Jamie Hanrahan Aug 28 '18 at 05:33
  • What if the process is svchost? I mean, since there are a lot of svchost processes, I need to get not the command line of all processes but the command line or PID of the one that caused the crash. – user2284570 Jan 08 '23 at 16:33
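
The pointer chain behind the command-line entry in the PEB, as an added Python example (not part of the original answer and not WinDbg's own code): it follows PEB.ProcessParameters to the CommandLine UNICODE_STRING and returns nothing when that memory was not captured, the case the first comment describes. The x64 offsets, the `DumpMemory` class and the sample bytes are assumptions constructed for illustration.

```python
import struct

# x64 layout (assumed; confirm with `dt nt!_PEB` and
# `dt nt!_RTL_USER_PROCESS_PARAMETERS` against the dump's symbols).
PEB_PROCESS_PARAMETERS = 0x20  # PEB.ProcessParameters (pointer)
PARAMS_COMMAND_LINE = 0x70     # RTL_USER_PROCESS_PARAMETERS.CommandLine


class NotInDump(Exception):
    """The requested address range was not captured in the dump."""


class DumpMemory:
    """Sparse memory {base_address: bytes}, like the ranges a minidump holds."""

    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise NotInDump(f"{size} bytes at {addr:#x}")


def command_line_from_peb(mem, peb_addr):
    """Return the command line, or None if the dump lacks the memory."""
    try:
        (params,) = struct.unpack("<Q", mem.read(peb_addr + PEB_PROCESS_PARAMETERS, 8))
        # UNICODE_STRING on x64: USHORT Length, USHORT MaximumLength, pad, PWSTR Buffer
        length, _max, buf = struct.unpack("<HH4xQ", mem.read(params + PARAMS_COMMAND_LINE, 16))
        return mem.read(buf, length).decode("utf-16-le")
    except NotInDump:
        return None


def build_sample():
    """Constructed sample: one PEB, its parameters block and a string buffer."""
    peb, params, buf = 0x7FF000, 0x200000, 0x200800
    text = r'"C:\Tools\app.exe" --config test.ini'.encode("utf-16-le")
    peb_bytes = bytearray(0x100)
    struct.pack_into("<Q", peb_bytes, PEB_PROCESS_PARAMETERS, params)
    params_bytes = bytearray(0x100)
    struct.pack_into("<HH4xQ", params_bytes, PARAMS_COMMAND_LINE, len(text), len(text) + 2, buf)
    return peb, {peb: bytes(peb_bytes), params: bytes(params_bytes), buf: text}


if __name__ == "__main__":
    peb, regions = build_sample()
    print(command_line_from_peb(DumpMemory(regions), peb))
    del regions[0x200000]  # parameters block missing, as in a trimmed minidump
    print(command_line_from_peb(DumpMemory(regions), peb))
```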