
How can I identify the version of a managed dll in windbg?

I have a minidump from a customer. I want to find out the assembly versions of the loaded .NET DLLs. I've already searched the internet for hours now, but cannot find a usable way. I have WinDbg and have loaded the SOS extension and have the needed clr.dll and mscordacwks.

Using lm -v only shows the unmanaged DLLs. I am sure I am overlooking something very simple.

Nimeroth asked Dec 04 '22 09:12


1 Answer

Alright, after some more research I came to the conclusion that that kind of information is just not available for those DLLs in a minidump. Anyway, I was at least able to get some more information about the files, and maybe this is useful for someone else in the future.

You can get at least the metadata information of the DLLs, and maybe you can find something useful in there. Here's how to do that:

First get the domain:

!dumpdomain

You might end up with a large amount of listed assemblies. Now you can either look them up by hand using:

!dumpassembly ADDRESS

or you can just use the lazy way: install the Python extension for WinDbg (http://pykd.codeplex.com/) and use the following script for a quick overview (it's maybe not the nicest script, but it's working and I didn't want to invest more time):

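import pykd

def dump_assemblies():
    """Run !dumpassembly on every assembly listed by !dumpdomain."""
    assemblies = 0

    # !dumpdomain prints one "Assembly: <address>" line per loaded assembly
    addrs = pykd.dbgCommand("!dumpdomain").splitlines()
    for x in addrs:
        if x[:8] == "Assembly":
            assemblies = assemblies + 1
            # take the address as the second field, so 64-bit addresses work too
            addr = x.split()[1]
            print("### retrieving assembly " + addr)
            print(pykd.dbgCommand("!dumpassembly " + addr))
    print("### found " + str(assemblies) + " assemblies.")

dump_assemblies()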

You will now be able to do a text search (CTRL + F) for the DLL. Once you have found it, you can find the offset next to the module name (looks something like 12327C8 C:\Program Files\MyApp\MyDLL.dll).

You can now dump the module using:

!dumpmodule 12327C8

which will lead you to:

Name:       C:\Program Files\MyApp\MyDLL.dll
Attributes: PEFile 
Assembly:   131a22e2
LoaderHeap:              00000000
TypeDefToMethodTableMap: 19220010
TypeRefToMethodTableMap: 134303e0
MethodDefToDescMap:      13430740
FieldDefToDescMap:       13433964
MemberRefToDescMap:      134350c8
FileReferencesMap:       13435918
AssemblyReferencesMap:   1343591c
MetaData start address:  1c1aaa4c (4248 bytes)

Now you can check the metadata of the dll simply with:

dc 1c1aaa4c 1c1aaa4c+0n4248

That's the closest I could get to more information about the DLL. Unfortunately the file version was not written there, just some other more generic info. Anyway, I will try to get in touch with the customer again. Thanks for the answers anyway.

Nimeroth answered Dec 21 '22 23:12
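As an added example (not part of the original answer): the block that "MetaData start address" points to begins with the ECMA-335 metadata root, which can be parsed instead of read by eye in a `dc` dump. The sketch below assumes the bytes were saved from the debugger (for instance with `.writemem`) and that the byte count printed by `!dumpmodule` is decimal; the function names and both sample inputs are constructed for illustration.

```python
import re
import struct

# Constructed sample in the shape of the !dumpmodule output quoted in the answer.
SAMPLE_DUMPMODULE = ("Name:       C:\\Program Files\\MyApp\\MyDLL.dll\n"
                     "MetaData start address:  1c1aaa4c (4248 bytes)\n")

# Constructed metadata root: header, version string, two stream headers.
SAMPLE_ROOT = (struct.pack("<IHHII", 0x424A5342, 1, 1, 0, 12)
               + b"v4.0.30319\0\0"
               + struct.pack("<HH", 0, 2)
               + struct.pack("<II", 0x6C, 0x100) + b"#~\0\0"
               + struct.pack("<II", 0x16C, 0x80) + b"#Strings\0\0\0\0")

def metadata_range(dumpmodule_text):
    """Return (start, size) from the 'MetaData start address' line.
    Assumption: the address is hex and the byte count is decimal."""
    m = re.search(r"MetaData start address:\s+([0-9a-fA-F]+)\s+\((\d+) bytes\)",
                  dumpmodule_text)
    if not m:
        raise ValueError("no MetaData line found")
    return int(m.group(1), 16), int(m.group(2))

def parse_metadata_root(blob):
    """Parse the metadata root; return (runtime_version, streams) where
    streams maps a stream name to (offset, size) relative to the root."""
    sig, _major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", blob, 0)
    if sig != 0x424A5342:  # the bytes "BSJB"
        raise ValueError("not a CLR metadata root")
    pos = 16
    # Runtime version the assembly was built for, not the assembly version.
    version = blob[pos:pos + vlen].split(b"\0", 1)[0].decode("ascii")
    pos += vlen
    _flags, count = struct.unpack_from("<HH", blob, pos)
    pos += 4
    streams = {}
    for _ in range(count):
        offset, size = struct.unpack_from("<II", blob, pos)
        end = blob.index(b"\0", pos + 8)
        streams[blob[pos + 8:end].decode("ascii")] = (offset, size)
        pos = (end + 1 + 3) & ~3  # name is NUL-terminated, padded to 4 bytes
    return version, streams

if __name__ == "__main__":
    print(metadata_range(SAMPLE_DUMPMODULE))
    print(parse_metadata_root(SAMPLE_ROOT))
```

The assembly's own version number lives in the Assembly table inside the `#~` stream, so it is only recoverable when the minidump actually captured that part of the metadata.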