HDD serial number

@“Peter_Viscarola_(OSR)” said:

(OK… after rethinking my wise-guy answer: Have you tried IOCTL_STORAGE_QUERY_PROPERTY?)

It’s practically right but slightly imperfect.
In some cases (i can said - in MANY cases) you will have not the exact serial number but its decoration in form of hexadecimal representation.
P.S. If we need this number just for some unique persistent value it’s good idea to concatenate it with Vendor and Product…

Hello tried this code and works ok on windows 8 vmware but on windows 10 vmware had to modify it a bit to work because of bsod. But on real windows 10 got bsod - page fault in non paged area. Tested it on vmware is ok but on real host this bsod do you have an idea why it is very hard to debug on real pc.

!analyze -v

  •                                                                         *
  •                    Bugcheck Analysis                                    *
  •                                                                         *

Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arg1: ffffffff80002c70, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8041c9d23d5, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000002, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for gethwid.sys

Could not read faulting driver name
*** WARNING: Unable to verify timestamp for win32k.sys


Key  : Analysis.CPU.Sec
Value: 5

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-9IDCT4T

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 38

Key  : Analysis.Memory.CommitPeak.Mb
Value: 79

Key  : Analysis.System
Value: CreateObject


BUGCHECK_P1: ffffffff80002c70


BUGCHECK_P3: fffff8041c9d23d5


READ_ADDRESS: fffff8041d2fb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8041d20f380: Unable to get Flags value from nt!KdVersionBlock
fffff8041d20f380: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse


BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)




TRAP_FRAME: ffff858082d8d8c0 – (.trap 0xffff858082d8d8c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff858082d8dac0 rbx=0000000000000000 rcx=ffff858082d8dcc0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8041c9d23d5 rsp=ffff858082d8da50 rbp=ffff858082d8db50
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=ffff858082d8df38 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
fffff8041c9d23d5 458a0c24 mov r9b,byte ptr [r12] ds:0000000000000000=??
Resetting default scope

ffff858082d8d618 fffff8041ca4e27f : 0000000000000050 ffffffff80002c70 0000000000000000 ffff858082d8d8c0 : nt!KeBugCheckEx
ffff858082d8d620 fffff8041c8a6960 : 0000000000000000 0000000000000000 ffff858082d8d940 0000000000000000 : nt!MiSystemFault+0x1898cf
ffff858082d8d720 fffff8041ca05f5e : 0000000000000000 ffff858000000000 ffffb70917a9b1c0 ffff88070d1dcae0 : nt!MmAccessFault+0x400
ffff858082d8d8c0 fffff8041c9d23d5 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x35e
ffff858082d8da50 fffff8041c9ce19a : 0000000000000020 0000000000000000 ffff858082d8de10 fffff8041ca097b8 : nt!output_l+0x89
ffff858082d8dd10 fffff8041c9ce121 : 000000000000007f ffff858082d8de10 ffff37403f844682 fffff8041ca09620 : nt!vsnprintf_l+0x6a
ffff858082d8dd80 fffff8041c96f46b : ffff858082d8e470 ffff880700bd3500 ffff858082d8de40 fffff8041c9ce08c : nt!vsnprintf+0x11
ffff858082d8ddc0 fffff8041c962c64 : 0000000000000000 0000000000000080 0000000000000003 ffffb709254925e0 : nt!RtlStringCbVPrintfA+0x3f
ffff858082d8ddf0 fffff8041c962b3c : ffff8807002d0000 ffff880700bd3510 ffff858082d8e470 fffff8041c9fbc30 : nt!vDbgPrintExWithPrefixInternal+0xe4
ffff858082d8def0 fffff8041d904c70 : ffffffff80002c70 0000000000000000 ffff88070d1dcae0 ffffb7090e652880 : nt!DbgPrint+0x3c
ffff858082d8df40 ffffffff80002c70 : 0000000000000000 ffff88070d1dcae0 ffffb7090e652880 0000000000000000 : gethwid+0x4c70
ffff858082d8df48 0000000000000000 : ffff88070d1dcae0 ffffb7090e652880 0000000000000000 ffff858000000080 : 0xffffffff`80002c70

SYMBOL_NAME: gethwid+4c70

MODULE_NAME: gethwid

IMAGE_NAME: gethwid.sys

STACK_COMMAND: .thread ; .cxr ; kb


FAILURE_BUCKET_ID: AV_R_INVALID_gethwid!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release


OSNAME: Windows 10

FAILURE_ID_HASH: {5c1ae45c-6bee-516e-d466-f1bd94725f76}

Followup: MachineOwner

@pulp said:
Hello tried this code and works ok on windows 8 vmware but on windows 10 vmware had to modify it a bit to work because of bsod. But on real windows 10 got bsod - page fault in non paged area. Tested it on vmware is ok but on real host this bsod do you have an idea why it is very hard to debug on real pc.

A bit difficult to see your screen from over here, but it appears to have blown up in a print. Looking at the code, this one seems most likely:

KdPrint((“SerialNumber: %s.\n”, originSerialNumber));

Well, actually, the most likely detonation site is the part where you “had to modify it a bit”.

In any case, you should load your driver symbols (.reload -f gethwid.sys) and then open the call stack window, double click on this function, open the locals and see what’s what…

If you used the debug build, windbg would be happy to show you the line of code that failed.

Yes it was the debug string indeed. When removed the first debug string : KdPrint(("Open PhysicalDrive0 success and the \n it was ok. But can you tell me why this happens with dbgprint?