Tags: windbg, portable-executable, memory-dump, fileversioninfo, rsrc

Why does WinDBG show mismatched FileVersion in dump?


TL;DR

Why does WinDBG lmv display two version info fields (when no other tool I know of does this) and under which circumstances can these fields differ?


Background: I have a live dump (from a deadlock) of our application. Symbols are loaded correctly and I was able to trace back the deadlock to Microsoft's pdm.dll ("Process Debug Manager" used for our vbscript engine).

I then wanted to check which version of this DLL was loaded in the session at the production site:

0:000> lmv m pdm
start    end        module name
51860000 518b8000   pdm      # (pdb symbols)          d:\symcache\pdm.pdb\7BE601EDE9234816B72B49DA4A25DF042\pdm.pdb
    Loaded symbol image file: pdm.dll
    Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
??  File version:     9.0.30729.1
??  Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio .NET
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
??  ProductVersion:   7.10.3077
??  FileVersion:      7.10.3077
    FileDescription:  Process Debug Manager
    LegalCopyright:   Copyright© Microsoft Corporation.  All rights reserved.

As you can see, the file and product versions are displayed twice, but they are mismatched in the dump!

When I cross-check on my machine for (apparently, see the timestamp and checksum!) the same file for a running iexplore process:

0:043> lmv m pdm
start    end        module name
3efa0000 3eff8000   pdm        (pdb symbols)          c:\windows\symbols\martin-cache\pdm.pdb\415D0A165EB24613BC01CE516512062C2\pdm.pdb
    Loaded symbol image file: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image path: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
    File version:     9.0.30729.1
    Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio® 2008
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
    ProductVersion:   9.0.30729.1
    FileVersion:      9.0.30729.1 built by: SP
    FileDescription:  Process Debug Manager
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

the version info matches up.


Solution

  • lmv displays the strings which are defined in the resource file.


    I don’t know why there are commonly two sets of File/Product version names that are the same except for some spaces.

    0:041> lmv m kernel32
    start    end        module name
    753e0000 754f0000   kernel32   (deferred)             
        Image path: C:\Windows\SysWOW64\kernel32.dll
        Image name: kernel32.dll
        Timestamp:        Fri Aug 02 03:53:25 2013 (51FB1115)
        CheckSum:         00111A9F
        ImageSize:        00110000
        File version:     6.1.7601.18229
        Product version:  6.1.7601.18229
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     kernel32
        OriginalFilename: kernel32
        ProductVersion:   6.1.7601.18229
        FileVersion:      6.1.7601.18229 (win7sp1_gdr.130801-1533)
    

    In your case you have two different DLLs; look at the image file path.

    Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\
    

    and

    Image path: C:\Program Files (x86)\Internet Explorer
    

    They must have different strings in the resource section; WinDbg can’t do anything but display them. Since the time stamps are identical, one may have been tampered with.
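As an added example (not code from the question or the answer), the Python below parses a VS_VERSIONINFO blob, the structure in the .rsrc section that lmv reads, and compares the binary VS_FIXEDFILEINFO versions (lmv's "File version"/"Product version") against the free-form StringFileInfo strings (lmv's "FileVersion"/"ProductVersion"). The blob is constructed inline, modelled on the asker's mismatched values; pulling the blob out of a PE file's resource directory is assumed to have been done already.

```python
import re, struct

_align4 = lambda n: (n + 3) & ~3            # szKey, Value and every child block start on a DWORD boundary

def _block(key, value=b"", text=False, children=b""):
    """Build one version-resource block: wLength, wValueLength, wType, szKey, pad, Value, pad, Children."""
    out = bytearray(6) + key.encode("utf-16-le") + b"\x00\x00"
    out += bytes(_align4(len(out)) - len(out)) + value
    out += bytes(_align4(len(out)) - len(out)) + children
    struct.pack_into("<HHH", out, 0, len(out), len(value) // (2 if text else 1), int(text))
    return bytes(out)

def build_sample(fixed, file_str, prod_str):
    """Constructed VS_VERSIONINFO: a 52-byte VS_FIXEDFILEINFO plus one English (040904b0) StringTable."""
    ms, ls = (fixed[0] << 16) | fixed[1], (fixed[2] << 16) | fixed[3]
    ffi = struct.pack("<13I", 0xFEEF04BD, 0x10000, ms, ls, ms, ls, 0x3F, 0, 4, 2, 0, 0, 0)
    strings = b"".join(_block(k, v.encode("utf-16-le") + b"\x00\x00", text=True)
                       for k, v in (("FileVersion", file_str), ("ProductVersion", prod_str)))
    return _block("VS_VERSION_INFO", ffi,
                  children=_block("StringFileInfo", children=_block("040904b0", children=strings)))

def _walk(buf, off):
    """Parse the block at off; return (szKey, Value bytes, [children], offset of the next sibling)."""
    w_len, w_val_len, w_type = struct.unpack_from("<HHH", buf, off)
    pos = off + 6
    while pos < off + w_len and buf[pos:pos + 2] != b"\x00\x00":   # szKey is NUL-terminated UTF-16
        pos += 2
    key, pos = buf[off + 6:pos].decode("utf-16-le"), _align4(pos + 2)
    n = w_val_len * (2 if w_type == 1 else 1)        # wType 1 counts WCHARs, wType 0 counts bytes
    value, pos, children = buf[pos:pos + n], _align4(pos + n), []
    while pos < off + w_len:
        children.append(_walk(buf, pos))
        pos = children[-1][3]
    return key, value, children, _align4(off + w_len)

def version_fields(blob):
    """The four values lmv prints: binary VS_FIXEDFILEINFO versions and the StringTable strings."""
    _, ffi, children, _ = _walk(blob, 0)
    sig, _, fv_ms, fv_ls, pv_ms, pv_ls = struct.unpack_from("<6I", ffi)
    assert sig == 0xFEEF04BD, "bad VS_FIXEDFILEINFO signature"
    strings = {name: val.decode("utf-16-le").rstrip("\x00")
               for key, _, tables, _ in children if key == "StringFileInfo"
               for _, _, entries, _ in tables for name, val, _, _ in entries}
    split = lambda ms, ls: (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
    return {"File version": split(fv_ms, fv_ls), "Product version": split(pv_ms, pv_ls),
            "FileVersion": strings.get("FileVersion"), "ProductVersion": strings.get("ProductVersion")}

def mismatches(blob):
    """Pairs whose free-form string disagrees with the binary field (first four numbers compared)."""
    f = version_fields(blob)
    nums = lambda s: tuple((list(map(int, re.findall(r"\d+", s or ""))) + [0] * 4)[:4])
    return [(a, b) for a, b in (("File version", "FileVersion"), ("Product version", "ProductVersion"))
            if nums(f[b]) != f[a]]
```

Running `mismatches(build_sample((9, 0, 30729, 1), "7.10.3077", "7.10.3077"))` reproduces the asker's dump case and flags both pairs, while a string such as "9.0.30729.1 built by: SP" still counts as matching.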