Why does WinDBG show mismatched FileVersion in dump?


TL;DR

Why does WinDBG lmv display two version info fields (when no other tool I know of does this) and under which circumstances can these fields differ?


Background: I have a live dump (from a deadlock) of our application. Symbols are loaded correctly and I was able to trace back the deadlock to Microsoft's pdm.dll ("Process Debug Manager" used for our vbscript engine).

I then wanted to check which version of this DLL was loaded in the session at the production site:

0:000> lmv m pdm
start    end        module name
51860000 518b8000   pdm      # (pdb symbols)          d:\symcache\pdm.pdb\7BE601EDE9234816B72B49DA4A25DF042\pdm.pdb
    Loaded symbol image file: pdm.dll
    Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
??  File version:     9.0.30729.1
??  Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio .NET
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
??  ProductVersion:   7.10.3077
??  FileVersion:      7.10.3077
    FileDescription:  Process Debug Manager
    LegalCopyright:   Copyright© Microsoft Corporation.  All rights reserved.

As you can see, the file and product versions are displayed twice, but they are mismatched in the dump!

When I cross-check on my machine for (apparently, see the timestamp and checksum!) the same file for a running iexplore process:

0:043> lmv m pdm
start    end        module name
3efa0000 3eff8000   pdm        (pdb symbols)          c:\windows\symbols\martin-cache\pdm.pdb\415D0A165EB24613BC01CE516512062C2\pdm.pdb
    Loaded symbol image file: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image path: C:\Program Files (x86)\Internet Explorer\pdm.dll
    Image name: pdm.dll
    Timestamp:        Tue Jul 29 16:46:11 2008 (488F2D33)
    CheckSum:         000663E0
    ImageSize:        00058000
    File version:     9.0.30729.1
    Product version:  9.0.30729.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio® 2008
    InternalName:     pdm.dll
    OriginalFilename: pdm.dll
    ProductVersion:   9.0.30729.1
    FileVersion:      9.0.30729.1 built by: SP
    FileDescription:  Process Debug Manager
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

the version infos match up.

Best answer:

lmv displays the strings which are defined in the resource file.


I don’t know why it is common to have two sets of File/Product version fields whose names differ only by some spaces.

0:041> lmv m kernel32
start    end        module name
753e0000 754f0000   kernel32   (deferred)             
    Image path: C:\Windows\SysWOW64\kernel32.dll
    Image name: kernel32.dll
    Timestamp:        Fri Aug 02 03:53:25 2013 (51FB1115)
    CheckSum:         00111A9F
    ImageSize:        00110000
    File version:     6.1.7601.18229
    Product version:  6.1.7601.18229
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     kernel32
    OriginalFilename: kernel32
    ProductVersion:   6.1.7601.18229
    FileVersion:      6.1.7601.18229 (win7sp1_gdr.130801-1533)

In your case you have two different DLLs; look at the image file path.

Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\

and

Image path: C:\Program Files (x86)\Internet Explorer

They must have different strings in the resource section; WinDbg can’t do anything but display them. Since the time stamps are identical, one may have been tampered with.
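Added example (not from the question, the answer, or any Microsoft tool): the two pairs exist because a VERSIONINFO resource stores the version twice. The fixed-length VS_FIXEDFILEINFO header holds it as four 16-bit numbers, and that is where WinDbg's "File version:" and "Product version:" lines (together with "File flags", "File OS", "File type" and "File date") come from; the StringFileInfo block holds free-form text, which is what the later "FileVersion:" and "ProductVersion:" lines print. Nothing ties the two together, so the string can carry a suffix ("9.0.30729.1 built by: SP") or, as in the VS7DEBUG copy, a value nobody updated when the numeric version changed. The Python below builds a VS_VERSIONINFO blob with the same disagreement the dump shows, parses both sources back out and reports the fields that differ. The function names (build_version_info, parse_version_info, version_mismatches) and the sample string tables are this example's own, constructed to mirror the two lmv listings rather than read from pdm.dll; to check a real module, hand parse_version_info the module's RT_VERSION resource bytes (pefile on a copy of the file will give you those).

```python
import struct

FIXEDFILEINFO_SIG = 0xFEEF04BD


def _align4(n):
    return (n + 3) & ~3


def _block(key, value=b"", value_len=None, is_text=False, children=()):
    """Serialise one version-resource block: WORD wLength, WORD wValueLength,
    WORD wType, UTF-16 szKey + NUL, padding, value, padding, children."""
    out = bytearray(6) + key.encode("utf-16-le") + b"\x00\x00"
    out += bytes(_align4(len(out)) - len(out))
    out += value
    for child in children:
        out += bytes(_align4(len(out)) - len(out))
        out += child
    wvaluelen = len(value) if value_len is None else value_len
    struct.pack_into("<HHH", out, 0, len(out), wvaluelen, 1 if is_text else 0)
    return bytes(out)


def _string(key, text):
    """A String block: wType 1, wValueLength counted in WCHARs including the NUL."""
    return _block(key, text.encode("utf-16-le") + b"\x00\x00", len(text) + 1, True)


def build_version_info(file_ver, prod_ver, strings, lang=0x0409, cp=0x04B0):
    """Build a VS_VERSIONINFO blob. file_ver / prod_ver are 4-tuples written into
    VS_FIXEDFILEINFO; `strings` is the free-form StringFileInfo table."""
    fixed = struct.pack("<13I", FIXEDFILEINFO_SIG, 0x00010000,
                        file_ver[0] << 16 | file_ver[1], file_ver[2] << 16 | file_ver[3],
                        prod_ver[0] << 16 | prod_ver[1], prod_ver[2] << 16 | prod_ver[3],
                        0x3F, 0, 4, 2, 0, 0, 0)  # flags mask, flags, OS, type, subtype, date
    table = _block("%04X%04X" % (lang, cp), is_text=True,
                   children=[_string(k, v) for k, v in strings.items()])
    sfi = _block("StringFileInfo", is_text=True, children=[table])
    var = _block("Translation", struct.pack("<HH", lang, cp))
    vfi = _block("VarFileInfo", is_text=True, children=[var])
    return _block("VS_VERSION_INFO", fixed, children=[sfi, vfi])


def _parse_block(buf, off):
    """Parse one block; every block type in the resource shares the same layout."""
    length, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    end = off + length
    pos = key_end = off + 6
    while key_end < end and buf[key_end:key_end + 2] != b"\x00\x00":
        key_end += 2
    key = buf[pos:key_end].decode("utf-16-le")
    pos = _align4(key_end + 2)
    nbytes = vlen * 2 if wtype == 1 else vlen  # WCHARs for text values, bytes otherwise
    value = bytes(buf[pos:pos + nbytes])
    pos = _align4(pos + nbytes)
    children = []
    while pos < end:
        child, child_end = _parse_block(buf, pos)
        children.append(child)
        pos = _align4(child_end)
    return {"key": key, "value": value, "children": children}, end


def _split(ms, ls):
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def dotted(ver):
    return "%d.%d.%d.%d" % ver


def parse_version_info(blob):
    """Return the numeric (fixed) versions, the string table and the translations."""
    root, _ = _parse_block(blob, 0)
    if root["key"] != "VS_VERSION_INFO":
        raise ValueError("not a VS_VERSIONINFO blob")
    f = struct.unpack("<13I", root["value"])
    if f[0] != FIXEDFILEINFO_SIG:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    info = {"fixed": {"FileVersion": _split(f[2], f[3]), "ProductVersion": _split(f[4], f[5])},
            "strings": {}, "translations": []}
    for child in root["children"]:
        if child["key"] == "StringFileInfo":
            for table in child["children"]:
                for s in table["children"]:
                    info["strings"][s["key"]] = s["value"].decode("utf-16-le").rstrip("\x00")
        elif child["key"] == "VarFileInfo":
            for var in child["children"]:
                v = var["value"]
                info["translations"] += [struct.unpack_from("<HH", v, i) for i in range(0, len(v), 4)]
    return info


def _leading_version(text):
    """Numeric prefix of a free-form version string, padded to four parts:
    '9.0.30729.1 built by: SP' -> (9, 0, 30729, 1); '7.10.3077' -> (7, 10, 3077, 0)."""
    nums = []
    for part in (text.split() or [""])[0].replace(",", ".").split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0, 0])[:4])


def version_mismatches(info):
    """Fields whose StringFileInfo text does not start with the fixed numeric version."""
    out = []
    for field in ("FileVersion", "ProductVersion"):
        text = info["strings"].get(field)
        if text is not None and _leading_version(text) != info["fixed"][field]:
            out.append((field, dotted(info["fixed"][field]), text))
    return out


# Constructed samples (not read from pdm.dll) mirroring the two lmv listings:
# the VS7DEBUG-like copy's string table lags behind its fixed header, the IE-like copy agrees.
SAMPLE_MISMATCHED = build_version_info((9, 0, 30729, 1), (9, 0, 30729, 1), {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Process Debug Manager",
    "FileVersion": "7.10.3077",
    "ProductVersion": "7.10.3077",
})
SAMPLE_CONSISTENT = build_version_info((9, 0, 30729, 1), (9, 0, 30729, 1), {
    "FileVersion": "9.0.30729.1 built by: SP",
    "ProductVersion": "9.0.30729.1",
})

if __name__ == "__main__":
    for name, blob in (("VS7DEBUG-like", SAMPLE_MISMATCHED), ("IE-like", SAMPLE_CONSISTENT)):
        info = parse_version_info(blob)
        print(name)
        print("    File version:     %s" % dotted(info["fixed"]["FileVersion"]))
        print("    FileVersion:      %s" % info["strings"].get("FileVersion"))
        for field, fixed, text in version_mismatches(info):
            print("    MISMATCH %s: fixed %s vs string %r" % (field, fixed, text))
```

Two checks the script does not replace: Timestamp and CheckSum in lmv are read straight from the PE header and are whatever was written there, so identical values do not prove identical binaries; hash both files, or compare the PDB signatures lmv already printed, which differ between the two listings (7BE601EDE9234816B72B49DA4A25DF042 versus 415D0A165EB24613BC01CE516512062C2) and point to two different builds. Also, the `#` between the module name and `(pdb symbols)` in the first listing is WinDbg's marker for symbols that were loaded despite a timestamp/checksum mismatch, which is worth resolving before trusting the deadlock stacks from that dump.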