Starting with Windows Server 2008 and Windows Vista SP1, Windows Error Reporting (WER) can be configured to collect full user-mode dump files and store them locally after a user-mode application crashes. By default, this feature is not enabled - an administrator needs to turn it on by modifying the registry values in HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps :
| Value | Description | Type | Default Value |
| DumpFolder | Path to store the dump file | REG_EXPAND_SZ | %LOCALAPPDATA%\CrashDumps |
| DumpCount | Maximum number of dump files to store in the folder | REG_DWORD | 10 |
| DumpType | Type of dump to create (see the table below for the different dump types) | REG_DWORD | 1 |
| CustomDumpFlags | Custom dump options to be used. This value is used when DumpType=0 | REG_DWORD |
MiniDumpWithDataSegs
MiniDumpWithUnloadedModules MiniDumpWithProcessThreadData |
As indicated above, you can get very granular with the type of dump file to create. The table below shows the different dump types that you can specify for the DumpType DWORD value. Each dump type represents 1 bit of the 32-bit DWORD value. If you want to specify multiple dump types, you would need to set the corresponding bit in the DWORD value:
| Value Name | Value | Description |
| MiniDumpNormal | 0x00000000 | Include only the information necessary to capture stack traces for all existing threads in a process |
| MiniDumpWithDataSegs | 0x00000001 | Include the data sections from all loaded modules. This results in the inclusion of global variables which can make the minidump significantly larger |
| MiniDumpWithFullMemory | 0x00000002 | Include all accessible memory in the process. This can result in a very large file |
| MiniDumpWithHandleData | 0x00000004 | Include high-level information about the OS handles that are active when the minidump is created |
| MiniDumpFilterMemory | 0x00000008 | Stack and backing store memory written to the minidump file should be filtered to remove all but the pointer values necessary to reconstruct a stack trace. Typically this removes any private information |
| MiniDumpScanMemory | 0x00000010 | Stack and backing store memory is scanned for pointer references to modules in the module list |
| MiniDumpWithUnloadedModules | 0x00000020 | Include information from the list of modules that were recently unloaded |
| MiniDumpWithIndirectlyReferencedMemory | 0x00000040 | Include pages with data referenced by locals or other stack memory. This option can increase the size of the minidump significantly |
| MiniDumpFilterModulePaths | 0x00000080 | Filter module paths for information such as user names or important directories. This option may prevent the system from locating the image file and should be used only in specific situations |
| MiniDumpWithProcessThreadData | 0x00000100 | Include complete per-process and per-thread information from the operating system |
| MiniDumpWithPrivateReadWriteMemory | 0x00000200 | Scan the virtual address space for other types of memory to be included |
| MiniDumpWithoutOptionalData | 0x00000400 | Reduce the data that is dumped by eliminating the memory regions that are not essential to meet criteria specified for the dump. This can avoid dumping memory that may contain private data that is private to the user. However, it is not a guarantee that no private information will be present |
| MiniDumpWithFullMemoryInfo | 0x00000800 | Include memory region information |
| MiniDumpWithThreadInfo | 0x00001000 | Include thread state information |
| MiniDumpWithCodeSegs | 0x00002000 | Include all code and code-related sections from loaded modules to capture executable content |
The values discussed above are global dump settings. However, you can also configure these options on a per-process basis. The per-process settings will override the global settings. To create a specific dump configuration on a per-process basis, create a new subkey under the LocalDumps key using the application name as the key value. So if you wanted to set up a dump configuration for Notepad, the key name would be Notepad.exe . Add the desired values from the table(s) above to this key. After an application crashes, the crash reporting is handled as it was in previous releases. Prior to application termination, the system checks the registry settings to determine whether a local dump is to be collected. After the dump collection has completed, the application terminates normally. If the application supports recovery via the Restart Manager mechanism, then the dump is collected before the recovery callback is called.
One last point to note. These dumps are configured and controlled independently of the rest of the WER infrastructure. You can make use of the local dump collection process even if WER is disabled. The local dumps are collected even if WER reporting is canceled at any point - and, the local dumps may be different than the dump that WER uploads to Microsoft.
That's a wrap for Day Five. Tomorrow we'll talk about the Dynamic Link Library Loader and Address Space Load Randomization (ASLR). Until next time ...
Additional Resources:
| Share this post : |
|
|
|
|
|
Microsoft