WS2008: Windows Error Reporting
Published Mar 15 2019 06:06 PM 1,258 Views
First published on TECHNET on Feb 05, 2008

Day Five ... only twenty-two more days to go till Launch Day.  On the menu today - Windows Error Reporting.

Starting with Windows Server 2008 and Windows Vista SP1, Windows Error Reporting (WER) can be configured to collect full user-mode dump files and store them locally after a user-mode application crashes.  By default, this feature is not enabled - an administrator needs to turn it on by modifying the registry values in HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps :

Value Description Type Default Value
DumpFolder Path to store the dump file REG_EXPAND_SZ %LOCALAPPDATA%\CrashDumps
DumpCount Maximum number of dump files to store in the folder REG_DWORD 10
DumpType Type of dump to create (see the table below for the different dump types) REG_DWORD 1
CustomDumpFlags Custom dump options to be used.  This value is used when DumpType=0 REG_DWORD MiniDumpWithDataSegs

As indicated above, you can get very granular with the type of dump file to create.  The table below shows the different dump types that you can specify for the DumpType DWORD value.  Each dump type represents 1 bit of the 32-bit DWORD value.  If you want to specify multiple dump types, you would need to set the corresponding bit in the DWORD value:

Value Name Value Description
MiniDumpNormal 0x00000000 Include only the information necessary to capture stack traces for all existing threads in a process
MiniDumpWithDataSegs 0x00000001 Include the data sections from all loaded modules.  This results in the inclusion of global variables which can make the minidump significantly larger
MiniDumpWithFullMemory 0x00000002 Include all accessible memory in the process.  This can result in a very large file
MiniDumpWithHandleData 0x00000004 Include high-level information about the OS handles that are active when the minidump is created
MiniDumpFilterMemory 0x00000008 Stack and backing store memory written to the  minidump file should be filtered to remove all but the pointer values necessary to reconstruct a stack trace.  Typically this removes any private information
MiniDumpScanMemory 0x00000010 Stack and backing store memory is scanned for pointer references to modules in the module list
MiniDumpWithUnloadedModules 0x00000020 Include information from the list of modules that were recently unloaded
MiniDumpWithIndirectlyReferencedMemory 0x00000040 Include pages with data referenced by locals or other stack memory.  This option can increase the size of the minidump significantly
MiniDumpFilterModulePaths 0x00000080 Filter module paths for information such as user names or important directories.  This option may prevent the system from locating the image file and should be used only in specific situations
MiniDumpWithProcessThreadData 0x00000100 Include complete per-process and per-thread information from the operating system
MiniDumpWithPrivateReadWriteMemory 0x00000200 Scan the virtual address space for other types of memory to be included
MiniDumpWithoutOptionalData 0x00000400 Reduce the data that is dumped by eliminating the memory regions that are not essential to meet criteria specified for the dump.  This can avoid dumping memory that may contain private data that is private to the user.  However, it is not a guarantee that no private information will be present
MiniDumpWithFullMemoryInfo 0x00000800 Include memory region information
MiniDumpWithThreadInfo 0x00001000 Include thread state information
MiniDumpWithCodeSegs 0x00002000 Include all code and code-related sections from loaded modules to capture executable content

The values discussed above are global dump settings.  However, you can also configure these options on a per-process basis.  The per-process settings will override the global settings.  To create a specific dump configuration on a per-process basis, create a new subkey under the LocalDumps key using the application name as the key value.  So if you wanted to set up a dump configuration for Notepad, the key name would be Notepad.exe .  Add the desired values from the table(s) above to this key.  After an application crashes, the crash reporting is handled as it was in previous releases.  Prior to application termination, the system checks the registry settings to determine whether a local dump is to be collected.  After the dump collection has completed, the application terminates normally.  If the application supports recovery via the Restart Manager mechanism, then the dump is collected before the recovery callback is called.

One last point to note.  These dumps are configured and controlled independently of the rest of the WER infrastructure.  You can make use of the local dump collection process even if WER is disabled.  The local dumps are collected even if WER reporting is canceled at any point - and, the local dumps may be different than the dump that WER uploads to Microsoft.

That's a wrap for Day Five.  Tomorrow we'll talk about the Dynamic Link Library Loader and Address Space Load Randomization (ASLR).  Until next time ...

Additional Resources:

- CC Hameed

Share this post :
Version history
Last update:
‎Mar 15 2019 06:06 PM
Updated by: