Day Five ... only twenty-two more days to go till Launch Day. On the menu today - Windows Error Reporting.
Starting with Windows Server 2008 and Windows Vista SP1, Windows Error Reporting (WER) can be configured to collect full user-mode dump files and store them locally after a user-mode application crashes. By default, this feature is not enabled - an administrator needs to turn it on by modifying the registry values in
HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps
Path to store the dump file
Maximum number of dump files to store in the folder
Type of dump to create (see the table below for the different dump types)
Custom dump options to be used. This value is used when DumpType=0
As indicated above, you can get very granular with the type of dump file to create. The table below shows the different dump types that you can specify for the
DWORD value. Each dump type represents 1 bit of the 32-bit DWORD value. If you want to specify multiple dump types, you would need to set the corresponding bit in the DWORD value:
Include only the information necessary to capture stack traces for all existing threads in a process
Include the data sections from all loaded modules. This results in the inclusion of global variables which can make the minidump significantly larger
Include all accessible memory in the process. This can result in a
Include high-level information about the OS handles that are active when the minidump is created
Stack and backing store memory written to the minidump file should be filtered to remove all but the pointer values necessary to reconstruct a stack trace. Typically this removes any private information
Stack and backing store memory is scanned for pointer references to modules in the module list
Include information from the list of modules that were recently unloaded
Include pages with data referenced by locals or other stack memory. This option can increase the size of the minidump significantly
Filter module paths for information such as user names or important directories. This option may prevent the system from locating the image file and should be used only in specific situations
Include complete per-process and per-thread information from the operating system
Scan the virtual address space for other types of memory to be included
Reduce the data that is dumped by eliminating the memory regions that are not essential to meet criteria specified for the dump. This can avoid dumping memory that may contain private data that is private to the user. However, it is not a guarantee that no private information will be present
Include memory region information
Include thread state information
Include all code and code-related sections from loaded modules to capture executable content
The values discussed above are global dump settings. However, you can also configure these options on a per-process basis. The per-process settings will override the global settings. To create a specific dump configuration on a per-process basis, create a new subkey under the
key using the application name as the key value. So if you wanted to set up a dump configuration for Notepad, the key name would be
. Add the desired values from the table(s) above to this key. After an application crashes, the crash reporting is handled as it was in previous releases. Prior to application termination, the system checks the registry settings to determine whether a local dump is to be collected. After the dump collection has completed, the application terminates normally. If the application supports recovery via the Restart Manager mechanism, then the dump is collected before the recovery callback is called.
One last point to note. These dumps are configured and controlled independently of the rest of the WER infrastructure. You can make use of the local dump collection process even if WER is disabled. The local dumps are collected even if WER reporting is canceled at any point - and, the local dumps may be different than the dump that WER uploads to Microsoft.
That's a wrap for Day Five. Tomorrow we'll talk about the Dynamic Link Library Loader and Address Space Load Randomization (ASLR). Until next time ...