Thoughts from the EPS Windows Server Performance Team
Day Five ... only twenty-two more days to go till Launch Day. On the menu today - Windows Error Reporting.
Starting with Windows Server 2008 and Windows Vista SP1, Windows Error Reporting (WER) can be configured to collect full user-mode dump files and store them locally after a user-mode application crashes. By default, this feature is not enabled - an administrator needs to turn it on by modifying the registry values in HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps:
As indicated above, you can get very granular with the type of dump file to create. The table below shows the different dump types that you can specify for the DumpType DWORD value. Each dump type represents 1 bit of the 32-bit DWORD value. If you want to specify multiple dump types, you would need to set the corresponding bit in the DWORD value:
The values discussed above are global dump settings. However, you can also configure these options on a per-process basis. The per-process settings will override the global settings. To create a specific dump configuration on a per-process basis, create a new subkey under the LocalDumps key using the application name as the key value. So if you wanted to set up a dump configuration for Notepad, the key name would be Notepad.exe. Add the desired values from the table(s) above to this key. After an application crashes, the crash reporting is handled as it was in previous releases. Prior to application termination, the system checks the registry settings to determine whether a local dump is to be collected. After the dump collection has completed, the application terminates normally. If the application supports recovery via the Restart Manager mechanism, then the dump is collected before the recovery callback is called.
One last point to note. These dumps are configured and controlled independently of the rest of the WER infrastructure. You can make use of the local dump collection process even if WER is disabled. The local dumps are collected even if WER reporting is canceled at any point - and, the local dumps may be different than the dump that WER uploads to Microsoft.
That's a wrap for Day Five. Tomorrow we'll talk about the Dynamic Link Library Loader and Address Space Load Randomization (ASLR). Until next time ...
- CC Hameed
I've been enjoying the blog very much - thanks for the great articles!
Recognizing that the material in this topic is largely taken from "Collecting User-Mode Dumps" @ http://msdn2.microsoft.com/en-us/library/bb787181.aspx and "MINIDUMP_TYPE Enumeration" @ http://msdn2.microsoft.com/en-us/library/ms680519.aspx, I wonder if you might be able to comment on the following scenario.
Given the following settings, what is the value of DumpCount used for myapp.exe?
[HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpCount] = 0x14
[HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\myapp.exe\DumpFolder] = "C:\MyAppDumps"
Is it 0n10, because that's the default value, or is it 0n20 because that's the value configured in LocalDumps?
(Presumably, the answer will not be specific to DumpCount, but to the other settings that are not present for a specific app as well.)
PingBack from http://www.ditii.com/2008/02/06/windows-server-2008-windows-error-reporting/
Since buying my Vista enabled computer about six weeks ago I suddenly became aware that I had "used "around 90 Gb of hard drive capacity!!
This seemed extraordinary as I am a "light" user, I download very little and the 90GB represents four times as much as my previous computer's total hard drive capacity!!!
When I explored the possibility of a disc cleanup, on the list of items which were available to be "cleaned" were "per user archived Windows Error reporting", and "per user queued Windows Error Reporting".
Not wanting to cause a major catastrophy I "Googled" these terms and noted that someone with a similar situation had dumped items under these same headings and lost most of their programmes.
Can I indeed employ the cleanup facility to dump these??
Regards Bob Danks.
The .DMP files are diagnostic "snapshots" of contents of the memory from the program that crashed. I can not see how removing these .DMP files could be harmful to the system or any programs that are installed.
However, if you truly have a large amount of disk space consumed by .DMP files, it seems some program is frequently crashing. You may wish to determine which program is doing so, and seek an update to the program that eliminates the crashing, or an alternative program that provides the same functionality.
Thanks for the very speedy reply molotov, however I have not been aware of a crash at all!!!!
Is there a way of turning off the Error mreporting??
Rgds B D.
If you run Problem Reports and Solutions (Start Orb -> Problem...) and click "View Problem History", is there any indication as to the program that is crashing?
It seems you can turn off / further refine error reporting configuration from Problem Reports and Solutions by clicking "Change Settings", and then "Advanced Settings".
Managed to look under"View Problem History" and found that the computer seems to have crashed, only once, without my even realising !!! (90+ GB) still seems to be a hell of a lot of stored info on one crash.
I have a Reg. analysis and correcting programme on the computer which,as the computer seems to have it's own similar system I intend to get rid of.Could this be the culprit?
Thanks again Bob D.
So as not to hijack the comments in this blog (sorry, CC Hameed!) perhaps this discussion is more suited to a support forum envorinment. I hang out at http://forum.sysinternals.com - you might consider posting details about your problem to the Troubleshooting forum there (or any of the other quality forums on the Internet as well).
It's working here.
Office 2007 dumps are not being created (very rarely) using these settings.
Other applications work fine.
Even Office 2003 dumps are rarely created. Why is it so?
I use Windows Vista SP1 32 bit version.
By a cleaning up tools I found out 3 Gb of Windows error reporting files (.KDMP, .HDMP, .MDMP, .WER). Is it safe to delete them?