WS2008: Windows Error Reporting

Day Five ... only twenty-two more days to go till Launch Day.  On the menu today - Windows Error Reporting.

Starting with Windows Server 2008 and Windows Vista SP1, Windows Error Reporting (WER) can be configured to collect full user-mode dump files and store them locally after a user-mode application crashes.  By default, this feature is not enabled - an administrator needs to turn it on by modifying the registry values in HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps:

| Value | Description | Type | Default Value |
|---|---|---|---|
| DumpFolder | Path to store the dump file | REG_EXPAND_SZ | %LOCALAPPDATA%\CrashDumps |
| DumpCount | Maximum number of dump files to store in the folder | REG_DWORD | 10 |
| DumpType | Type of dump to create (see the table below for the different dump types) | REG_DWORD | 1 |
| CustomDumpFlags | Custom dump options to be used. This value is used when DumpType=0 | REG_DWORD | MiniDumpWithDataSegs + MiniDumpWithUnloadedModules + MiniDumpWithProcessThreadData |

As indicated above, you can get very granular with the type of dump file to create.  The table below shows the different dump types that you can specify for the DumpType DWORD value.  Each dump type is a single bit of the 32-bit DWORD value, so to specify multiple dump types you OR their values together, setting each corresponding bit in the DWORD:

| Value Name | Value | Description |
|---|---|---|
| MiniDumpNormal | 0x00000000 | Include only the information necessary to capture stack traces for all existing threads in a process |
| MiniDumpWithDataSegs | 0x00000001 | Include the data sections from all loaded modules. This results in the inclusion of global variables, which can make the minidump significantly larger |
| MiniDumpWithFullMemory | 0x00000002 | Include all accessible memory in the process. This can result in a very large file |
| MiniDumpWithHandleData | 0x00000004 | Include high-level information about the OS handles that are active when the minidump is created |
| MiniDumpFilterMemory | 0x00000008 | Stack and backing store memory written to the minidump file should be filtered to remove all but the pointer values necessary to reconstruct a stack trace. Typically this removes any private information |
| MiniDumpScanMemory | 0x00000010 | Stack and backing store memory is scanned for pointer references to modules in the module list |
| MiniDumpWithUnloadedModules | 0x00000020 | Include information from the list of modules that were recently unloaded |
| MiniDumpWithIndirectlyReferencedMemory | 0x00000040 | Include pages with data referenced by locals or other stack memory. This option can increase the size of the minidump significantly |
| MiniDumpFilterModulePaths | 0x00000080 | Filter module paths for information such as user names or important directories. This option may prevent the system from locating the image file and should be used only in specific situations |
| MiniDumpWithProcessThreadData | 0x00000100 | Include complete per-process and per-thread information from the operating system |
| MiniDumpWithPrivateReadWriteMemory | 0x00000200 | Scan the virtual address space for other types of memory to be included |
| MiniDumpWithoutOptionalData | 0x00000400 | Reduce the data that is dumped by eliminating the memory regions that are not essential to meet the criteria specified for the dump. This can avoid dumping memory that may contain data that is private to the user. However, it is not a guarantee that no private information will be present |
| MiniDumpWithFullMemoryInfo | 0x00000800 | Include memory region information |
| MiniDumpWithThreadInfo | 0x00001000 | Include thread state information |
| MiniDumpWithCodeSegs | 0x00002000 | Include all code and code-related sections from loaded modules to capture executable content |

The values discussed above are global dump settings.  However, you can also configure these options on a per-process basis, and the per-process settings override the global settings.  To create a specific dump configuration for one process, create a new subkey under the LocalDumps key, using the application's executable name as the subkey name.  So if you wanted to set up a dump configuration for Notepad, the key name would be Notepad.exe.  Add the desired values from the table(s) above to this key.  After an application crashes, the crash reporting is handled as it was in previous releases.  Prior to application termination, the system checks the registry settings to determine whether a local dump is to be collected.  After the dump collection has completed, the application terminates normally.  If the application supports recovery via the Restart Manager mechanism, then the dump is collected before the recovery callback is called.
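As an added example (not part of the original post), the following script composes the LocalDumps settings described above as a .reg file: it ORs MINIDUMP_TYPE flag names from the table into the CustomDumpFlags DWORD, decodes a DWORD back into flag names, and renders the global key plus a per-process subkey. The function names, the sample counts and the sample DumpFolder path are constructed for illustration; REG_EXPAND_SZ values are written in the hex(2) form that .reg files use for that type.

```python
# Added example: build a WER LocalDumps configuration as a .reg file.
# Encodes MINIDUMP_TYPE flags from the table above into CustomDumpFlags,
# decodes a DWORD back into flag names, and renders the global key plus a
# per-process subkey. Sample paths/counts in the test are constructed.
MINIDUMP = {
    "MiniDumpNormal": 0x00000000,
    "MiniDumpWithDataSegs": 0x00000001,
    "MiniDumpWithFullMemory": 0x00000002,
    "MiniDumpWithHandleData": 0x00000004,
    "MiniDumpFilterMemory": 0x00000008,
    "MiniDumpScanMemory": 0x00000010,
    "MiniDumpWithUnloadedModules": 0x00000020,
    "MiniDumpWithIndirectlyReferencedMemory": 0x00000040,
    "MiniDumpFilterModulePaths": 0x00000080,
    "MiniDumpWithProcessThreadData": 0x00000100,
    "MiniDumpWithPrivateReadWriteMemory": 0x00000200,
    "MiniDumpWithoutOptionalData": 0x00000400,
    "MiniDumpWithFullMemoryInfo": 0x00000800,
    "MiniDumpWithThreadInfo": 0x00001000,
    "MiniDumpWithCodeSegs": 0x00002000,
}
LOCALDUMPS = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps"

def encode_flags(names):
    """OR the named MINIDUMP_TYPE bits into one DWORD (each flag is one bit)."""
    value = 0
    for name in names:
        value |= MINIDUMP[name]  # KeyError on a misspelled flag name
    return value

def decode_flags(value):
    """Flag names whose bit is set in value; MiniDumpNormal when none are."""
    return [n for n, bit in MINIDUMP.items() if bit and value & bit] or ["MiniDumpNormal"]

def reg_section(key, values):
    """One [key] block: ints as dword:, strings as REG_EXPAND_SZ (hex(2), UTF-16LE)."""
    lines = [f"[{key}]"]
    for name, val in values.items():
        if isinstance(val, int):
            lines.append(f'"{name}"=dword:{val:08x}')
        else:
            raw = (val + "\0").encode("utf-16-le")
            lines.append(f'"{name}"=hex(2):' + ",".join(f"{b:02x}" for b in raw))
    return "\n".join(lines)

def build_reg(global_values, per_process):
    """Global LocalDumps block followed by one subkey block per executable."""
    sections = [reg_section(LOCALDUMPS, global_values)]
    for exe, vals in per_process.items():
        sections.append(reg_section(LOCALDUMPS + "\\" + exe, vals))
    return "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(sections) + "\n"
```

A dump that includes data segments or full memory carries whatever the process held in memory at the time, so treat the DumpFolder as sensitive data and restrict who can read it.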

One last point to note.  These dumps are configured and controlled independently of the rest of the WER infrastructure.  You can make use of the local dump collection process even if WER is disabled.  The local dumps are collected even if WER reporting is canceled at any point, and the local dumps may differ from the dump that WER uploads to Microsoft.

That's a wrap for Day Five.  Tomorrow we'll talk about the Dynamic Link Library Loader and Address Space Load Randomization (ASLR).  Until next time ...

Additional Resources:

- CC Hameed

  • I've been enjoying the blog very much - thanks for the great articles!

    Recognizing that the material in this topic is largely taken from "Collecting User-Mode Dumps" @ http://msdn2.microsoft.com/en-us/library/bb787181.aspx and "MINIDUMP_TYPE Enumeration" @ http://msdn2.microsoft.com/en-us/library/ms680519.aspx, I wonder if you might be able to comment on the following scenario.

    Given the following settings, what is the value of DumpCount used for myapp.exe?

    [HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpCount] = 0x14

    [HKLM\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\myapp.exe\DumpFolder] = "C:\MyAppDumps"

    Is it 0n10, because that's the default value, or is it 0n20 because that's the value configured in LocalDumps?

    (Presumably, the answer will not be specific to DumpCount, but to the other settings that are not present for a specific app as well.)

    Thanks!

  • Since buying my Vista enabled computer about six weeks ago I suddenly became aware that I had "used" around 90 GB of hard drive capacity!!

    This seemed extraordinary as I am a "light" user, I download very little and the 90 GB represents four times as much as my previous computer's total hard drive capacity!!!

    When I explored the possibility of a disc cleanup, on the list of items which were available to be "cleaned" were "per user archived Windows Error reporting", and "per user queued Windows Error Reporting".

    Not wanting to cause a major catastrophe I "Googled" these terms and noted that someone with a similar situation had dumped items under these same headings and lost most of their programmes.

    Can I indeed employ the cleanup facility to dump these??

    Regards Bob Danks.

  • Hi Bob,

    The .DMP files are diagnostic "snapshots" of the contents of the memory from the program that crashed.  I cannot see how removing these .DMP files could be harmful to the system or any programs that are installed.

    However, if you truly have a large amount of disk space consumed by .DMP files, it seems some program is frequently crashing.  You may wish to determine which program is doing so, and seek an update to the program that eliminates the crashing, or an alternative program that provides the same functionality.

  • Thanks for the very speedy reply molotov, however I have not been aware of a crash at all!!!!

    Is there a way of turning off the Error reporting??

    Rgds B D.

  • If you run Problem Reports and Solutions (Start Orb -> Problem...) and click "View Problem History", is there any indication as to the program that is crashing?

    It seems you can turn off / further refine error reporting configuration from Problem Reports and Solutions by clicking "Change Settings", and then "Advanced Settings".

  • Managed to look under "View Problem History" and found that the computer seems to have crashed, only once, without my even realising !!! (90+ GB) still seems to be a hell of a lot of stored info on one crash.

    I have a Reg. analysis and correcting programme on the computer which, as the computer seems to have its own similar system, I intend to get rid of. Could this be the culprit?

    Thanks again Bob D.

  • Bob,

    So as not to hijack the comments in this blog (sorry, CC Hameed!) perhaps this discussion is more suited to a support forum environment.  I hang out at http://forum.sysinternals.com - you might consider posting details about your problem to the Troubleshooting forum there (or any of the other quality forums on the Internet as well).

    Kind regards,

    --molotov

  • It's working here.

    vladimir@bcc.ufla.br

  • Hi,

    Office 2007 dumps are not being created (very rarely) using these settings.

    Other applications work fine.

    Even Office 2003 dumps are rarely created. Why is it so?

    I use Windows Vista SP1 32 bit version.

    Regards,

    Basso

  • Using a cleanup tool I found 3 GB of Windows Error Reporting files (.KDMP, .HDMP, .MDMP, .WER). Is it safe to delete them?

    Rgds

    Emanuele

  • I am receiving a "referenced memory could not be written" error when I boot up Vista. I noticed the Avast application displays the error; I don't know what it is, and everything runs fine, so it doesn't seem to be critical, but I am tired of seeing it. I copied it this morning in Notepad but it was corrupted, so I cannot be specific with the "...66dd" something that it provided, but when I next boot up Vista it will appear again. Is there a fix-it tool for dealing with referenced memory errors?

    Thanks