Collecting User Mode Dumps/ Windows Error Reporting (WER)

jcgriff2

Starting with Windows Server 2008 and Windows Vista with Service Pack 1 (SP1), Windows Error Reporting (WER) can be configured so that full user-mode dumps are collected and stored locally after a user-mode application crashes. Applications that do their own custom crash reporting, including .NET applications, are not supported by this feature.

This feature is not enabled by default. Enabling the feature requires administrator privileges. To enable and configure the feature, use the following registry values under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps key.

http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx


WER Settings - http://msdn.microsoft.com/en-us/library/windows/desktop/bb513638(v=vs.85).asp

https://www.google.com/search?num=1...l24l0l0l0l0l119l1967l20j4l24l0.crnk_fspiked.1.




Courtesy of John Carrona -

Russinovich uses the dps command to find 3rd party drivers that aren't evident in the stack. It's in the last section (the one on BSOD's) here:

The Case of the Unexplained 2010...Troubleshooting with Mark Russinovich -

http://channel9.msdn.com/Events/TechEd/Europe/2010/WCL301

Great stuff, John!
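
The LocalDumps configuration described in the post above, as an added example that is not part of the original post or of Microsoft's documentation. It assumes the documented DumpFolder, DumpCount and DumpType values and the per-application subkey form; the function name Set-WerLocalDumps, the image name MyApp.exe and the 1-100 count limit are hypothetical.

```powershell
# Added example: configure WER LocalDumps globally or for a single executable.
# Run from an elevated PowerShell session; the key lives under HKLM.
$LocalDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Set-WerLocalDumps {
    param(
        # Executable name for a per-application subkey; empty means the global key.
        [string]$ImageName,
        # Stored as REG_EXPAND_SZ so it is expanded for the user of the crashing process.
        [string]$DumpFolder = '%LOCALAPPDATA%\CrashDumps',
        # Oldest dump is replaced once this many exist. The 1-100 limit is this example's choice.
        [ValidateRange(1, 100)][int]$DumpCount = 10,
        # 1 = mini dump, 2 = full dump. 0 (custom) also needs CustomDumpFlags and is not handled here.
        [ValidateSet(1, 2)][int]$DumpType = 2
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM requires an elevated session.'
    }

    # Per-application settings live in a subkey named after the executable
    # and override the global values for that process only.
    $key = if ($ImageName) { Join-Path $LocalDumps $ImageName } else { $LocalDumps }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $DumpFolder -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord -Value $DumpCount -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord -Value $DumpType -Force | Out-Null

    # Read the values back so the caller can confirm what WER will use.
    # DumpFolder is shown expanded for the current (admin) user.
    Get-ItemProperty -Path $key | Select-Object PSPath, DumpFolder, DumpCount, DumpType
}

# Full dumps hold the entire process memory (which can include credentials and
# keys), so scope them to the application under investigation and keep the
# count small instead of enabling them machine-wide.
Set-WerLocalDumps -ImageName 'MyApp.exe' -DumpType 2 -DumpCount 5
```

When troubleshooting is finished, delete the per-application subkey so full dumps stop accumulating.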
 
Re: Collecting User Mode Dumps/ WER

Nice, I forgot Mark using the dps thing to reveal the raw stack. His approach was more awkward, however, in which you have to keep typing dps until you reach the end. Using the Base and Limit values for the range is nice and quick. :)

Also, yes, thank you for extrapolating on the user dump stuff. It's very convenient to set up the system to automatically create such dumps on user app crashes.
 
Re: Collecting User Mode Dumps/ WER

Sorry about that link; don't know how I screwed that up.

It is a 404 in my post.
 