3

Is there any way to detect process crash in windows 7 ? Just to clarify, upon every process crash windows creates the WERfault.exe ( windows error reporting) . I have driver which monitors the system by using the existing kernel callback mechanism of the kernel. The callback notifies my driver when a certain process event happens (using PsSetCreateProcessNotifyRoutine). The problem is I see that WERfault.exe created by svchost.exe but I can't find a way resolving which process has crashed.

Hen Amar
  • 53
  • 1
  • 7
  • 1
    What *problem* are you trying to solve? There may be a more elegant (and less fragile) way of solving it that does not involve watching for werfault.exe and trying to figure out why it's being called by parsing arguments and whatnot. – Nik Bougalis Feb 19 '13 at 19:57
  • Doesn't werfault.exe launch a debugger when a process crashes? Perhaps you can iterate through open handles in the debugger process and find which process it's debugging. – Gogeta70 Feb 19 '13 at 21:53
  • Nik Bougalis - i am trying to monitor some system and give report upon some events. one of the events is detecting procss crashes. – Hen Amar Feb 20 '13 at 08:23
  • @Gogeta70 - You are right a debugger is started on those cases (dr watson , windbg etc ) but only after user interaction. werfault is asking what do you want to do and the launch the debugger. i do not have any user interaction , my system is automatic. – Hen Amar Feb 20 '13 at 08:25
  • @NikBougalis - i am trying to monitor some system and give report upon some events. one of the events is detecting procss crashes. – Hen Amar Feb 20 '13 at 08:29

2 Answers2

2

Setup your application as the automatic debugger. This can then pass the event on the the real WER if you want to provide the usual UI.

Deanna
  • 23,876
  • 7
  • 71
  • 156
  • Thanks for your answer. when setting my application as the autodebug the werfaulf creates it and one off the parameters is the process's name (the ones how crash). thanks for the help . – Hen Amar Feb 20 '13 at 11:33
1

->Is there any way to detect process crash in windows 7 ?

Yes, you can use AdPlus script can be used with command line. it can be use with windbg go for the documentation i think it may solve your problem. Adplus dump all your process memory into a file .

user2369171
  • 11
  • 1