1

I'm trying to debug my application on a production machine. It crashes about once every 2 days and I don't know why.

I've been trying for days now to make that production machine produce full crash dumps whenever a program crashes. Sometimes it does, but sometimes, instead of producing full crash dumps, it creates short text files that simply list all modules loaded and says that the program crashed. These short files are saved in %LOCALAPPDATA%\Microsoft\Windows Error Reporting\ReportArchive.

For the life of me, I cannot understand why this is happening! I can't ask these users to run adplus or windbg or something like that. I just need to create a crash dump every time the program crashes, period.

Can anyone please help? I'm attaching the full registry settings for WER. These exist both on HKEY_LOCAL_MACHINE\Software\Wow6432Node and on the 64 bit node. As you can see, the LocalDumps key points to C:\ProgramData\Microsoft\Windows\WER\LocalDumps to save crash dumps, and yes, everyone has full permission for this folder.

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting]
"ErrorPort"="\\WindowsErrorReportingServicePort"
"MaxQueueSizePercentage"=dword:00000001
"PurgeThreshholdValueInKB"=dword:0000000a
"Disabled"=dword:00000000
"MaxQueueCount"=dword:00000032
"DisableQueue"=dword:00000000
"LoggingDisabled"=dword:00000000
"DontSendAdditionalData"=dword:00000000
"AutoApproveOSDumps"=dword:00000001
"MaxQueueSize"=dword:00000400
"ForceQueue"=dword:00000001
"DontShowUI"=dword:00000001
"ConfigureArchive"=dword:00000002
"MaxArchiveCount"=dword:000001f4
"DisableArchive"=dword:00000000
"LastQueuePesterTime"=hex(b):57,18,42,be,ba,81,d0,01
"LastLiveReportFlushTime"=hex(b):87,cf,56,3d,bc,81,d0,01
"LastQueueNoPesterTime"=hex(b):4d,39,bb,3a,51,97,d0,01
"LastRateLimitedDumpGenerationTime"=hex(b):87,84,74,9b,90,85,d0,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\BrokerUp]
"WWAJSE"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Consent]
"SQLException64"=dword:00000004
"SQLException"=dword:00000004
"DefaultConsent"=dword:00000004
"DefaultOverrideBehavior"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord"=hex:de,fa,ed,0e,01,00,00,00,00,00,00,00,98,45,4d,75,07,00,00,\
  00,81,f8,46,00,dc,37,49,00,88,37,49,00,00,00,00,00,c0,fe,18,00,fc,fe,18,00,\
  1c,f9,18,00,02,00,00,00,04,f9,18,00,00,00,00,00,0c,f9,18,00,96,27,40,00,da,\
  3b,40,00,f0,0c,45,00,e2,31,40,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\HeapControlledList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\HeapControlledList\dwm.exe]
"EnableHeapThrottle"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpFolder"="C:\\ProgramData\\Microsoft\\Windows\\WER\\LocalDumps"
"DumpCount"=dword:0000000a
"DumpType"=dword:00000002
"CustomDumpFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules]
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscordacwks.dll"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR]
"Disable"=dword:00000001
```
user884248
  • So someone just randomly voted to close this question and didn't specify why? – user884248 Jul 02 '15 at 12:26
  • Have you tried overriding the [global WER settings](https://msdn.microsoft.com/en-us/library/bb787181(VS.85).aspx) by adding your application under the LocalDumps key? Not sure it will work, but, WER is finicky, so, it's worth the try. – rrirower Jul 02 '15 at 14:07
  • @rrirower - thanks for answering. I did try that, but it was before I changed a bunch of settings in Microsoft\Windows\Windows Error Reporting. I guess I can try that again. – user884248 Jul 02 '15 at 14:26
  • WER is implemented by the operating system. The operating system is 64 bit, so it will always look in the 64 bit node. Get rid of the Wow6432Node registry setting. You say "These exist ... and on the 64 bit node", but you don't show us the 64 bit settings (which are the important ones). – Thomas Weller Sep 14 '15 at 19:28
  • possible duplicate of [Windows does not produce full crash dumps even though registry is set correctly](http://stackoverflow.com/questions/30457570/windows-does-not-produce-full-crash-dumps-even-though-registry-is-set-correctly) – Thomas Weller Sep 14 '15 at 19:39
  • Did you make any progress? – Thomas Weller Sep 17 '15 at 08:04
  • @ThomasWeller: do you know if the fact that the crashing application is 32 or 64 bit makes any difference regarding where the LocalDump information has to be registered? Do I need to put something in the WER section of the Wow6432Node, or is every possible scenario covered by the normal WER section? – Ignacio Soler Garcia Nov 03 '17 at 12:56
  • @IgnacioSolerGarcia: I wrote it in the answer linked by my comment: "Windows Error Reporting is executed by Windows and only uses the registry key with the bitness of the OS.", so no, you don't need a Wow6432Node – Thomas Weller Nov 03 '17 at 13:41
  • @ThomasWeller: OK, thanks. Any idea why it is created and populated with data if it's not used? – Ignacio Soler Garcia Nov 03 '17 at 14:17
  • @IgnacioSolerGarcia: I've seen that many times as well. I think it's created by 32 bit programs which are not aware that their Registry operations will end up in the wrong key. – Thomas Weller Nov 03 '17 at 14:58

2 Answers

3

Move the values you've added to

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps]

to

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ProgramName.exe]

For example:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\Snagit32.exe]
"CustomDumpFlags"=dword:00000000
"DumpCount"=dword:00000003
"DumpFolder"=hex(2):25,00,4c,00,4f,00,43,00,41,00,4c,00,41,00,50,00,50,00,44,\
  00,41,00,54,00,41,00,25,00,5c,00,54,00,65,00,63,00,68,00,53,00,6d,00,69,00,\
  74,00,68,00,5c,00,53,00,6e,00,61,00,67,00,69,00,74,00,5c,00,43,00,72,00,61,\
  00,73,00,68,00,44,00,75,00,6d,00,70,00,73,00,00,00
"DumpType"=dword:00000002
```

You've set "DontShowUI"=dword:00000001 in (as shown) the 32-bit version of HKLM's Windows Error Reporting key, but this will be overridden by the value in HKCU, for example:

```
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting]
<other entries not shown>
"DontShowUI"=dword:00000000
```

Be sure that you are not disabling WER for your process by calling

```
SetErrorMode(SEM_NOGPFAULTERRORBOX);
```

The SEM_NOGPFAULTERRORBOX setting will prevent Windows Error Reporting from handling the crash, so omit this flag if you call SetErrorMode.

Windows Error Reporting will honor the LocalDumps key if WER is not disabled by the registry or SetErrorMode. Setting DontShowUI to 1 will prevent the crash dialog from appearing but will not prevent LocalDumps from being created if WER is enabled.

Tad Marshall
  • This answer was incredibly helpful to me in figuring out that my use of `SEM_NOGPFAULTERRORBOX` was suppressing my crash reports. THANK YOU! In fact, that was also preventing my crash from showing up in Windows Event Viewer. It appears to suppress any/all evidence that a crash ever occurred. However, interestingly, removing `SEM_NOGPFAULTERRORBOX` does not seem to re-enable WER dialogs. I have posted a related, detailed question about this at https://stackoverflow.com/questions/68728694/does-windows-error-reporting-suppress-error-dialogs-for-command-line-application if you care to glance. – Nick Williams Aug 10 '21 at 14:33
1

My two cents (even if old, but maybe useful): tested under Windows 7 and Windows 10 64-bit. It does work.

A tip: keys are saved in hex, but you can also simply use the following (saved in a *.REG file):

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpCount"=dword:0000000a
"DumpType"=dword:00000002
"DumpFolder"="c:\\CrashDumps"
```
ingconti
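
The registry points raised in both answers and in the comments, as an added example that is not code from any poster: a Python parser for a `.reg` export that decodes the `hex(2)` form of `DumpFolder` into the path it encodes and separates `LocalDumps` keys in the native view from those under `Wow6432Node`, which the thread says WER does not read on 64-bit Windows. The function names and the sample export are constructed for illustration.

```python
import re

# Constructed sample export, assembled from the .reg snippets in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpFolder"="C:\\ProgramData\\Microsoft\\Windows\\WER\\LocalDumps"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\Snagit32.exe]
"DumpFolder"=hex(2):25,00,4c,00,4f,00,43,00,41,00,4c,00,41,00,50,00,50,00,44,\
  00,41,00,54,00,41,00,25,00,5c,00,54,00,65,00,63,00,68,00,53,00,6d,00,69,00,\
  74,00,68,00,5c,00,53,00,6e,00,61,00,67,00,69,00,74,00,5c,00,43,00,72,00,61,\
  00,73,00,68,00,44,00,75,00,6d,00,70,00,73,00,00,00
"DumpType"=dword:00000002
'''

LOCALDUMPS = r"\microsoft\windows\windows error reporting\localdumps"

def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ stored as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(","))
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith('"'):  # REG_SZ: undo the \\ and \" escaping
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # other value types are left undecoded

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys

def audit_localdumps(text):
    """Split LocalDumps keys into (native view, Wow6432Node view); per the thread, WER reads only the first."""
    used, ignored = {}, {}
    for key, values in parse_reg(text).items():
        if LOCALDUMPS in key.lower():
            bucket = ignored if "\\wow6432node\\" in key.lower() else used
            bucket[key] = values
    return used, ignored
```

Run `audit_localdumps` over a `reg export` of `HKLM\SOFTWARE` from the affected machine; an empty first dictionary means the dump settings exist only in the 32-bit view.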