Anatomy of WerFault.exe's Application Crash Error Reporting

Windows Internals
Published Mar 8, 2021

Not much information is available on Windows Error Reporting’s WerFault.exe, the process that is launched by the OS whenever an application crashes. This post documents the launch sequence of WerFault.exe and its related processes along with their command line parameters.

How WerFault.exe Handles an Application Crash

The following sequence shows how Windows Error Reporting (WER) handles a typical application crash on my machine (Windows 10 20H2). Most of the data is from uberAgent, our application monitoring and security analytics product.

Unhandled exception in a process with PID 5700 running in session ID 1. This is the crash that triggers WER.
Service Control Handler starts Windows Error Reporting Service (WerSvc)
- Command line: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
- Session: 0
- User: SYSTEM
Windows Error Reporting Service starts WerFault.exe with PID 35380
- Command line: C:\WINDOWS\system32\WerFault.exe -pss -s 468 -p 5700 -ip 5700
  - -pss: process snapshotting mode
  - -s: ?
  - -p: process ID
  - -ip: initiating process ID
- Session: 0
- User: SYSTEM
WerFault.exe PID 35380 in session 0 stops after approx. 60 ms
A second instance of WerFault.exe is started, this time PID 33360 in the crashing process’ session
- Command line: C:\WINDOWS\system32\WerFault.exe -u -p 5700 -s 10268
- -u: user mode
- -p: process ID
- -s: ?- Session: 1
- User: the crashing process’ user
- Parent: the crashing process PID 5700
Event ID 1000 is generated in the application event log
- Most likely by WerFault.exe PID 33360
- Event source: Application Error
- Event message text (excerpt): Faulting application name: [crashed EXE], version: [EXE version], time stamp: [EXE build time]
Task Scheduler service (Schedule) starts wermgr.exe with PID 21732
- Command line: C:\WINDOWS\system32\wermgr.exe -upload
- Session: 0
- User: SYSTEM
WerFault.exe PID 33360 in session 1 stops after approx. 960 ms
The crashed process PID 5700 stops
wermgr.exe PID 21732 stops after approx. 1.8 s
Windows Error Reporting Service stops after approx. 2 min

WerFault’s Command-Line Arguments

Information on the command-line arguments of WerFault.exe are scarce. This is what I could find.

The First Argument

WerFault’s first argument seems to set the mode of operation:

-pss: process snapshotting mode via PssNtCaptureSnapshot [deduced from WerFault’s strings]
-u: user mode (dump creation)

Additional Arguments

-s: [unknown]
-p: process ID
-ip: initiating process ID [deduced from WerFault’s strings]

Further Reading

Crash Dump WerFault Windows Error Reporting

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Measuring the Impact of Folder Redirection - Application Launch & SMB Version

Measuring the Impact of Folder Redirection - Application Launch & SMB Version

This is the fifth in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass. Part one: How Folder Redirection Impacts UX & Breaks Applications Part two: Visualizing the Impact of Folder Redirection – Logon and Application Launch Part three: Visualizing the Impact of Folder Redirection – Start Menu Search Part four: Measuring the Impact of Folder Redirection – User Logon Part five: this article Previously on this Series If you have been following this mini-series you know that after explaining the basics in part one we got to the juicy bits in parts two and three, where we presented videos that vividly show that folder redirection indeed speeds up user logons considerably, but at the price of potentially horrible user experience during the session. In part four Aaron Parker published our measurements of how folder redirection affects logon duration. This fifth part is about the effect folder redirection and SMB version can have on application launch speed.

Windows Internals

Creating an Application Crash Dump

Creating an Application Crash Dump

How to Create User Mode Crash Dump Files If you experience application crashes you may be asked by support to create a crash dump file.

Troubleshooting

How Folder Redirection Impacts UX & Breaks Applications

How Folder Redirection Impacts UX & Breaks Applications

This is the first in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass. Part one: this article Part two: Visualizing the Impact of Folder Redirection – Logon and Application Launch Part three: Visualizing the Impact of Folder Redirection – Start Menu Search Part four: Measuring the Impact of Folder Redirection – User Logon Why Even Talk About Folder Redirection - in 2014!?! Working in the SBC/VDI space without stumbling across folder redirection is about as easy as travelling from Europe to the US as an IP packet without going through a Cisco router.

Windows Internals

Windows 10: Black Lock Screen with Citrix Receiver

Windows 10: Black Lock Screen with Citrix Receiver

Update: KB4022723 seems to fix the black lock screen issue described in this article. The Spotlight feature of Windows 10 shows beautiful images on the lock screen. Annoyingly, it appears to be broken on many machines, showing a black screen instead of a pretty photograph. Read on for the cause and a workaround.

Windows Internals

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting