Last updated March 8, 2021

Anatomy of WerFault.exe’s Application Crash Error Reporting

Not much information is available on Windows Error Reporting’s WerFault.exe, the process the OS launches whenever an application crashes. This post documents the launch sequence of WerFault.exe and its related processes, along with their command-line parameters.

How WerFault.exe Handles an Application Crash

The following sequence shows how Windows Error Reporting (WER) handles a typical application crash on my machine (Windows 10 20H2). Most of the data is from uberAgent, our application monitoring and security analytics product.

  1. Unhandled exception in a process with PID 5700 running in session ID 1. This is the crash that triggers WER.
  2. The Service Control Manager (services.exe) starts the Windows Error Reporting Service (WerSvc)
    • Command line: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
    • Session: 0
    • User: SYSTEM
  3. Windows Error Reporting Service starts WerFault.exe with PID 35380
    • Command line: C:\WINDOWS\system32\WerFault.exe -pss -s 468 -p 5700 -ip 5700
      • -pss: process snapshotting mode
      • -s: [unknown]
      • -p: process ID of the crashed process
      • -ip: initiating process ID
    • Session: 0
    • User: SYSTEM
  4. WerFault.exe PID 35380 in session 0 stops after approx. 60 ms
  5. A second instance of WerFault.exe is started, this time with PID 33360 in the crashing process’ session
    • Command line: C:\WINDOWS\system32\WerFault.exe -u -p 5700 -s 10268
      • -u: user mode
      • -p: process ID of the crashed process
      • -s: [unknown]
    • Session: 1
    • User: the crashing process’ user
    • Parent: the crashing process, PID 5700
  6. Event ID 1000 is generated in the application event log
    • Most likely by WerFault.exe PID 33360
    • Event source: Application Error
    • Event message text (excerpt): Faulting application name: [crashed EXE], version: [EXE version], time stamp: [EXE build time]
  7. Task Scheduler service (Schedule) starts wermgr.exe with PID 21732
    • Command line: C:\WINDOWS\system32\wermgr.exe -upload
    • Session: 0
    • User: SYSTEM
  8. WerFault.exe PID 33360 in session 1 stops after approx. 960 ms
  9. The crashed process PID 5700 stops
  10. wermgr.exe PID 21732 stops after approx. 1.8 s
  11. Windows Error Reporting Service stops after approx. 2 min

WerFault’s Command-Line Arguments

Information on the command-line arguments of WerFault.exe is scarce. This is what I could find.

The First Argument

WerFault’s first argument seems to set the mode of operation:

  • -pss: process snapshotting mode via PssNtCaptureSnapshot [deduced from WerFault’s strings]
  • -u: user mode (dump creation)

Additional Arguments

  • -s: [unknown]. The values seen above (468 in the -pss instance, 10268 in the -u instance) differ per instance; what they refer to is not established here.
  • -p: process ID
  • -ip: initiating process ID [deduced from WerFault’s strings]
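The sequence above has a consequence for process-tree based detection: the -u instance of WerFault.exe legitimately appears as a child of whichever application crashed, in that user’s session and security context, while the -pss instance is always a child of the WerSvc svchost running as SYSTEM in session 0. The following Python script, an added example that is not part of the original post or of uberAgent, encodes exactly those expectations together with the argument meanings listed above, and runs them over constructed process-creation telemetry modelled on the sequence. The PIDs, sessions and users are the ones shown in the post; the crashing application’s image path, the user name and the parent PIDs of the svchost and wermgr processes are placeholders, since the post does not record them; the extra WerFault.exe event at the end is a constructed deviation so that the check has something to flag.

```python
"""Check WerFault.exe instances in process-creation telemetry against the
launch sequence documented above.

Added example, not code from the post or from uberAgent. The telemetry below is
constructed: PIDs, sessions and users follow the post; the crashing
application's path, the user name and the parent PIDs of svchost/wermgr are
placeholders the post does not provide.
"""
from dataclasses import dataclass

WERFAULT_IMAGE = r"c:\windows\system32\werfault.exe"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (e.g. Sysmon event 1 or Security 4688)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    session: int
    user: str


SAMPLE_EVENTS = [
    # the application that crashes (placeholder path and user)
    ProcEvent(5700, 4200, r"C:\Apps\example.exe", r"C:\Apps\example.exe", 1, r"CONTOSO\alice"),
    # step 2: WER service host (parent PID is a placeholder)
    ProcEvent(3424, 788, r"C:\WINDOWS\System32\svchost.exe",
              r"C:\WINDOWS\System32\svchost.exe -k WerSvcGroup", 0, "SYSTEM"),
    # step 3: snapshot instance, child of the WER service
    ProcEvent(35380, 3424, r"C:\WINDOWS\system32\WerFault.exe",
              r"C:\WINDOWS\system32\WerFault.exe -pss -s 468 -p 5700 -ip 5700", 0, "SYSTEM"),
    # step 5: user-mode instance, child of the crashing process
    ProcEvent(33360, 5700, r"C:\WINDOWS\system32\WerFault.exe",
              r"C:\WINDOWS\system32\WerFault.exe -u -p 5700 -s 10268", 1, r"CONTOSO\alice"),
    # step 7: upload task (parent PID is a placeholder)
    ProcEvent(21732, 1100, r"C:\WINDOWS\system32\wermgr.exe",
              r"C:\WINDOWS\system32\wermgr.exe -upload", 0, "SYSTEM"),
    # constructed deviation: a -u instance whose parent is not the PID named by
    # -p and which runs in a different session than that process
    ProcEvent(40100, 9001, r"C:\WINDOWS\system32\WerFault.exe",
              r"C:\WINDOWS\system32\WerFault.exe -u -p 5700 -s 772", 0, "SYSTEM"),
]


def parse_werfault_args(cmdline):
    """Split a WerFault.exe command line into mode and numeric switches.

    The first switch (-pss or -u) is the mode; -s, -p and -ip take one integer.
    -s is kept as an opaque number because its meaning is not established.
    """
    tokens = cmdline.split()[1:]  # drop the image path
    args = {"mode": None, "s": None, "p": None, "ip": None}
    if tokens and tokens[0] in ("-pss", "-u"):
        args["mode"] = tokens[0]
        tokens = tokens[1:]
    i = 0
    while i < len(tokens):
        if tokens[i] in ("-s", "-p", "-ip") and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            args[tokens[i][1:]] = int(tokens[i + 1])
            i += 2
        else:
            i += 1
    return args


def is_wersvc_host(ev):
    """True for the svchost.exe instance hosting WerSvc (-k WerSvcGroup)."""
    return ev.image.lower().endswith("svchost.exe") and "-k wersvcgroup" in ev.cmdline.lower()


def check_werfault(ev, by_pid):
    """Return the deviations of one WerFault.exe event from the documented
    sequence; an empty list means it looks like a genuine crash report."""
    findings = []
    args = parse_werfault_args(ev.cmdline)
    if args["p"] is None:
        return ["no -p <pid> switch"]
    target = by_pid.get(args["p"])
    parent = by_pid.get(ev.ppid)
    if target is None:
        findings.append(f"-p {args['p']} refers to no known process")
    if args["mode"] == "-pss":
        # snapshot stage: started by the WER service as SYSTEM in session 0
        if parent is None or not is_wersvc_host(parent):
            findings.append("-pss instance not started by svchost -k WerSvcGroup")
        if ev.session != 0 or ev.user.upper() != "SYSTEM":
            findings.append("-pss instance not running as SYSTEM in session 0")
    elif args["mode"] == "-u":
        # dump stage: child of the crashing process, in its session and as its user
        if ev.ppid != args["p"]:
            findings.append(f"-u instance parent {ev.ppid} is not the crashing PID {args['p']}")
        if target is not None and (ev.session != target.session or ev.user != target.user):
            findings.append("-u instance session or user differ from the crashing process")
    else:
        findings.append(f"unrecognised mode switch in {ev.cmdline!r}")
    return findings


def audit(events):
    """Map each WerFault.exe PID in the telemetry to its list of findings."""
    by_pid = {ev.pid: ev for ev in events}
    return {ev.pid: check_werfault(ev, by_pid)
            for ev in events if ev.image.lower() == WERFAULT_IMAGE}


if __name__ == "__main__":
    for pid, findings in audit(SAMPLE_EVENTS).items():
        print(pid, "OK" if not findings else "; ".join(findings))
```

Run as a script it prints one line per WerFault.exe instance: the two instances from the post come out clean, the constructed one is flagged twice, once for its parent and once for its session. To use it on real data, replace SAMPLE_EVENTS with records built from your process-creation events; the check deliberately ignores -s, since its meaning is not established above.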
