Anatomy of WerFault.exe's Application Crash Error Reporting

Windows Internals
Published Mar 8, 2021

Not much information is available on Windows Error Reporting’s WerFault.exe, the process that is launched by the OS whenever an application crashes. This post documents the launch sequence of WerFault.exe and its related processes along with their command line parameters.

How WerFault.exe Handles an Application Crash

The following sequence shows how Windows Error Reporting (WER) handles a typical application crash on my machine (Windows 10 20H2). Most of the data is from uberAgent, our application monitoring and security analytics product.

Unhandled exception in a process with PID 5700 running in session ID 1. This is the crash that triggers WER.
Service Control Handler starts Windows Error Reporting Service (WerSvc)
- Command line: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
- Session: 0
- User: SYSTEM
Windows Error Reporting Service starts WerFault.exe with PID 35380
- Command line: C:\WINDOWS\system32\WerFault.exe -pss -s 468 -p 5700 -ip 5700
  - -pss: process snapshotting mode
  - -s: ?
  - -p: process ID
  - -ip: initiating process ID
- Session: 0
- User: SYSTEM
WerFault.exe PID 35380 in session 0 stops after approx. 60 ms
A second instance of WerFault.exe is started, this time PID 33360 in the crashing process’ session
- Command line: C:\WINDOWS\system32\WerFault.exe -u -p 5700 -s 10268
- -u: user mode
- -p: process ID
- -s: ?- Session: 1
- User: the crashing process’ user
- Parent: the crashing process PID 5700
Event ID 1000 is generated in the application event log
- Most likely by WerFault.exe PID 33360
- Event source: Application Error
- Event message text (excerpt): Faulting application name: [crashed EXE], version: [EXE version], time stamp: [EXE build time]
Task Scheduler service (Schedule) starts wermgr.exe with PID 21732
- Command line: C:\WINDOWS\system32\wermgr.exe -upload
- Session: 0
- User: SYSTEM
WerFault.exe PID 33360 in session 1 stops after approx. 960 ms
The crashed process PID 5700 stops
wermgr.exe PID 21732 stops after approx. 1.8 s
Windows Error Reporting Service stops after approx. 2 min

WerFault’s Command-Line Arguments

Information on the command-line arguments of WerFault.exe are scarce. This is what I could find.

The First Argument

WerFault’s first argument seems to set the mode of operation:

-pss: process snapshotting mode via PssNtCaptureSnapshot [deduced from WerFault’s strings]
-u: user mode (dump creation)

Additional Arguments

-s: [unknown]
-p: process ID
-ip: initiating process ID [deduced from WerFault’s strings]

Further Reading

Crash Dump WerFault Windows Error Reporting

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Visualizing the Impact of Folder Redirection – Start Menu Search

This is the third in a series of articles on folder redirection by Aaron Parker, Helge Klein and Shawn Bass. Part one: How Folder Redirection Impacts UX & Breaks Applications Part two: Visualizing the Impact of Folder Redirection – Logon and Application Launch Part three: this article Part four: Measuring the Impact of Folder Redirection – User Logon Previously on this Series If you have been following this mini-series you know that after explaining the basics in part one we got to the juicy bits in part two, where Aaron Parker presented videos that vividly show that folder redirection indeed speeds up user logons considerably, but at the price of potentially horrible user experience during the session. In this third part we are going to explore that in more detail.

Windows Internals

Per-User Services in Windows: Info & Configuration

Per-User Services in Windows: Info & Configuration

It’s a little-known fact that Windows comes with per-user services, background processes that complement the well-known per-machine system services. This article explains what per-user services are, how to create your own, and which configuration options there are.

Windows Internals

Citrix XenApp/XenDesktop API Hooking Explained

Citrix XenApp/XenDesktop API Hooking Explained

What is API Hooking? API hooking is all about making others do things they never even knew they could do. More precisely: tricking other processes into doing things differently from what their developers programmed.

Citrix/Terminal Services/Remote Desktop Services

How to Enable BitLocker Hardware Encryption with SSDs

How to Enable BitLocker Hardware Encryption with SSDs

2019-10-01: with the 2019 September update KB4516045 BitLocker uses software instead of hardware encryption by default. Likely reason: the security of software encryption can be controlled by Microsoft. Hardware encryption in the drive may be buggy.

Windows Internals

Latest Posts

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting

GitHub: Authenticated Access via SSH

GitHub: Authenticated Access via SSH

This article describes how to set up authenticated access to a (private or public) GitHub repository from Linux. Create & Set Up an SSH Key SSH Key Creation Create a new SSH key:

Software development