╔═══════════════════════════════════════
║ Instructions - Debugging - Windows Error Reporting - Process Dump Configuration
WER (Windows Error Reporting) is the built-in debugger facility available on every Windows 6.0 and uplevel version. It can be configured to automatically create a JIT (Just-In-Time) dump of any user mode process suffering a second-chance exception (i.e. crashing). These instructions will configure WER to create up to 16 JIT full process memory dumps of any user mode processes suffering second-chance exceptions.
Full process memory dumps (user mode process dumps) are not to be confused with full memory dumps (kernel mode or kernel+user mode memory dumps). Full process memory dumps are dumps of only a single process, and are called 'full' because they capture a process' full address space. The default user mode process memory dump contains only stacks and registers.
┌───────────────────────────────────────
│ Reference
• Collecting User-Mode Dumps
• Windows Error Reporting
• Operating System Version
• User Account Control
┌───────────────────────────────────────
│ Acquire
• There is nothing to acquire; Windows Error Reporting is a component of the operating system in Windows 6.0 and uplevel.
┌───────────────────────────────────────
│ Configure - Universal Process Settings - Registry Editor
• Universal settings are preferred and should be used unless they result in 'too many' process dumps that consume excessive mass storage space, or unless some other environmental reason rules them out.
• Open 'Registry Editor'.
· Press: Windows Button+R
· The window 'Run' will appear.
· Enter: regedit.exe
· Click: OK
· The window 'Run' will close.
· The window 'User Account Control' will appear.
· Click: OK
· The window 'User Account Control' will close.
· The window 'Registry Editor' will appear.
· Set registry values under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps:
  · DumpCount, REG_DWORD, 0x00000010 (16)
  · DumpFolder, REG_EXPAND_SZ, C:\Users\Public\Documents
  · DumpType, REG_DWORD, 0x00000002 (2)
• Close the window 'Registry Editor'.
┌───────────────────────────────────────
│ Configure - Universal Process Settings - .reg File
• The text below can be saved in a .reg file and imported to configure universal settings:
Windows Registry Editor Version 5.00

; DumpFolder is the REG_EXPAND_SZ string %PUBLIC%\Documents, stored as UTF-16LE bytes.
; %PUBLIC% normally resolves to C:\Users\Public.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpCount"=dword:00000010
"DumpFolder"=hex(2):25,00,50,00,55,00,42,00,4c,00,49,00,43,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00
"DumpType"=dword:00000002
┌───────────────────────────────────────
│ Configure - Per-Application Settings - Registry Editor
• Per-application settings for a specific process will override any universal settings.
· Per-application settings may be necessary if a specific process requires settings that differ from the universal settings.
• PSPro recommends use of per-application settings only if there is a reason not to use universal settings.
· A specific process may be the identified target of an investigation, but other processes that are also suffering exceptions, and whose relation to the investigation is not yet known, might escape notice if universal settings are not configured.
• Open 'Registry Editor'.
· Press: Windows Button+R
· The window 'Run' will appear.
· Enter: regedit.exe
· Click: OK
· The window 'Run' will close.
· The window 'User Account Control' will appear.
· Click: OK
· The window 'User Account Control' will close.
· The window 'Registry Editor' will appear.
· For each application:
  · Create registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\<processname.exe>
    · Where '<processname.exe>' is the process name of an application.
  · Set registry values under that key:
    · DumpCount, REG_DWORD, 0x00000010 (16)
    · DumpFolder, REG_EXPAND_SZ, C:\Users\Public\Documents
    · DumpType, REG_DWORD, 0x00000002 (2)
• Close the window 'Registry Editor'.
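Added example (not part of the original instructions): the DumpFolder value in the .reg text of the 'Configure - Universal Process Settings - .reg File' section is an opaque hex(2) blob, so this Python code decodes a LocalDumps .reg file before it is imported and shows where dumps will be written, for the universal key and for any per-application subkeys. The function names are this example's own, and it goes beyond the page's single-line form by also joining hex data that Registry Editor wraps with a trailing backslash.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
# The page's .reg text, embedded so the example runs offline.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpCount"=dword:00000010
"DumpFolder"=hex(2):25,00,50,00,55,00,42,00,4c,00,49,00,43,00,25,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00
"DumpType"=dword:00000002
'''

def decode_value(raw):
    """Return (registry type, decoded value) for the right-hand side of a .reg line."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    kind, _, data = raw.partition(":")
    blob = bytes(int(b, 16) for b in data.split(",") if b.strip())
    if kind == "hex(2)":  # REG_EXPAND_SZ: UTF-16LE text with a trailing NUL
        return "REG_EXPAND_SZ", blob.decode("utf-16-le").rstrip("\x00")
    return kind, blob  # other hex types are returned as raw bytes

def parse_reg(text):
    """Map each [key] in version 5.00 .reg text to {value name: (type, value)}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex data wrapped with a trailing '\'
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys

def localdumps_settings(text):
    """Return {scope: {name: value}}; scope is 'universal' or a per-application process name."""
    out = {}
    for key, values in parse_reg(text).items():
        if key.lower() == ROOT.lower():
            scope = "universal"
        elif key.lower().startswith(ROOT.lower() + "\\"):
            scope = key[len(ROOT) + 1:]
        else:
            continue  # not a WER LocalDumps key
        out[scope] = {name: value for name, (_type, value) in values.items()}
    return out

if __name__ == "__main__":
    for scope, values in localdumps_settings(REG_TEXT).items():
        print(scope, values)
```

For the page's file the decoded DumpFolder is %PUBLIC%\Documents, the unexpanded form of the C:\Users\Public\Documents path given in the Registry Editor steps.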
┌───────────────────────────────────────
│ Credits
Any external referenced material in this document is hyperlinked. Authors responsible for referenced work should be sought through the reference(s) listed.
I am Christopher Etter, a Professional Services consultant.
Because you are using this, I welcome you as my customer. These documents are free for you to use. I work diligently to serve you with material such as this. I would appreciate it if PSPRO (professionalservices.pro), my name, and this 'Credits' section remain attached to this work so that I accrue name recognition via your success and peer recommendation. Thank you very much, and I hope this document helps you solve your current information technology issue!