A process crashed in Windows .. Crash dump location
J

7

33

A Windows process crashed for some reason. I need to analyse the crash dump.

In Windows 2003 PC health helped us to find the crash dump file.

How to get the crash dump file location in Windows 2008?

Jemmy answered 16/7, 2010 at 10:16 Comment(0)
B
26

I have observed on Windows 2008 the Windows Error Reporting crash dumps get staged in the folder:

C:\Users\All Users\Microsoft\Windows\WER\ReportQueue

Which, starting with Windows Vista, is an alias for:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Behah answered 29/12, 2010 at 22:47 Comment(2)
Any idea where this would be on Windows 10? Where "All Users" is no longer in Users folder? - Insinuating
@AllTradesJack, Probably C:\ProgramData\Microsoft\Windows\WER\. Also, All Users is a hidden junction point on Windows 8. It's possible if you uncheck the "Hide protected operating system files" option in Windows Explorer options you'll see it. It'll probably redirect to c:\ProgramData. - Behah
E
19

Maybe useful (Powershell)

http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/

From Windows Vista and Windows Server 2008 onwards Microsoft introduced Windows Error Reporting or WER. This allows the server to be configured to automatically enable the generation and capture of Application Crash dumps. The configuration of this is discussed here. The main problem with the default configuration is the dump files are created and stored in the %APPDATA%\crashdumps folder running the process which can make it awkward to collect dumps as they are spread all over the server. There are additional problems with this as well, but the main problem I always had with it was that it's a simple task that is very repetitive but easy to do incorrectly.

Source code in Powershell (should be useful source code in C# too):

# Target folder for the dumps; placeholder value, not from the original post
$Folder = "C:\CrashDumps"

# Create the LocalDumps key if it does not exist yet
$verifydumpkey = Test-Path "HKLM:\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps"

if ($verifydumpkey -eq $false)
{
    New-Item -Path "HKLM:\Software\Microsoft\Windows\Windows Error Reporting\" -Name LocalDumps
}

##### adding the values

$dumpkey = "HKLM:\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps"

# DumpFolder: where dumps are written; DumpCount: how many are kept; DumpType 2: full dump
New-ItemProperty $dumpkey -Name "DumpFolder" -Value $Folder -PropertyType "ExpandString" -Force
New-ItemProperty $dumpkey -Name "DumpCount" -Value 10 -PropertyType "Dword" -Force
New-ItemProperty $dumpkey -Name "DumpType" -Value 2 -PropertyType "Dword" -Force

WER -Windows Error Reporting- Folders:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

%localappdata%\Microsoft\Windows\WER

%LOCALAPPDATA%\CrashDumps

C:\Users\[Current User when app crashed]\AppData\Local\Microsoft\Windows\WER\ReportArchive

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

c:\Users\All Users\Microsoft\Windows\WER\ReportQueue\

BSOD Crash

%WINDIR%\Minidump

%WINDIR%\MEMORY.DMP

Sources:
http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
http://support.microsoft.com/kb/931673
https://support2.microsoft.com/kb/931673?wa=wsignin1.0

Expose answered 1/10, 2014 at 13:51 Comment(0)
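
The registry key and folders listed in the answer above can be checked in one pass. The following PowerShell is an added example, not part of any answer on this page: the function names Get-LocalDumpsConfig and Find-CrashArtifacts are hypothetical, and the service-account profile paths are an assumption that goes beyond the locations the answers name.

```powershell
# Added example (not from any answer): list WER LocalDumps settings and crash artifacts.
# Run elevated so other accounts' profiles are readable.
$werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

function Get-LocalDumpsConfig {
    # Global key plus per-application subkeys; no output when the key is absent.
    if (-not (Test-Path $werKey)) { return }
    $keys = @(Get-Item $werKey) + @(Get-ChildItem $werKey -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        [pscustomobject]@{
            Key        = $k.Name
            # Raw value with %VARS% left unexpanded; $null when the value is not set
            DumpFolder = $k.GetValue('DumpFolder', $null, 'DoNotExpandEnvironmentNames')
            DumpType   = $k.GetValue('DumpType')   # 1 = minidump, 2 = full dump
            DumpCount  = $k.GetValue('DumpCount')
        }
    }
}

function Find-CrashArtifacts {
    # Machine-wide WER queue/archive from the answers, then (assumption beyond
    # the answers) the profiles used by SYSTEM and the built-in service accounts.
    $roots = @(
        "$env:ProgramData\Microsoft\Windows\WER\ReportQueue",
        "$env:ProgramData\Microsoft\Windows\WER\ReportArchive",
        "$env:windir\System32\config\systemprofile\AppData\Local\CrashDumps",
        "$env:windir\ServiceProfiles\LocalService\AppData\Local\CrashDumps",
        "$env:windir\ServiceProfiles\NetworkService\AppData\Local\CrashDumps"
    )
    # %LOCALAPPDATA% is per account, so check every profile under Users
    foreach ($p in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $roots += Join-Path $p.FullName 'AppData\Local\CrashDumps'
        $roots += Join-Path $p.FullName 'AppData\Local\Microsoft\Windows\WER'
    }
    # Explicit DumpFolder values; variables expand in the caller's context here
    foreach ($c in Get-LocalDumpsConfig) {
        if ($c.DumpFolder) { $roots += [Environment]::ExpandEnvironmentVariables($c.DumpFolder) }
    }
    $roots | Select-Object -Unique | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-ChildItem $_ -Recurse -File -Include *.dmp, *.mdmp, *.hdmp, Report.wer -ErrorAction SilentlyContinue
    } | Sort-Object LastWriteTime -Descending | Select-Object LastWriteTime, Length, FullName
}

Get-LocalDumpsConfig | Format-Table -AutoSize
Find-CrashArtifacts  | Format-Table -AutoSize
```

An empty first table means the LocalDumps key is absent or has no values set, in which case only the WER report folders are likely to hold anything.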
H
12

The location is in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Source: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx

Hilleary answered 23/10, 2012 at 7:33 Comment(1)
That registry key is empty. - Latakia
B
3

http://support.microsoft.com/kb/931673

There are Registry changes you can make to explicitly select where the crash dump file resides, otherwise %localappdata%\Microsoft\Windows\WER is the default location. I assume that %localappdata% is defined differently for a user or a service running under System. You will need to enable WER I believe.

Branchia answered 28/12, 2011 at 19:41 Comment(0)
G
2

A core dump is usually only made when the Windows kernel crashes (aka blue screen). A service crash will most of the time only leave some logging behind (in the event viewer probably).

If it is the bluescreen crash dump you are looking for, look in C:\Windows\Minidump or C:\windows\MEMORY.DMP

Goodell answered 16/7, 2010 at 10:36 Comment(1)
That refers to system (BSOD) crash. We're looking for crash logs of applications in Windows. - Latakia
U
2

On Windows 2008 R2, I have seen application crash dumps under either

C:\Users\[Some User]\Microsoft\Windows\WER\ReportArchive

or

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

I don't know how Windows decides which directory to use.

Underbid answered 25/10, 2011 at 18:24 Comment(0)
U
0

Windows 7, 64 bit, no modifications to the Registry key, the location is:

C:\Users\[Current User when app crashed]\AppData\Local\Microsoft\Windows\WER\ReportArchive

Univalve answered 16/10, 2013 at 18:6 Comment(1)
In Windows 8 64 bit, this folder too: C:\ProgramData\Microsoft\Windows\WER\ReportArchive - Expose
