Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Windows Error Reporting Service is disabled still getting WerFault instance in kerneldump.

rahulpathak2002rahulpathak2002 Member Posts: 6

Hi All,
I have a BSOD dump:
1: kd> !dumptype
!dumptype
C:\RP_Local\Issues\mxxdat\Cases\xxxxxxx\MEMORY.DMP
Mini
TYPE: e4e9d050

I can also see that wersvc is disabled:

 1: kd> !reg q \REGISTRY\MACHINE\System\ControlSet001\services\WERSVC  
   …
[ValueType]         [ValueName]                   [ValueData]
REG_SZ              DisplayName                   Windows Error Reporting Service
REG_DWORD           ErrorControl                  0
REG_EXPAND_SZ       ImagePath                     %SystemRoot%\System32\svchost.exe -k WerSvcGroup
REG_DWORD           Start                         4

And I can also see following werfault process in dump. So my query is that it is possible that even after Windows Error Reporting Service being disabled , Werfault could be invoked by some other process.

PROCESS ffffdf8700a40080
SessionId: 1 Cid: 1c74 Peb: 005d1000 ParentCid: 1bf4
DirBase: 4cdca002 ObjectTable: ffffb50a70747600 HandleCount:
Image: WerFault.exe

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,403

    You present pretty good evidence that it can. You did see that the WerFault executable is not what the service launches, right?

    Why would you disable the WERSVC?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • rahulpathak2002rahulpathak2002 Member Posts: 6

    hi Tim_Roberts, Yes WERSVC was not launching Werfault, Actually werfault is launched by iexplorer.exe. My question is that as per my understanding it is WERSVC which directs/invokes werfault in case of any exception is occured in a process but here as we can see WERSVC is in disabled state so how come werfault is being launched by some process. Or is there something else that I am missing regarding WERSVC and werfault.
    Thanks

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,403

    I don't know. Why do you care?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • rahulpathak2002rahulpathak2002 Member Posts: 6

    Hi Tim_Roberts, I am trying to get the underlying concept of WERSVC and Werfault and whether do they work independently as in this case. Like werfault was invoked event if WERSVC is disabled . So here my concern is to understand the WerFault and WERSVC behavior. Thanks

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,403

    The term "Windows error" has many different meanings. There might be no relationship at all between these two modules. The "Windows error service" helps to diagnose system and app crashes by phoning home to Redmond to look up potential solutions based on crash signatures. Maybe (and I am just making this up) the "werfault" module just saves crash dumps and makes error log entries. That's my guess.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • rahulpathak2002rahulpathak2002 Member Posts: 6

    Thanks for your inputs.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA