Windows Error Reporting Service is disabled still getting WerFault instance in kerneldump.

Hi All,
I have a BSOD dump:
1: kd> !dumptype
!dumptype
C:\RP_Local\Issues\mxxdat\Cases\xxxxxxx\MEMORY.DMP
Mini
TYPE: e4e9d050

I can also see that wersvc is disabled:

 1: kd> !reg q \REGISTRY\MACHINE\System\ControlSet001\services\WERSVC  
   …
[ValueType]         [ValueName]                   [ValueData]
REG_SZ              DisplayName                   Windows Error Reporting Service
REG_DWORD           ErrorControl                  0
REG_EXPAND_SZ       ImagePath                     %SystemRoot%\System32\svchost.exe -k WerSvcGroup
REG_DWORD           Start                         4

And I can also see following werfault process in dump. So my query is that it is possible that even after Windows Error Reporting Service being disabled , Werfault could be invoked by some other process.

PROCESS ffffdf8700a40080
SessionId: 1 Cid: 1c74 Peb: 005d1000 ParentCid: 1bf4
DirBase: 4cdca002 ObjectTable: ffffb50a70747600 HandleCount:
Image: WerFault.exe

You present pretty good evidence that it can. You did see that the WerFault executable is not what the service launches, right?

Why would you disable the WERSVC?

hi Tim_Roberts, Yes WERSVC was not launching Werfault, Actually werfault is launched by iexplorer.exe. My question is that as per my understanding it is WERSVC which directs/invokes werfault in case of any exception is occured in a process but here as we can see WERSVC is in disabled state so how come werfault is being launched by some process. Or is there something else that I am missing regarding WERSVC and werfault.
Thanks

I don’t know. Why do you care?

Hi Tim_Roberts, I am trying to get the underlying concept of WERSVC and Werfault and whether do they work independently as in this case. Like werfault was invoked event if WERSVC is disabled . So here my concern is to understand the WerFault and WERSVC behavior. Thanks

The term “Windows error” has many different meanings. There might be no relationship at all between these two modules. The “Windows error service” helps to diagnose system and app crashes by phoning home to Redmond to look up potential solutions based on crash signatures. Maybe (and I am just making this up) the “werfault” module just saves crash dumps and makes error log entries. That’s my guess.

Thanks for your inputs.