How to collect user-mode crash dumps with Windows Error Reporting


Note: The following procedure is the preferred method for gathering Windows debug logs for GFI MailEssentials and other products. It is only available in Windows Server 2008/Vista SP1 or higher.

This feature is not enabled by default. Enabling the feature requires administrator privileges. To enable and configure this feature, create the LocalDumps registry values under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting key:
  1. Open the Windows registry editor (Start > Run > type regedit.exe and press Enter)
  2. Make a backup copy of the registry
  3. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
  4. If it does not exist, create the following key: LocalDumps
  5. In this key, add the following values:
  • Create a STRING value DumpFolder with the following content: C:\test (choose your location here). It is recommended not to use the root folder.
  • Create a DWORD (32-bit) value DumpCount and assign 10 (decimal) to it
  • Create a DWORD (32-bit) value DumpType and assign 2 (decimal) to it
  • Create a DWORD (32-bit) value CustomDumpFlags and assign 0 (decimal) to it
  6. Restart the machine to apply the changes
These registry values represent the global settings. You can also provide per-application settings that override the global settings. To create a per-application setting, create a new key for your application under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps (for example, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps\MEC.MSEC.attendant.exe). Add your dump settings under the MEC.MSEC.attendant.exe key. If your application crashes, WER will first read the global settings, and then will override any of the settings with your application-specific settings.
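
The same procedure as a script, with a read-back of the settings that will apply to one application. This is an added example, not vendor code: the backup file location, the per-application override values and the helper function names are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
$WerPath      = 'SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$Dumps        = "HKLM:\$WerPath\LocalDumps"
$AppName      = 'MEC.MSEC.attendant.exe'   # per-application key named in the article
# DumpType 2 is a full dump: it contains the process's memory, so keep the folder access-restricted.
$GlobalValues = @{ DumpFolder = 'C:\test'; DumpCount = 10; DumpType = 2; CustomDumpFlags = 0 }
$AppValues    = @{ DumpFolder = 'C:\test\attendant'; DumpCount = 3 }   # constructed sample override

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Administrator privileges are required.' }

# Back up the WER key before touching it (backup location is an assumption).
$backup = Join-Path $env:TEMP 'wer-backup.reg'
& reg.exe export "HKLM\$WerPath" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

function Set-DumpValues([string]$Key, [hashtable]$Values) {
    # Create the key if it does not exist, then write each value with the type the article gives.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        $type = if ($Values[$name] -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $Key -Name $name -Value $Values[$name] `
            -PropertyType $type -Force | Out-Null
    }
}

function Get-EffectiveDumpValues([string]$App) {
    # Mirrors the article: global settings are read first, then per-application values override them.
    $effective = @{}
    foreach ($key in @($Dumps, (Join-Path $Dumps $App))) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'DumpFolder', 'DumpCount', 'DumpType', 'CustomDumpFlags') {
            if ($props -and $props.PSObject.Properties[$name]) { $effective[$name] = $props.$name }
        }
    }
    $effective
}

Set-DumpValues -Key $Dumps -Values $GlobalValues
Set-DumpValues -Key (Join-Path $Dumps $AppName) -Values $AppValues
foreach ($dir in $GlobalValues.DumpFolder, $AppValues.DumpFolder) {
    # Creating the dump folders up front is an added precaution, not a step from the article.
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}
Get-EffectiveDumpValues -App $AppName | Format-Table -AutoSize
Write-Host 'Restart the machine to apply the changes.'
```

With the sample override above, the read-back for MEC.MSEC.attendant.exe shows DumpFolder and DumpCount from the per-application key and DumpType and CustomDumpFlags from the global key.
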

After an application crashes and prior to its termination, the system will check the registry settings to determine whether a local dump is to be collected. After the dump collection has completed, the application will be allowed to terminate normally. If the application supports recovery, the local dump is collected before the recovery callback is called.

These dumps are configured and controlled independently of the rest of the WER infrastructure. You can make use of the local dump collection even if WER is disabled or if the user cancels WER reporting. The local dump can be different than the dump sent to Microsoft.