A process crashed in windows .. Crash dump location_问答_开发者

A windows process got crashed for some reason. I need to analyse the crash dump.

In Windows 2003 PC health helped us to find the crash dump file.

How to get the crash dump file locatio开发者_开发问答n in Windows 2008?

I have observed on Windows 2008 the Windows Error Reporting crash dumps get staged in the folder:

C:\Users\All Users\Microsoft\Windows\WER\ReportQueue

Which, starting with Windows Vista, is an alias for:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Maybe useful (Powershell)

http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/

From Windows Vista and Windows Server 2008 onwards Microsoft introduced Windows Error Reporting or WER . This allows the server to be configured to automatically enable the generation and capture of Application Crash dumps. The configuration of this is discussed here . The main problem with the default configuration is the dump files are created and stored in the %APPDATA%\crashdumps folder running the process which can make it awkward to collect dumps as they are spread all over the server. There are additional problems with this as but the main problem I always had with it was that its a simple task that is very repetitive but easy to do incorrectly.

Source code in Powershell (should be useful source code in C# too):

$verifydumpkey = Test-Path "HKLM:\Software\Microsoft\windows\Windows Error Reporting\LocalDumps"
 
    if ($verifydumpkey -eq $false )
    {
    New-Item -Path "HKLM:\Software\Microsoft\windows\Windows Error Reporting\" -Name LocalDumps
    }
 
##### adding the values
 
$dumpkey = "HKLM:\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps"
 
New-ItemProperty $dumpkey -Name "DumpFolder" -Value $Folder -PropertyType "ExpandString" -Force
New-ItemProperty $dumpkey -Name "DumpCount" -Value 10 -PropertyType "Dword" -Force
New-ItemProperty $dumpkey -Name "DumpType" -Value 2 -PropertyType "Dword" -Force

WER -Windows Error Reporting- Folders:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

%localappdata%\Microsoft\Windows\WER

%LOCALAPPDATA%\CrashDumps

C:\Users[Current User when app> crashed]\AppData\Local\Microsoft\Windows\WER\ReportArchive

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

c:\Users\All Users\Microsoft\Windows\WER\ReportQueue\

BSOD Crash

%WINDIR%\Minidump

%WINDIR%\MEMORY.DMP

Sources:
http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
http://support.microsoft.com/kb/931673
https://support2.microsoft.com/kb/931673?wa=wsignin1.0

The location is in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Source: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx

http://support.microsoft.com/kb/931673

There are Registry changes you can make to explicitly select where the crash dump file resides, otherwise %localappdata%\Microsoft\Windows\WER is the default location. I assume that %localappdata% is defined differently for a user or a service running under System. You will need to enable WER I believe.

a core dump is usually only made when the Windows kernel crashes (aka blue screen). A servicecrash will most of the times only leave some logging behind (in the event viewer probably).

If it is the bluescreen crash dump you are looking for, look in C:\Windows\Minidump or C:\windows\MEMORY.DMP

On Windows 2008 R2, I have seen application crash dumps under either

C:\Users\[Some User]\Microsoft\Windows\WER\ReportArchive

C:\ProgramData\Microsoft\Windows\WER\ReportArchive

I don't know how Windows decides which directory to use.

Windows 7, 64 bit, no modifications to the Registry key, the location is:

C:\Users[Current User when app crashed]\AppData\Local\Microsoft\Windows\WER\ReportArchive