Windows error reporting path

The Windows Error Reporting (WER) service collects debugging information about crashes of system and third-party applications in Windows and sends it to Microsoft servers. As Microsoft intended, this information is analyzed and, if a solution exists, a fix for the problem is sent to the user through Windows Error Reporting Response. In practice, few people use this functionality, although Microsoft persistently leaves the WER error collection service enabled by default in all recent versions of Windows. In most cases, WER comes to mind only when the C:\ProgramData\Microsoft\Windows\WER\ReportQueue directory starts to take up a lot of space on the system drive (up to several tens of GB), even though NTFS compression is enabled on this directory by default.

Contents:

  • The Windows Error Reporting service
  • Cleaning up the WER\ReportQueue folder in Windows
  • Disabling Windows Error Reporting in Windows Server
  • Disabling error report collection and sending in Windows 10
  • Disabling Windows Error Reporting through GPO

The Windows Error Reporting service

When an error occurs, the Windows Error Reporting service shows a dialog box offering to send an error report to Microsoft. When you see the error message YourApp has stop working in Windows, the Windows Error Reporting service launches the WerFault.exe utility to collect debugging data (which may include a memory dump).

User data is saved in the user profile:

%USERPROFILE%\AppData\Local\Microsoft\Windows\wer

System data is saved in the system directory:

%ALLUSERSPROFILE%\Microsoft\Windows\WER

Windows Error Reporting is a separate Windows service. You can check the state of the service with the PowerShell command:

Get-Service WerSvc

The WER\ReportQueue directory contains many subdirectories with names in the following format:

  • Critical_6.3.9600.18384_{ID}_00000000_cab_3222bf78
  • Critical_powershell.exe_{ID}_cab_271e13c0
  • Critical_sqlservr.exe__{ID}_cab_b3a19651
  • NonCritical_7.9.9600.18235__{ID}_0bfcb07a
  • AppCrash_cmd.exe_{ID}_bda769bf_37d3b403

As you can see, the directory name contains the severity of the event and the name of the specific exe file that crashed. Every directory contains a Report.wer file with a description of the errors, plus several files with additional information.

Cleaning up the WER\ReportQueue folder in Windows

As a rule, each folder in WER is small, but in some cases a memory dump is generated for the problem process, and it takes up quite a lot of space. The screenshot below shows that the memory.hdmp dump file is about 610 MB. A couple of such dumps, and several gigabytes of free disk space are gone.

Screenshot: the Report.wer and memory.hdmp files

To clear all these errors and logs with built-in tools, open Control Panel and go to Control Panel -> System and Security -> Security and Maintenance -> Maintenance -> View reliability history -> View all problem reports (Control Panel\System and Security\Security and Maintenance\Problem Reports), then click Clear all problem reports.

To quickly free disk space from debug files generated by the WER service, the contents of the following directories can be safely cleared manually.

  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue

The following PowerShell commands delete all files older than 15 days from the WER directories:

Get-ChildItem -Path 'C:\ProgramData\Microsoft\Windows\WER\ReportArchive' -Recurse | Where-Object CreationTime -lt (Get-Date).AddDays(-15) | Remove-Item -Force -Recurse
Get-ChildItem -Path 'C:\ProgramData\Microsoft\Windows\WER\ReportQueue' -Recurse | Where-Object CreationTime -lt (Get-Date).AddDays(-15) | Remove-Item -Force -Recurse

To clean up the WER directories in user profiles, use this script:

# Skip the Public and Default profiles, then empty each remaining user's WER folder
$users = Get-ChildItem C:\Users | Where-Object { $_.Name -notmatch 'Public|default' }
foreach ($user in $users) {
    Get-ChildItem "C:\Users\$($user.Name)\AppData\Local\Microsoft\Windows\WER\" -Recurse -ErrorAction SilentlyContinue | Remove-Item -Force -Recurse
}
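
Before deleting anything, it helps to see which report folders hold the space and which of them contain memory dumps. The function below is an added example, not part of the original article: it inventories a WER report directory and splits each folder name into its event type and subject. The function name, the folder-name regex and the temporary demo tree are assumptions constructed for illustration.

```powershell
function Get-WerReportInventory {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Directory -Force | ForEach-Object {
            $files = @(Get-ChildItem -LiteralPath $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum

            # Folder names look like <Type>_<Subject>_<hex id>_...; the id length
            # varies, so accept any run of 20 or more hex digits (assumption).
            $type = $null; $subject = $null
            if ($_.Name -match '^(?<type>[A-Za-z]+)_(?<subject>.+?)_+(?<id>[0-9a-f]{20,})_') {
                $type    = $Matches['type']
                $subject = $Matches['subject']
            }

            [pscustomobject]@{
                Type    = $type
                Subject = $subject
                Files   = $files.Count
                SizeMB  = [math]::Round([double]$bytes / 1MB, 2)
                Dumps   = @($files | Where-Object Extension -in '.hdmp', '.mdmp', '.dmp').Name -join ', '
                Created = $_.CreationTime
                Folder  = $_.FullName
            }
        }
    }
}

# --- Demo on a constructed tree (folder names and ids are made up) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('wer-demo-' + [guid]::NewGuid().ToString('N'))
$withDump = New-Item -ItemType Directory -Force -Path (Join-Path $demo 'AppCrash_cmd.exe_0123456789abcdef0123456789abcdef01234567_bda769bf_37d3b403')
$noDump   = New-Item -ItemType Directory -Force -Path (Join-Path $demo 'Critical_powershell.exe_89abcdef0123456789abcdef0123456789abcdef_00000000_cab_271e13c0')

Set-Content -LiteralPath (Join-Path $withDump.FullName 'Report.wer') -Value 'EventType=APPCRASH'
Set-Content -LiteralPath (Join-Path $noDump.FullName 'Report.wer')   -Value 'EventType=APPCRASH'
# A 2 MB placeholder standing in for a real memory dump
[IO.File]::WriteAllBytes((Join-Path $withDump.FullName 'memory.hdmp'), (New-Object byte[] (2MB)))

Get-WerReportInventory -Path $demo |
    Sort-Object SizeMB -Descending |
    Format-Table Type, Subject, Files, SizeMB, Dumps -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force

# On a real system, point it at the two directories named above:
# Get-WerReportInventory -Path 'C:\ProgramData\Microsoft\Windows\WER\ReportQueue',
#                              'C:\ProgramData\Microsoft\Windows\WER\ReportArchive'
```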

Disabling Windows Error Reporting in Windows Server

In Windows Server 2019/2016/2012R2 you can manage the state of WER with PowerShell. You can disable the Windows Error Reporting service:

Get-Service WerSvc | Stop-Service -PassThru -Force
Set-Service WerSvc -StartupType Manual -PassThru

But there are more correct ways to disable WER in Windows. PowerShell 4.0 added a separate WindowsErrorReporting module with three cmdlets:

Get-Command -Module WindowsErrorReporting

You can check the state of the Windows Error Reporting service with the command:

Get-WindowsErrorReporting

To disable WER, run:

Disable-WindowsErrorReporting

In Windows Server 2012 R2 you can disable the recording of Windows Error Reporting error information through Control Panel (Control Panel -> System and Security -> Action Center -> Maintenance section -> Settings -> select the option I don’t want to participate, and don’t ask me again).

Disabling error report collection and sending in Windows 10

In Windows 10 you cannot disable Error Reporting through Control Panel. In the graphical interface you can only check its status (System and Security -> Security and Maintenance -> Maintenance section). As you can see, the Report problems setting is enabled by default (Control Panel -> System and Security -> Security and Maintenance -> Maintenance -> Report problems = On).

In the registry key HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting, create a new DWORD (32-bit) value named Disabled with the value 1.

You can disable WER error collection for specific users:

reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f

Or disable WER for everyone:

reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f

Change the registry value and check the status of the Report problems setting in Control Panel. Its status should change to Off.

Disabling Windows Error Reporting through GPO

You can also manage the Windows Error Reporting settings through Group Policy.

Open the local (gpedit.msc) or domain (gpmc.msc) GPO editor and go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Error Reporting. To disable collection and sending of errors through WER, enable the Disable Windows Error Reporting policy.

A similar policy exists in the user section of the policies (User Configuration).

Update the GPO (no reboot is required).

As a result, Windows stops generating Windows error reports and sending them to Microsoft.

I just want to find out which location does the WER write its dump file? Also is this location specific to OS?

  • windows
  • windbg
  • windows-error-reporting

asked Jan 6, 2012 at 21:36

imak

  • My app keeps crashing, I couldn’t find much info from the dump file I generated from adplus. Just curious if the WER dump file has any other info

    Jan 6, 2012 at 22:26

  • Are you able to debug and see what exceptions are being thrown?

    Jan 6, 2012 at 22:34

  • Like I said I couldn’t find much info from that dump file.

    Jan 6, 2012 at 22:39

  • Not through the dump file but like visual studio and run your code. Are you able to do that?

    Jan 6, 2012 at 22:43

1 Answer

The documentation for WER says you can set registry settings to control the dump location and the type of dump

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpFolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType

Default value for DumpFolder is %LOCALAPPDATA%\CrashDumps.

answered Jan 6, 2012 at 22:45

jcopenha

  • In windows 10, it appears the directory is %ProgramData%\Microsoft\Windows\WER\ReportArchive, but no directory related key exists within the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting branch

    Jul 26, 2017 at 18:46

  • there are relevant entries at Control Panel\All Control Panel Items\Security and Maintenance\Problem Reports and Control Panel\All Control Panel Items\Security and Maintenance under the top entry of the Maintenance heading

    Jul 26, 2017 at 18:56

Windows Error Reporting (WER) is a Windows function that captures the data of software crashes and can report this information to software vendors via Microsoft’s Winqual service. In this Windows Error Reporting series, I will explain how WER works, how you can access the information in WER files, and how you can disable Windows Error Reporting.

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

Action Center Check for Solutions

Windows Error Reporting has been available since Windows XP, although changes have been introduced in Vista and Windows 7. Whenever a Windows application crashes, a WER file is created, which contains valuable information that can help you analyze why the crash happened.

While software vendors have to sign up to Microsoft’s Winqual service to access the crash data from their customers, admins can access it by opening the .wer files, which are simple text files that Windows stores at different locations. In some cases, the problem description will help you to understand why an application crashed.

However, it is often only the developer who will really understand the contents of the .wer file. But you can’t go wrong having a look at these files before you decide whether you want to enable or disable Windows Error Reporting (if you are worried that confidential data will be sent to third parties). Furthermore, you can also send the files to the support service of your software or hardware vendor in the hope that they can figure out what went wrong.

In Windows 7, Windows Error Reporting files can be stored in a subfolder somewhere deep down in the ProgramData or User directory. The name of the subfolder is simply WER, and the file extension is .wer.

You can use Windows Search or another desktop search tool to locate them all. However, the information in these .wer files can also be accessed through the Windows Action Center (Control Panel\System and Security\Action Center).

Action Center View Problems to Reports

You’ll find a list of all crash reports behind the link “View problems to report” in the Maintenance section. If you type “view problems” in the Windows Start Menu search prompt, you will probably get quicker access to the Action Center applet. Clicking on “View technical details” will then display the information in the corresponding .wer file.

Action Center Problem Details

In Vista, you have to type “problems” in the Windows Start Menu search prompt and then click on “Problems and Reports and Solutions”. The list of .wer files is behind the “View problem history” link. To view the contents of the .wer file, you have to right click on one of the entries.

In the next post of my Windows Error Reporting series, I will review the free tool AppCrashView, which has some additional useful features for accessing the information in .wer files.

title: Troubleshooting a Failover Cluster using Windows Error Reporting
description: Troubleshooting a Failover Cluster using WER Reports, with specific details on how to gather reports and diagnose common issues.
ms.author: johnmar
author: JohnMarlin-MSFT
ms.date: 10/21/2021
ms.topic: troubleshooting

Troubleshooting a Failover Cluster using Windows Error Reporting

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server, Azure Stack HCI, versions 21H2 and 20H2

Windows Error Reporting (WER) is a flexible event-based feedback infrastructure designed to help advanced administrators or Tier 3 support gather information about the hardware and software problems that Windows can detect, report the information to Microsoft, and provide users with any available solutions. This reference provides descriptions and syntax for all WindowsErrorReporting cmdlets.

The information on troubleshooting presented below will be helpful for troubleshooting advanced issues that have been escalated and that may require data to be sent to Microsoft for triaging.

Enabling event channels

When Windows Server is installed, many event channels are enabled by default. But sometimes when diagnosing an issue, we want to be able to enable some of these event channels since it will help in triaging and diagnosing system issues.

You could enable additional event channels on each server node in your cluster as needed; however, this approach presents two problems:

  1. You have to remember to enable the same event channels on every new server node that you add to your cluster.
  2. When diagnosing, it can be tedious to enable specific event channels, reproduce the error, and repeat this process until you root cause.

To avoid these issues, you can enable event channels on cluster startup. The list of enabled event channels on your cluster can be configured using the public property EnabledEventLogs. By default, the following event channels are enabled:

PS C:\Windows\system32> (get-cluster).EnabledEventLogs

Here’s an example of the output:

Microsoft-Windows-Hyper-V-VmSwitch-Diagnostic,4,0xFFFFFFFD
Microsoft-Windows-SMBDirect/Debug,4
Microsoft-Windows-SMBServer/Analytic
Microsoft-Windows-Kernel-LiveDump/Analytic

The EnabledEventLogs property is a multistring, where each string is in the form: channel-name, log-level, keyword-mask. The keyword-mask can be a hexadecimal (prefix 0x), octal (prefix 0), or decimal (no prefix) number. For instance, to add a new event channel to the list and to configure both log-level and keyword-mask you can run:

(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic,2,321"

If you want to set the log-level but keep the keyword-mask at its default value, you can use either of the following commands:

(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic,2"
(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic,2,"

If you want to keep the log-level at its default value, but set the keyword-mask you can run the following command:

(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic,,0xf1"

If you want to keep both the log-level and the keyword-mask at their default values, you can run any of the following commands:

(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic"
(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic,"
(get-cluster).EnabledEventLogs += "Microsoft-Windows-WinINet/Analytic,,"

These event channels will be enabled on every cluster node when the cluster service starts or whenever the EnabledEventLogs property is changed.
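
To review what a cluster's EnabledEventLogs list actually turns on, the entries can be split into their three fields using the rules described above. This parser is an added example, not code from the original documentation; the function name is hypothetical, and the sample strings are the ones shown on this page.

```powershell
function ConvertFrom-EnabledEventLogEntry {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Entry)

    process {
        # Format: channel-name[,log-level[,keyword-mask]]; empty fields mean "default"
        $parts = $Entry.Split(',')
        if ($parts.Count -gt 3 -or [string]::IsNullOrWhiteSpace($parts[0])) {
            throw "Malformed EnabledEventLogs entry: '$Entry'"
        }

        $level = $null
        if ($parts.Count -ge 2 -and $parts[1].Trim()) {
            $level = [int]$parts[1].Trim()
        }

        $mask = $null
        if ($parts.Count -eq 3 -and $parts[2].Trim()) {
            $m = $parts[2].Trim()
            if ($m -match '^0[xX][0-9a-fA-F]+$') {
                $mask = [Convert]::ToUInt64($m.Substring(2), 16)   # hexadecimal, prefix 0x
            } elseif ($m -match '^0[0-7]+$') {
                $mask = [Convert]::ToUInt64($m, 8)                 # octal, prefix 0
            } elseif ($m -match '^\d+$') {
                $mask = [Convert]::ToUInt64($m, 10)                # decimal, no prefix
            } else {
                throw "Bad keyword-mask '$m' in entry '$Entry'"
            }
        }

        $levelText = '(default)'
        if ($null -ne $level) { $levelText = "$level" }
        $maskText = '(default)'
        if ($null -ne $mask) { $maskText = '0x{0:X}' -f $mask }

        [pscustomobject]@{
            Channel     = $parts[0].Trim()
            LogLevel    = $levelText
            KeywordMask = $maskText
        }
    }
}

# Entries taken from the examples on this page
$entries = @(
    'Microsoft-Windows-Hyper-V-VmSwitch-Diagnostic,4,0xFFFFFFFD'
    'Microsoft-Windows-SMBDirect/Debug,4'
    'Microsoft-Windows-SMBServer/Analytic'
    'Microsoft-Windows-WinINet/Analytic,2,321'
    'Microsoft-Windows-WinINet/Analytic,,0xf1'
    'Microsoft-Windows-WinINet/Analytic,,'
)

$entries | ConvertFrom-EnabledEventLogEntry | Format-Table -AutoSize

# On a cluster node the same function accepts the live property:
# (Get-Cluster).EnabledEventLogs | ConvertFrom-EnabledEventLogEntry
```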

Gathering Logs

After you have enabled event channels, you can use the DumpLogQuery property to gather logs. The public resource type property DumpLogQuery is a multistring value. Each string is an XPATH query as described here.

When troubleshooting, if you need to collect additional event channels, you can modify the DumpLogQuery property by adding additional queries or modifying the list.

To do this, first test your XPATH query using the get-WinEvent PowerShell cmdlet:

get-WinEvent -FilterXML "<QueryList><Query><Select Path='Microsoft-Windows-GroupPolicy/Operational'>*[System[TimeCreated[timediff(@SystemTime) &gt;= 600000]]]</Select></Query></QueryList>"

Next, append your query to the DumpLogQuery property of the resource:

(Get-ClusterResourceType -Name "Physical Disk").DumpLogQuery += "<QueryList><Query><Select Path='Microsoft-Windows-GroupPolicy/Operational'>*[System[TimeCreated[timediff(@SystemTime) &gt;= 600000]]]</Select></Query></QueryList>"

And if you want to get a list of queries to use, run:

(Get-ClusterResourceType -Name "Physical Disk").DumpLogQuery

Gathering Windows Error Reporting reports

Windows Error Reporting reports are stored in %ProgramData%\Microsoft\Windows\WER.

Inside the WER folder, the ReportQueue folder contains reports that are waiting to be uploaded to Watson.

PS C:\Windows\system32> dir c:\ProgramData\Microsoft\Windows\WER\ReportQueue

Here’s an example of the output:

Volume in drive C is INSTALLTO
Volume Serial Number is 4031-E397

Directory of C:\ProgramData\Microsoft\Windows\WER\ReportQueue

<date>  <time>    <DIR>          .
<date>  <time>    <DIR>          ..
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_02d10a3f
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_0588dd06
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_10d55ef5
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_13258c8c
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_13a8c4ac
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_13dcf4d3
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_1721a0b0
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_1839758a
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_1d4131cb
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_23551d79
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_2468ad4c
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_255d4d61
<date>  <time>    <DIR>          Critical_Physical Disk_1cbd8ffecbc8a1a0e7819e4262e3ece2909a157a_00000000_cab_08289734
<date>  <time>    <DIR>          Critical_Physical Disk_64acaf7e4590828ae8a3ac3c8b31da9a789586d4_00000000_cab_1d94712e
<date>  <time>    <DIR>          Critical_Physical Disk_ae39f5243a104f21ac5b04a39efeac4c126754_00000000_003359cb
<date>  <time>    <DIR>          Critical_Physical Disk_ae39f5243a104f21ac5b04a39efeac4c126754_00000000_cab_1b293b17
<date>  <time>    <DIR>          Critical_Physical Disk_b46b8883d892cfa8a26263afca228b17df8133d_00000000_cab_08abc39c
<date>  <time>    <DIR>          Kernel_166_1234dacd2d1a219a3696b6e64a736408fc785cc_00000000_cab_19c8a127
               0 File(s)              0 bytes
              20 Dir(s)  23,291,658,240 bytes free

Inside the WER folder, the ReportArchive folder contains reports that have already been uploaded to Watson. Data in these reports is deleted, but the Report.wer file persists.

PS C:\Windows\system32> dir C:\ProgramData\Microsoft\Windows\WER\ReportArchive

Here’s an example of the output:

Volume in drive C is INSTALLTO
Volume Serial Number is 4031-E397

Directory of c:\ProgramData\Microsoft\Windows\WER\ReportArchive

<date>  <time>    <DIR>          .
<date>  <time>    <DIR>          ..
<date>  <time>    <DIR>          Critical_powershell.exe_7dd54f49935ce48b2dd99d1c64df29a5cfb73db_00000000_cab_096cc802
               0 File(s)              0 bytes
               3 Dir(s)  23,291,658,240 bytes free

Windows Error Reporting provides many settings to customize the problem reporting experience. For further information, please refer to the Windows Error Reporting documentation.

Troubleshooting using Windows Error Reporting reports

Physical disk failed to come online

To diagnose this issue, navigate to the WER report folder:

PS C:\Windows\system32> dir C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_PhysicalDisk_b46b8883d892cfa8a26263afca228b17df8133d_00000000_cab_08abc39c

Here’s an example of the output:

Volume in drive C is INSTALLTO
Volume Serial Number is 4031-E397

<date>  <time>    <DIR>          .
<date>  <time>    <DIR>          ..
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_1.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_10.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_11.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_12.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_13.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_14.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_15.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_16.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_17.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_18.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_19.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_2.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_20.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_21.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_22.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_23.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_24.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_25.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_26.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_27.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_28.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_29.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_3.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_30.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_31.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_32.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_33.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_34.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_35.evtx
<date>  <time>         2,166,784 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_36.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_37.evtx
<date>  <time>            33,194 Report.wer
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_38.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_39.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_4.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_40.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_41.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_5.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_6.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_7.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_8.evtx
<date>  <time>            69,632 CLUSWER_RHS_ERROR_8d06c544-47a4-4396-96ec-af644f45c70a_9.evtx
<date>  <time>             7,382 WERC263.tmp.WERInternalMetadata.xml
<date>  <time>            59,202 WERC36D.tmp.csv
<date>  <time>            13,340 WERC38D.tmp.txt

Next, start triaging from the Report.wer file — this will tell you what failed.

EventType=Failover_clustering_resource_error
<skip>
Sig[0].Name=ResourceType
Sig[0].Value=Physical Disk
Sig[1].Name=CallType
Sig[1].Value=ONLINERESOURCE
Sig[2].Name=RHSCallResult
Sig[2].Value=5018
Sig[3].Name=ApplicationCallResult
Sig[3].Value=999
Sig[4].Name=DumpPolicy
Sig[4].Value=5225058577
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.17051.2.0.0.400.8
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[27].Name=ResourceName
DynamicSig[27].Value=Cluster Disk 10
DynamicSig[28].Name=ReportId
DynamicSig[28].Value=8d06c544-47a4-4396-96ec-af644f45c70a
DynamicSig[29].Name=FailureTime
DynamicSig[29].Value=2017//12//12-22:38:05.485
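
The Sig[n] and DynamicSig[n] lines come in Name/Value pairs, so triage is quicker once they are folded into a single lookup. The parser below is an added example, not code from the original documentation; the function name is hypothetical, and the sample text is the excerpt shown above.

```powershell
function ConvertFrom-WerReport {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    $header = [ordered]@{}   # plain key=value lines such as EventType
    $slots  = [ordered]@{}   # "Sig[0]" -> @{ Name = ...; Value = ... }

    foreach ($l in $Line) {
        if ($l -match '^(?<grp>Sig|DynamicSig)\[(?<idx>\d+)\]\.(?<kind>Name|Value)=(?<val>.*)$') {
            $slot = '{0}[{1}]' -f $Matches['grp'], $Matches['idx']
            if (-not $slots.Contains($slot)) { $slots[$slot] = @{} }
            $slots[$slot][$Matches['kind']] = $Matches['val']
        } elseif ($l -match '^(?<key>[^=\[\]]+)=(?<val>.*)$') {
            $header[$Matches['key']] = $Matches['val']
        }
        # Anything else (blank lines, "<skip>") is ignored
    }

    # Pair each slot's Name with its Value; a slot without a Name is dropped
    $fields = [ordered]@{}
    foreach ($s in $slots.Values) {
        if ($s.ContainsKey('Name')) { $fields[$s['Name']] = $s['Value'] }
    }

    [pscustomobject]@{
        EventType = $header['EventType']
        Header    = $header
        Fields    = $fields
    }
}

# Excerpt of the Report.wer shown above
$sample = @'
EventType=Failover_clustering_resource_error
<skip>
Sig[0].Name=ResourceType
Sig[0].Value=Physical Disk
Sig[1].Name=CallType
Sig[1].Value=ONLINERESOURCE
Sig[2].Name=RHSCallResult
Sig[2].Value=5018
Sig[3].Name=ApplicationCallResult
Sig[3].Value=999
DynamicSig[27].Name=ResourceName
DynamicSig[27].Value=Cluster Disk 10
DynamicSig[28].Name=ReportId
DynamicSig[28].Value=8d06c544-47a4-4396-96ec-af644f45c70a
DynamicSig[29].Name=FailureTime
DynamicSig[29].Value=2017//12//12-22:38:05.485
'@

$report = ConvertFrom-WerReport -Line ($sample -split '\r?\n')

$report.EventType
$report.Fields.GetEnumerator() | Format-Table Key, Value -AutoSize

# In the listing above, the .evtx files in the report folder carry the ReportId
# in their names, so the id gives a wildcard for the logs that belong to this report.
$evtxPattern = 'CLUSWER_RHS_ERROR_{0}_*.evtx' -f $report.Fields['ReportId']
$evtxPattern

# For a report on disk, pass the file's lines instead of the sample:
# ConvertFrom-WerReport -Line (Get-Content -LiteralPath '<report folder>\Report.wer')
```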

Since the resource failed to come online, no dumps were collected, but the Windows Error Reporting report did collect logs. If you open all .evtx files using Microsoft Message Analyzer, you will see all of the information that was collected using the following queries through the system channel, application channel, failover cluster diagnostic channels, and a few other generic channels.

PS C:\Windows\system32> (Get-ClusterResourceType -Name "Physical Disk").DumpLogQuery

Here’s an example of the output:

<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Kernel-PnP/Configuration">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-ReFS/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Ntfs/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Ntfs/WHC">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-Storport/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-Storport/Health">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-Storport/Admin">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-ClassPnP/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-ClassPnP/Admin">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PersistentMemory-ScmBus/Certification">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PersistentMemory-ScmBus/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PersistentMemory-PmemDisk/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PersistentMemory-NvdimmN/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PersistentMemory-INvdimm/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PersistentMemory-VirtualNvdimm/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-Disk/Admin">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-Disk/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-ScmDisk0101/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Partition/Diagnostic">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Volume/Diagnostic">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-VolumeSnapshot-Driver/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-FailoverClustering-Clusport/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-FailoverClustering-ClusBflt/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-StorageSpaces-Driver/Diagnostic">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-StorageManagement/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-StorageSpaces-Driver/Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Storage-Tiering/Admin">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Hyper-V-VmSwitch-Operational">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-Hyper-V-VmSwitch-Diagnostic">*[System[TimeCreated[timediff(@SystemTime) &lt;= 600000]]]</Select></Query></QueryList>

Message Analyzer enables you to capture, display, and analyze protocol messaging traffic. It also lets you trace and assess system events and other messages from Windows components. You can download Microsoft Message Analyzer from here. When you load the logs into Message Analyzer, you will see the following providers and messages from the log channels.

Loading logs into Message Analyzer

You can also group by providers to get the following view:

Logs grouped by providers

To identify why the disk failed, navigate to the events under FailoverClustering/Diagnostic and FailoverClustering/DiagnosticVerbose. Then run the following query: EventLog.EventData["LogString"] contains "Cluster Disk 10". This will give you the following output:

Output of running log query

Physical disk timed out

To diagnose this issue, navigate to the WER report folder. The folder contains log files and dump files for RHS, clussvc.exe, and the process that hosts the "smphost" service, as shown below:

PS C:\Windows\system32> dir C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Critical_PhysicalDisk_64acaf7e4590828ae8a3ac3c8b31da9a789586d4_00000000_cab_1d94712e

Here’s an example of the output:

Volume in drive C is INSTALLTO
Volume Serial Number is 4031-E397

<date>  <time>    <DIR>          .
<date>  <time>    <DIR>          ..
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_1.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_10.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_11.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_12.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_13.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_14.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_15.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_16.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_17.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_18.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_19.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_2.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_20.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_21.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_22.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_23.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_24.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_25.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_26.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_27.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_28.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_29.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_3.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_30.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_31.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_32.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_33.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_34.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_35.evtx
<date>  <time>         2,166,784 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_36.evtx
<date>  <time>         1,118,208 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_37.evtx
<date>  <time>        28,340,500 memory.hdmp
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_38.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_39.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_4.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_40.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_41.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_5.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_6.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_7.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_8.evtx
<date>  <time>            69,632 CLUSWER_RHS_HANG_75e60318-50c9-41e4-94d9-fb0f589cd224_9.evtx
<date>  <time>         4,466,943 minidump.0f14.mdmp
<date>  <time>         1,735,776 minidump.2200.mdmp
<date>  <time>            33,890 Report.wer
<date>  <time>            49,267 WER69FA.tmp.mdmp
<date>  <time>             5,706 WER70A2.tmp.WERInternalMetadata.xml
<date>  <time>            63,206 WER70E0.tmp.csv
<date>  <time>            13,340 WER7100.tmp.txt

Next, start triaging from the Report.wer file — this will tell you what call or resource is hanging.

EventType=Failover_clustering_resource_timeout_2
<skip>
Sig[0].Name=ResourceType
Sig[0].Value=Physical Disk
Sig[1].Name=CallType
Sig[1].Value=ONLINERESOURCE
Sig[2].Name=DumpPolicy
Sig[2].Value=5225058577
Sig[3].Name=ControlCode
Sig[3].Value=18
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.17051.2.0.0.400.8
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[26].Name=ResourceName
DynamicSig[26].Value=Cluster Disk 10
DynamicSig[27].Name=ReportId
DynamicSig[27].Value=75e60318-50c9-41e4-94d9-fb0f589cd224
DynamicSig[29].Name=HangThreadId
DynamicSig[29].Value=10008

The list of services and processes that we collect in a dump is controlled by the following property:

PS C:\Windows\system32> (Get-ClusterResourceType -Name "Physical Disk").DumpServices
Smphost

To identify why the hang happened, open the dump files. Then run the following query: EventLog.EventData["LogString"] contains "Cluster Disk 10". This will give you the following output:

Output of running log query 2

We can cross-examine this with the thread from the memory.hdmp file:

# 21  Id: 1d98.2718 Suspend: 0 Teb: 0000000b`f1f7b000 Unfrozen
# Child-SP          RetAddr           Call Site
00 0000000b`f3c7ec38 00007ff8`455d25ca ntdll!ZwDelayExecution+0x14
01 0000000b`f3c7ec40 00007ff8`2ef19710 KERNELBASE!SleepEx+0x9a
02 0000000b`f3c7ece0 00007ff8`3bdf7fbf clusres!ResHardDiskOnlineOrTurnOffMMThread+0x2b0
03 0000000b`f3c7f960 00007ff8`391eed34 resutils!ClusWorkerStart+0x5f
04 0000000b`f3c7f9d0 00000000`00000000 vfbasics+0xed34
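
The Report.wer triage step above, as an added example that is not part of the original article: a PowerShell parser for the key=value format that pairs each Sig[n]/DynamicSig[n] name with its value and converts HangThreadId to hex, so that 10008 can be matched to thread 1d98.2718 in the listing above. The function names are hypothetical, and the sample lines are copied from the Report.wer excerpt.

```powershell
# Added example: parse Report.wer "key=value" lines and pair Sig[n]/DynamicSig[n]
# Name and Value entries. ConvertFrom-WerReport and Get-WerHangSummary are
# hypothetical helper names, not built-in cmdlets.
function ConvertFrom-WerReport {
    param([string[]]$Line)

    $fields = [ordered]@{}   # plain keys such as EventType
    $pairs  = [ordered]@{}   # 'Sig[0]' -> @{ Name = ...; Value = ... }

    foreach ($text in $Line) {
        $eq = $text.IndexOf('=')
        if ($eq -lt 1) { continue }   # blank lines, "<skip>", lines without a key
        $key   = $text.Substring(0, $eq).Trim()
        $value = $text.Substring($eq + 1).Trim()

        if ($key -match '^(?<slot>(Dynamic)?Sig\[\d+\])\.(?<part>Name|Value)$') {
            $slot = $Matches['slot']
            if (-not $pairs.Contains($slot)) { $pairs[$slot] = @{} }
            $pairs[$slot][$Matches['part']] = $value
        } else {
            $fields[$key] = $value
        }
    }

    # Flatten the pairs into Name -> Value; a slot with no Name keeps its slot id
    $signature = [ordered]@{}
    foreach ($slot in $pairs.Keys) {
        $name = $pairs[$slot]['Name']
        if (-not $name) { $name = $slot }
        $signature[$name] = $pairs[$slot]['Value']
    }

    [pscustomobject]@{
        EventType = $fields['EventType']
        Fields    = $fields
        Signature = $signature
    }
}

# Pull out the fields needed to triage a cluster resource timeout report
function Get-WerHangSummary {
    param($Report)
    $sig = $Report.Signature
    $tid = $sig['HangThreadId']
    [pscustomobject]@{
        EventType       = $Report.EventType
        ResourceType    = $sig['ResourceType']
        ResourceName    = $sig['ResourceName']
        CallType        = $sig['CallType']
        ReportId        = $sig['ReportId']
        HangThreadId    = $tid
        # Debugger thread lists print IDs in hex, so convert the decimal value
        HangThreadIdHex = if ($tid -match '^\d+$') { '{0:x}' -f [int64]$tid } else { $null }
    }
}

# Lines copied from the Report.wer excerpt above
$sample = @'
EventType=Failover_clustering_resource_timeout_2
<skip>
Sig[0].Name=ResourceType
Sig[0].Value=Physical Disk
Sig[1].Name=CallType
Sig[1].Value=ONLINERESOURCE
DynamicSig[26].Name=ResourceName
DynamicSig[26].Value=Cluster Disk 10
DynamicSig[27].Name=ReportId
DynamicSig[27].Value=75e60318-50c9-41e4-94d9-fb0f589cd224
DynamicSig[29].Name=HangThreadId
DynamicSig[29].Value=10008
'@ -split '\r?\n'

Get-WerHangSummary -Report (ConvertFrom-WerReport -Line $sample) | Format-List

# Against a real report (the path is a placeholder):
# Get-WerHangSummary -Report (ConvertFrom-WerReport -Line (Get-Content -LiteralPath '<report folder>\Report.wer'))
```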

The Windows Error Reporting service (WER) is used to collect the debug information about system and third-party app failures and send error reports to Microsoft servers. This information should be analyzed by MSFT and if there is a solution, it will be sent to a user through Windows Error Reporting Response. Actually, few people use this feature, although Microsoft always leaves WER service enabled by default in the latest Windows versions. In most cases, people remember about WER when they see that C:\ProgramData\Microsoft\Windows\WER\ReportQueue occupies much space on the system drive (up to several dozens of GB) even though NTFS compression is enabled for this directory by default.

Contents:

  • Windows Error Reporting Service
  • How to Clear the WER\ReportQueue Folder on Windows?
  • Disable Windows Error Reporting on Windows Server
  • How to Disable or Enable Error Reporting on Windows 10?
  • How to Disable Automatic Windows Error Reporting via GPO?


Windows Error Reporting Service

Windows Error Reporting displays a dialog box when an application error occurs, prompting you to submit an error report to Microsoft. When you see the “YourAppName.exe has stopped working, Windows is collecting more information about the problem” error message in Windows, the Windows Error Reporting service runs the WerFault.exe tool to collect debug data (may include a memory dump).

application has stopped working, Windows is collecting more information about the problem

User data is saved to the user profile:

%USERPROFILE%\AppData\Local\Microsoft\Windows\WER

And the system data goes to the ProgramData directory:

%ALLUSERSPROFILE%\Microsoft\Windows\WER

The Windows Error Reporting service is a separate Windows service. You can check the status of the service using the PowerShell command:

Get-Service WerSvc

In the WER\ReportQueue directory there are a lot of folders with names in the following format:

  • Critical_6.3.9600.11285_{ID}_00000000_cab_3212dd23
  • Critical_powershell.exe_{ID}_cab_332a45c5
  • Critical_sqlservr.exe__{ID}_cab_b3a200181
  • NonCritical_7.9.9600.11285__{ID}_0bfab19a
  • AppCrash_cmd.exe_{ID}_dba332ad_12eb5425

As you can see, the directory name contains the severity level of an event and the name of the specific EXE file that has crashed. In all folders, there is a file called Report.wer, which contains the description of the errors and some files with the additional information.

How to Clear the WER\ReportQueue Folder on Windows?

Typically, the size of each folder is small, but in some cases a memory dump is generated for a problem process that occupies much space. The screenshot below shows that the size of memory.hdmp is about 610 MB. A couple of such dumps can occupy several gigabytes on the system drive.

WER ReportQueue memory.hdmp

To clear all these errors and logs using the built-in tools, open the Control Panel and go to System and Security -> Security and Maintenance -> Maintenance -> View reliability history -> View all problem reports, then click Clear all problem reports.

clear wer reports

To free up some disk space quickly, you can manually delete debug and log files generated by the WER service in the following folders:

  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue

The following PowerShell commands will remove all files older than 30 days from the WER directories:

Get-ChildItem -Path 'C:\ProgramData\Microsoft\Windows\WER\ReportArchive' -Recurse | Where-Object CreationTime -lt (Get-Date).AddDays(-30) | Remove-Item -Force -Recurse
Get-ChildItem -Path 'C:\ProgramData\Microsoft\Windows\WER\ReportQueue' -Recurse | Where-Object CreationTime -lt (Get-Date).AddDays(-30) | Remove-Item -Force -Recurse

To clean up the WER directories in all user profiles, use the following PowerShell script:

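$users = Get-ChildItem 'C:\Users' -Directory | Where-Object { $_.Name -notmatch 'Public|default' }
foreach ($user in $users) {
    # Build the WER path from the profile directory's full path
    $werPath = Join-Path $user.FullName 'AppData\Local\Microsoft\Windows\WER'
    Get-ChildItem -Path $werPath -Recurse -ErrorAction SilentlyContinue | Remove-Item -Force -Recurse
}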

Disable Windows Error Reporting on Windows Server

On Windows Server 2019/2016/2012R2, you can manage WER service state using PowerShell. You can disable Windows Error Reporting service:

Get-Service WerSvc | Stop-Service -PassThru -Force
Set-Service WerSvc -StartupType Manual -PassThru

But there are better ways to disable WER on Windows. PowerShell 4.0 adds a separate WindowsErrorReporting module:

Get-Command -Module WindowsErrorReporting

WindowsErrorReporting powershell module

You can check the status of the Windows Error Reporting service with the command:

Get-WindowsErrorReporting

To disable WER, run:

Disable-WindowsErrorReporting

Disable-WindowsErrorReporting powershell cmdlet

On Windows Server 2012 R2 you can disable Windows Error Reporting via the Control Panel (Control Panel -> System and Security -> Action Center -> Maintenance -> Settings -> select I don’t want to participate, and don’t ask me again).

disable windows error reporting - windows server 2012r2

How to Disable or Enable Error Reporting on Windows 10?

In Windows 10 you cannot disable the Error Reporting through the Control Panel. You can check the component status in the Control Panel -> System & Security -> Security and Maintenance -> Maintenance. As you can see, the Report problems parameter is enabled.

report-problems-enabled-windows10

You can disable Windows Error Reporting on Windows 10 via the registry. To do it, create a new DWORD (32-bit) parameter with the name Disabled and the value 1 under the registry key HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting.

You can disable Windows error collection for specific users with the command:

reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f

Or disable WER for everyone:

reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f

disable Windows Error Reporting in windows 10 via registry

Now let’s check the status of the Report problems parameter in the Control Panel again. It should be Off.

disabled report problems

How to Disable Automatic Windows Error Reporting via GPO?

You can disable logging by the Windows Error Reporting service through Group Policy. Open the local (gpedit.msc) or domain GPO (gpmc.msc) editor and go to the following GPO section: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Error Reporting. Find the policy named Disable Windows Error Reporting and set it to Enabled. This will disable Windows data collection and error reporting.

There is a similar policy in the User Configuration section.

Disable Windows Error Reporting - GPO

Update the GPO settings (no reboot required).

As a result, Windows will no longer generate application and system error messages, and they will no longer be sent to Microsoft.

The WER (Windows Error Reporting) service is used to collect debug information about crashes of system and third-party applications in Windows and send it to Microsoft servers. As Microsoft intended, this information should be analyzed and, if a solution exists, a fix should be sent to the user through Windows Error Reporting Response. In practice, few people use this feature, although Microsoft persistently leaves the WER error collection service enabled by default in all recent Windows versions. In most cases, people remember the WER service when the C:\ProgramData\Microsoft\Windows\WER\ReportQueue directory starts taking up quite a lot of space on the system drive (up to several tens of GB).

Windows Error Reporting Service

Windows Error Reporting is a separate Windows service that can easily be turned off with the command:

net stop WerSvc

The WER\ReportQueue directory contains many folders with names in the following format:

  • Critical_6.3.9600.18384_{ID}_00000000_cab_3222bf78
  • Critical_powershell.exe_{ID}_cab_271e13c0
  • Critical_sqlservr.exe__{ID}_cab_b3a19651
  • NonCritical_7.9.9600.18235__{ID}_0bfcb07a
  • AppCrash_cmd.exe_{ID}_bda769bf_37d3b403

As you can see, the directory name contains the severity level of the event and the name of the specific exe file that crashed. Every directory contains a Report.wer file with a description of the errors, plus several files with additional information.

Clearing the WER\ReportQueue Folder in Windows

Typically, each folder is small, but in some cases a memory dump is generated for the problem process, and it takes up quite a lot of space. The screenshot below shows that the memory.hdmp dump file is about 610 MB. A couple of such dumps, and several gigabytes of free disk space are gone.

To clear all these errors and logs with the built-in tools, open the Control Panel, go to Control Panel -> System and Security -> Action Center -> Maintenance -> View reliability history -> View all problem reports, and click Clear all problem reports.

To quickly free the disk space taken by debug files generated by the WER service, the contents of the following directories can also be safely deleted by hand:

  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Disabling Windows Error Reporting in Windows Server 2012 R2 / 2008 R2

In Windows Server editions, you can turn off Windows Error Reporting logging as follows:

Disabling Report Collection and Sending in Windows 10

In Windows 10 there is no way to disable Error Reporting through the GUI. You can check the component status in the Control Panel under System and Security -> Security and Maintenance -> Maintenance. As you can see, the Check for solutions to problem reports parameter is enabled by default.

Check for solutions to problem reports - windows 10

You can disable Windows Error Reporting in Windows 10 through the registry. To do so, create a new DWORD (32-bit) parameter named Disabled with the value 1 under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting.

HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Now check the status of the Check for solutions to problem reports parameter in the Control Panel again. Its status should change to Off.

Disabling Check for solutions to problem reports in Windows 10

Disabling Windows Error Reporting via Group Policy

Logging by the Windows Error Reporting service can also be disabled through Group Policy. The policy is located in the section Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting. To disable data collection and sending, enable the Disable Windows Error Reporting policy.

Group Policy - Disable Windows Error Reporting

As a result, Windows will stop generating application error reports and sending them to Microsoft automatically.

Contents

  1. WER Settings
  2. Windows Error Reporting subkey
  3. WER Live Kernel Reports Settings
  4. FullLiveKernelReports subkey
  5. LiveKernelReports subkey
  6. What the Windows Error Reporting service is for and how to disable it in Windows 7, 8.1 and 10
  7. Disabling Error Reporting in Windows 7 and 8.1
  8. Disabling Error Reporting in Windows 10
  9. A universal way to disable Error Reporting

WER Settings

Windows Error Reporting (WER) provides many settings to customize the problem reporting experience. All of these settings can be set using Group Policy. Some can also be changed in Action Center for Windows 7 and Windows 8. For Windows 10, use the search function in Settings to locate View advanced system settings. WER settings are located in one of the following registry subkeys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting

Windows Error Reporting subkey

BypassDataThrottling

REG_DWORD

0 — Disable data bypass throttling. If the bypass is disabled or not configured as a policy setting, WER throttles data by default. WER does not upload more than one CAB file for a report that contains data about the same event types.

1 — Enable data bypass throttling. WER does not throttle data. WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.

Whether to enable the bypass of WER client data throttling

ConfigureArchive

REG_DWORD

Possible values: 1 — Parameters only (default on Windows 7) 2 — All data (default on Windows Vista)

Whether to archive parameters only or all data

Consent\DefaultConsent

REG_DWORD

Possible values: 1 — Always ask (default) 2 — Parameters only 3 — Parameters and safe data 4 — All data

Default consent choice

Consent\DefaultOverrideBehavior

REG_DWORD

Possible values: 0 — Vertical consent will override the default consent (default) 1 — Default consent will override the application-specific consent

Whether default consent overrides vertical consent

Consent\[VerticalName]

REG_DWORD

Possible values: 1 — Always ask (default) 2 — Parameters only 3 — Parameters and safe data 4 — All data

Consent choice for the WER plug-in

CorporateWERDirectory

REG_SZ

The directory path

Target directory on the server

CorporateWERPortNumber

REG_DWORD

The port number

Port number to be used with the corporate server

CorporateWERServer

REG_SZ

The name of the server

Corporate server name

CorporateWERUseAuthentication

REG_DWORD

Possible values: 0 — No (default) 1 — Yes

Whether to use Windows Integrated Authentication

CorporateWERUseSSL

REG_DWORD

Possible values: 0 — No (default) 1 — Yes

Whether to use SSL

DebugApplications\[ExeName] (replace "[ExeName]" with an actual name of an .exe file, for example, "notepad.exe")

REG_DWORD

0 — Processes with an executable image name of [ExeName] do not require the user to choose Debug or Continue (default) 1 — Processes with an executable image name of [ExeName] require the user to choose Debug or Continue

DebugApplications\* ("*" is the literal value name)

REG_DWORD

0 — All processes except ones specified explicitly in the setting DebugApplications\[ExeName] do not require the user to choose Debug or Continue (default) 1 — All processes except ones specified explicitly in the setting DebugApplications\[ExeName] require the user to choose Debug or Continue

DisableArchive

REG_DWORD

Possible values: 0 — Enabled 1 — Disabled

Enable or disable the archive

Disabled

REG_DWORD

Possible values: 0 — Enabled (default) 1 — Disabled

Enable or disable WER

DisableQueue

REG_DWORD

Possible values: 0 — Enabled 1 — Disabled

Enable or disable report queuing

DontShowUI

REG_DWORD

Possible values: 0 — UI (default) 1 — No UI

Enable or disable the WER UI

DontSendAdditionalData

REG_DWORD

Possible values: 0 — Send (default) 1 — Do not send

Whether to prevent sending second-level data

ExcludedApplications\[Application Name]

REG_SZ

List of excluded applications

ForceQueue

REG_DWORD

Possible values: 0 — No (default) 1 — Yes

Whether to send all reports to the user’s queue

LocalDumps\DumpFolder or LocalDumps\[Application Name]\DumpFolder

REG_EXPAND_SZ

The directory path. The default value is %LOCALAPPDATA%\CrashDumps. If the default is not used, the application must ensure that the folder has a sufficient ACL.

Windows Vista: The registry values under the LocalDumps key are not supported. Note that this behavior changed with Windows Server 2008 and Windows Vista with Service Pack 1 (SP1).

The path where the dump files are to be stored.

Note that per-process settings will override any global settings that exist. For more information, see Collecting User-Mode Dumps.

This setting is not supported in the HKEY_CURRENT_USER registry hive.

LocalDumps\DumpCount or LocalDumps\[Application Name]\DumpCount

REG_DWORD

The maximum number. The default is 10. When the maximum value is exceeded, the oldest dump file in the folder will be replaced with the new dump file.

Windows Vista: The registry values under the LocalDumps key are not supported. Note that this behavior changed with Windows Server 2008 and Windows Vista with SP1.

The maximum number of dump files in the folder.

This setting is not supported in the HKEY_CURRENT_USER registry hive.

LocalDumps\DumpType or LocalDumps\[Application Name]\DumpType

REG_DWORD

Possible values: 0 — Custom dump 1 — Minidump (default) 2 — Full dump

Windows Vista: The registry values under the LocalDumps key are not supported. Note that this behavior changed with Windows Server 2008 and Windows Vista with SP1.

This setting is not supported in the HKEY_CURRENT_USER registry hive.

LocalDumps\CustomDumpFlags or LocalDumps\[Application Name]\CustomDumpFlags

REG_DWORD

Windows Vista: The registry values under the LocalDumps key are not supported. Note that this behavior changed with Windows Server 2008 and Windows Vista with SP1.

The custom dump options to be used. This value is used only when DumpType is set to 0.

This setting is not supported in the HKEY_CURRENT_USER registry hive.

LoggingDisabled

REG_DWORD

Possible values: 0–Enabled (default) 1–Disabled

Enable or disable logging

MaxArchiveCount

REG_DWORD

Range of possible values: 1–5000. The default is 1000.

Maximum size of the archive, in files

MaxQueueCount

REG_DWORD

Range of possible values: 1–500. The default is 50.

Maximum size of the queue

QueuePesterInterval

REG_DWORD

Interval between reminders to the user to check for solutions, in days

RuntimeExceptionHelperModules![ pwszOutOfProcessCallbackDll name including path]

REG_DWORD

The contents of the value are ignored.

The name of the value is used to fetch the pwszOutOfProcessCallbackDll value.

Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This registry value is not supported.
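
An added example, not taken from the Microsoft documentation: a PowerShell check that compares WER registry values with the settings and defaults listed above and reports the ones that affect where crash data goes. Read-WerSetting and Get-WerFinding are hypothetical helper names, and the sample values are constructed.

```powershell
# Added example: review WER registry values against the settings listed above.
# Read-WerSetting and Get-WerFinding are hypothetical helper names.

# Collect values from the WER key and its Consent and LocalDumps subkeys,
# keyed as "Subkey\Value" like the names in the settings list.
function Read-WerSetting {
    param([string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting')
    $result = @{}
    foreach ($sub in '', 'Consent', 'LocalDumps') {
        $path = if ($sub) { Join-Path $Root $sub } else { $Root }
        $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $id = if ($sub) { "$sub\$name" } else { $name }
            $result[$id] = $key.GetValue($name)
        }
    }
    $result
}

function Get-WerFinding {
    param([hashtable]$Setting)

    # Configured value, or the documented default when the value is absent
    function Get-Value($Name, $Default) {
        if ($Setting.ContainsKey($Name)) { $Setting[$Name] } else { $Default }
    }
    function New-Note($Name, $Text) {
        [pscustomobject]@{
            Setting = $Name
            Value   = if ($Setting.ContainsKey($Name)) { $Setting[$Name] } else { '(default)' }
            Finding = $Text
        }
    }

    if ((Get-Value 'Disabled' 0) -eq 1) {
        New-Note 'Disabled' 'WER is disabled.'
    }

    # Corporate server upload: SSL and authentication both default to 0 (No)
    $server = Get-Value 'CorporateWERServer' ''
    if ($server) {
        if ((Get-Value 'CorporateWERUseSSL' 0) -ne 1) {
            New-Note 'CorporateWERUseSSL' "Reports are sent to $server without SSL."
        }
        if ((Get-Value 'CorporateWERUseAuthentication' 0) -ne 1) {
            New-Note 'CorporateWERUseAuthentication' "Uploads to $server do not use Windows Integrated Authentication."
        }
    }

    if ((Get-Value 'Consent\DefaultConsent' 1) -eq 4) {
        New-Note 'Consent\DefaultConsent' 'Default consent choice is "All data".'
    }
    if ((Get-Value 'BypassDataThrottling' 0) -eq 1) {
        New-Note 'BypassDataThrottling' 'Throttling is bypassed: additional CAB files for the same event types are uploaded.'
    }

    # Local dumps: type 2 is a full dump; a non-default folder needs a sufficient ACL
    $default = '%LOCALAPPDATA%\CrashDumps'
    $folder  = Get-Value 'LocalDumps\DumpFolder' $default
    if ((Get-Value 'LocalDumps\DumpType' 1) -eq 2) {
        $count = Get-Value 'LocalDumps\DumpCount' 10
        New-Note 'LocalDumps\DumpType' ("Full dumps are written to $folder (up to {0} files)." -f $count)
    }
    if ($folder -ne $default) {
        New-Note 'LocalDumps\DumpFolder' 'Non-default dump folder: verify that it has a sufficient ACL.'
    }
}

# Constructed sample values (not taken from a real host)
$sample = @{
    'CorporateWERServer'     = 'wer.corp.example'
    'CorporateWERUseSSL'     = 0
    'Consent\DefaultConsent' = 4
    'LocalDumps\DumpType'    = 2
    'LocalDumps\DumpFolder'  = 'D:\Dumps'
}
Get-WerFinding -Setting $sample | Format-Table -AutoSize -Wrap

# On a Windows host: Get-WerFinding -Setting (Read-WerSetting)
```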

WER Live Kernel Reports Settings

WER’s Live Kernel Reports settings, which are described next, are both located under the following registry subkey:

For Windows 10 1703, Windows Server 2019, and later:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

For Windows 10 builds 1607 and older, Windows 8.1, Windows Server 2016, and Windows Server 2012 R2:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

FullLiveKernelReports subkey

ComponentThrottleThreshold

REG_DWORD

The threshold (in hours) of how often any single component can create a full live dump. This value must be greater than or equal to SystemThrottleThreshold. Setting both to zero (0) will disable all time-based throttling. The default is 168 (7 days).

FullLiveReportsMax

REG_DWORD

The maximum number of full live dumps that may be on disk at any given time. The default is 1. On Windows 10 1803, Windows Server 2019, and later, setting this value to zero (0) will disable the live dump feature.

LastFullLiveReport

REG_QWORD

A SystemTime indicating the last full live report time, for the system or a specific ReportType. This is used to calculate whether a policy threshold has been satisfied.

SystemThrottleThreshold

REG_DWORD

The threshold (in hours) of how often any component on the system can create a full live dump. The default is 120 (5 days).

LiveKernelReports subkey

LiveKernelReportsPath

REG_SZ

The redirected storage location of live kernel reports. The default location is %systemroot%\LiveKernelReports. This value must be a valid path. The path must be in NT path format. For example, \??\C:\LiveDumpsFolder. For more information on path formats, see File path formats on Windows systems.


What the Windows Error Reporting Service Is For and How to Disable It in Windows 7, 8.1 and 10

When an error occurs in a program, Windows automatically registers the event and launches the built-in Windows Error Reporting utility, which generates a report and offers to send it to Microsoft servers. The log is not sent automatically; moreover, most users prefer not to share information about software errors and would not mind turning this feature off entirely.

In Windows 7 and 8.1 this can be done through the system's graphical interface; if you want to disable Windows Error Reporting in Windows 10, you need to edit one registry key or change the value of the corresponding policy in the gpedit.msc editor. There is also a universal method that suits all Windows versions equally, but it is described below.

Disabling Error Reporting in Windows 7 and 8.1

Open the Action Center applet from the Run dialog (Win + R) with the wscui.cpl command.

In the menu on the right, click the "Action Center settings" link.

On the next page, click the "Problem reporting settings" link.

Then select the "Never check for solutions" radio button.

Disabling Error Reporting in Windows 10

In Windows 10 the "Problem reporting settings" option was removed from the Action Center settings window, so to turn off report generation for software errors in this version of the system you have to use a workaround.

Open the Registry Editor by running regedit from the Run dialog and expand the key:

HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting

On the right, create a new DWORD parameter.

Name it Disabled and set its value to 1.

Save the settings, close the Registry Editor, and restart the computer.

We omit the example of disabling Error Reporting through the Group Policy Editor, since its result is equivalent to the registry tweak, and the gpedit.msc editor is not available in all Windows editions.

A Universal Way to Disable Error Reporting

The method below is universal and works the same in Windows 7, 8.1 and Windows 10.

Open the Run dialog and run the services.msc command to open the Services management snap-in.

Find the "Windows Error Reporting Service" on the right, open its properties, set the parameters as shown in the screenshot, and save the settings.

Command-line users can disable it from the console.

Start the command prompt or PowerShell as administrator and run the command:

sc.exe config wersvc start= disabled

gpupdate /force

The second command refreshes the policy without restarting the computer.
