A process crashed in windows .. Crash dump location

A windows process got crashed for some reason. I need to analyse the crash dump.

In Windows 2003 PC health helped us to find the crash dump file.

How to get the crash dump file location in Windows 2008?

7 Answers
7

I have observed on Windows 2008 the Windows Error Reporting crash dumps get staged in the folder:

C:UsersAll UsersMicrosoftWindowsWERReportQueue

Which, starting with Windows Vista, is an alias for:

C:ProgramDataMicrosoftWindowsWERReportQueue

Maybe useful (Powershell)

http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/

From Windows Vista and Windows Server 2008 onwards Microsoft
introduced Windows Error Reporting or WER . This allows the server to
be configured to automatically enable the generation and capture of
Application Crash dumps. The configuration of this is discussed here .
The main problem with the default configuration is the dump files are
created and stored in the %APPDATA%crashdumps folder running the
process which can make it awkward to collect dumps as they are spread
all over the server. There are additional problems with this as but
the main problem I always had with it was that its a simple task that
is very repetitive but easy to do incorrectly.

Source code in Powershell (should be useful source code in C# too):

$verifydumpkey = Test-Path "HKLM:SoftwareMicrosoftwindowsWindows Error ReportingLocalDumps"

if ($verifydumpkey -eq $false )
{
New-Item -Path "HKLM:SoftwareMicrosoftwindowsWindows Error Reporting" -Name LocalDumps
}

##### adding the values

$dumpkey = "HKLM:SoftwareMicrosoftWindowsWindows Error ReportingLocalDumps"

New-ItemProperty $dumpkey -Name "DumpFolder" -Value $Folder -PropertyType "ExpandString" -Force
New-ItemProperty $dumpkey -Name "DumpCount" -Value 10 -PropertyType "Dword" -Force
New-ItemProperty $dumpkey -Name "DumpType" -Value 2 -PropertyType "Dword" -Force


WER -Windows Error Reporting- Folders:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumps

%localappdata%MicrosoftWindowsWER

%LOCALAPPDATA%CrashDumps

C:Users[Current User when app> crashed]AppDataLocalMicrosoftWindowsWERReportArchive

C:ProgramDataMicrosoftWindowsWERReportArchive

c:UsersAll UsersMicrosoftWindowsWERReportQueue

BSOD Crash

%WINDIR%Minidump

%WINDIR%MEMORY.DMP

Sources:
http://sbrennan.net/2012/10/21/configuring-application-crash-dumps-with-powershell/
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
http://support.microsoft.com/kb/931673
https://support2.microsoft.com/kb/931673?wa=wsignin1.0

The location is in the following registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumps

Source: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx

http://support.microsoft.com/kb/931673

There are Registry changes you can make to explicitly select where the crash dump file resides, otherwise %localappdata%MicrosoftWindowsWER is the default location. I assume that %localappdata% is defined differently for a user or a service running under System. You will need to enable WER I believe.

On Windows 2008 R2, I have seen application crash dumps under either

C:Users[Some User]MicrosoftWindowsWERReportArchive

or

C:ProgramDataMicrosoftWindowsWERReportArchive

I don't know how Windows decides which directory to use.

a core dump is usually only made when the Windows kernel crashes (aka blue screen). A servicecrash will most of the times only leave some logging behind (in the event viewer probably).

If it is the bluescreen crash dump you are looking for, look in C:WindowsMinidump or C:windowsMEMORY.DMP

Windows 7, 64 bit, no modifications to the Registry key, the location is:

C:Users[Current User when app crashed]AppDataLocalMicrosoftWindowsWERReportArchive

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.