Windows Error Reporting: Difference between revisions

 
(42 intermediate revisions by 35 users not shown)
Line 1:
{{Short description|Crash reporting technology}}
[[File:Windows Error Reporting problem details.png|thumb|right|Windows Error Reporting displaying problem details from an issue with [[Windows Explorer]]]]
 
'''Windows Error Reporting''' ('''WER''') (codenamed Watson) is a [[crash reporter|crash reporting]] technology introduced by [[Microsoft]] with [[Windows&nbsp;XP]]<ref name="whatisit">[http://blogs.msdn.com/b/wer/archive/2008/12/26/what-are-wer-services.aspx What are WER Services?]</ref> and included in later Windows versions and [[Windows Mobile]] 5.0 and 6.0. Not to be confused with the [[Dr. Watson (debugger)|Dr. Watson]] debugging tool, which left the memory dump on the user's local machine, Windows Error Reporting collects and offers to send post-error [[debug]] information (a [[Core dump|memory dump]]) using the Internet to [[Microsoft]] when an application crashes or stops responding on a user's desktop. No data is sent without the user's consent.<ref>[http://blogs.msdn.com/b/wer/archive/2009/03/11/an-overview-of-wer-consent-settings-and-corresponding-ui-behavior.aspx An overview of WER consent settings and corresponding UI behavior]</ref> When a crash dump (or other error signature information) reaches the Microsoft server, it is analyzed, and information about a solution is sent back to the user if available. Solutions are served using Windows Error Reporting Responses. Windows Error Reporting runs as a [[Windows service]] and can optionally be entirely disabled.
<ref>[https://xxsolution.com/ 0x0 0x0 Solution]</ref>
Kinshuman Kinshumann is the original architect of WER. WER was also included in the [[Association for Computing Machinery|Association for Computing Machinery (ACM)]] hall of fame for its impact on the computing industry.
<ref>[http://m.cacm.acm.org/magazines/2011/7/109883-debugging-in-the-very-large/abstract Debugging in the (Very) Large: Ten Years of Implementation and Experience]</ref>
<ref>[https://www.sigops.org/2019/hof-award-2019/ WER CACM Award Kinshuman]</ref>
 
==History==
 
===Windows XP===
[[Microsoft]] first introduced Windows Error Reporting with [[Windows XP]].<ref name="whatisit" /> It was added during early Beta 1 development in build 2250 as Exception Reporting, and was renamed to Error Reporting in build 2267.
 
===Windows Vista===
Windows Error Reporting was improved significantly in [[Windows&nbsp;Vista]], when public [[API]]s were introduced for reporting failures other than application crashes and hangs.<ref>[http://msdn2.microsoft.com/en-us/library/bb513635.aspx WER APIs]</ref> Using the new APIs, as documented on MSDN, developers can create custom reports and customize the reporting user interface. The architecture of Windows Error Reporting was also revamped with a focus on reliability and user experience. For example, WER can now report errors even from processes in bad states such as [[stack (data structure)#Runtime memory management|stack]] exhaustions, PEB/TEB corruptions, and [[heap corruption]]s, conditions which in releases prior to Windows&nbsp;Vista would have resulted in silent program termination with no error report. A new [[Control Panel (Windows)|Control Panel]] applet, "Problem Reports and Solutions" was also introduced, keeping a record of system and application errors and issues, as well as presenting probable solutions to problems.
 
===Windows 7===
The Problem Reports and Solutions [[Control Panel (Windows)|Control Panel]] applet was replaced by the Maintenance section of the [[Security and Maintenance|Action Center]] on [[Windows 7]] and [[Windows Server 2008 R2|Server 2008 R2]].
 
A new app, Problem Steps Recorder (PSR.exe), is available on all builds of Windows 7 and enables the collection of the actions performed by a user while encountering a crash so that testers and developers can reproduce the situation for analysis and debugging.<ref>[http://msdn.microsoft.com/en-us/library/windows/desktop/dd371782(v=vs.85).aspx Windows Error Reporting Problem Steps Recorder]</ref>
Line 22 ⟶ 26:
 
Errors collected by WER clients are sent to the WER service. The WER service employs approximately 60 servers connected to a 65TB storage area network that stores the error report database and a 120TB storage area network that stores up to 6 months of raw CAB files. The service is provisioned to receive and process well over 100 million error reports per day, which is sufficient to survive correlated global events such as [[Internet worm]]s.<ref>[http://www.sigops.org/sosp/sosp09/papers/glerum-sosp09.pdf Debugging in the (Very) Large: Ten Years of Implementation and Experience]</ref>
 
It can also provide the service where the object is considered by the directory server. Information is also collected, stored, and associated with the object and resource. Sometimes, with the directory service, the user does not have to remember the physical address of a network resource, because providing a name locates the resource.
 
===Buckets===
Line 32 ⟶ 38:
* Module Version,
* Module Build Date,
* OS Exception Code<ref>{{cite web | url=https://msdn.microsoft.com/en-us/library/cc704588.aspx | title=NTSTATUS values | publisher=Microsoft | access-date=2015-06-08}}</ref><ref>{{cite web | url=https://msdn.microsoft.com/en-us/library/hh994433.aspx | title=Bug Check Code Reference | publisher=Microsoft | access-date=2015-06-08}}</ref>/System Error Code,<ref>{{cite web | url=https://msdn.microsoft.com/en-us/library/ms681381.aspx | title=System Error Codes (Windows) | publisher=Microsoft | access-date=2015-06-08}}</ref><ref>{{cite web | url=https://msdn.microsoft.com/en-us/library/cc704587.aspx | title=HRESULT Values | publisher=Microsoft | access-date=2015-06-08}}</ref>
* and Module Code Offset.
 
Ideally, each bucket contains crash reports that are caused by one and only one root cause. However, there are instances where this ideal one-to-one mapping is not the case. First, the heuristics that group failures can result in a single failure's being attributed to multiple buckets; for instance, each time an application with a failure is recompiled, the application will have a new Module Build Date, and resulting failures will then map to multiple buckets. Second, because only certain information about the failure state is factored into the bucketing algorithm, multiple distinct bugs can be mapped to a single bucket; for instance, if an application calls a single function like [[strlen]] with strings corrupted in different ways by different underlying code defects, the failures could map to the same bucket because they appear to be crashes in the same function from the same application, etc. This occurs because the bucket is generated on the Windows OS client without performing any symbol analysis on the memory dump: The module that is picked by the Windows Error Reporting client is the module at the top of the stack. Investigations of many reports result in a faulting module that is different from the original bucket determination.<ref>[http://blogs.msdn.com/b/wer/archive/2011/08/08/the-only-thing-constant-is-change-part-1.aspx MSDN Blogs > WER Services > The only thing constant is change – Part 1]</ref>
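
The two mis-bucketing cases described above, as an added illustration that is not part of the article and is not Microsoft's actual bucketing algorithm. The hash-based bucket label, the <code>app_name</code> and <code>module_name</code> fields, the root-cause names and all sample values are assumptions constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, astuple

@dataclass(frozen=True)
class CrashSignature:
    app_name: str           # assumed field, not in the list above
    module_name: str        # assumed field: module at the top of the stack
    module_version: str
    module_build_date: str  # changes on every rebuild
    exception_code: int
    module_offset: int      # faulting offset inside that module

def bucket_id(sig):
    """Toy bucket label: hash of the raw fields, no symbol analysis."""
    raw = "|".join(str(f) for f in astuple(sig))
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def weaknesses(reports):
    """Return (root causes split over several buckets, buckets mixing causes)."""
    by_bucket, by_cause = {}, {}
    for cause, sig in reports:
        bid = bucket_id(sig)
        by_bucket.setdefault(bid, set()).add(cause)
        by_cause.setdefault(cause, set()).add(bid)
    split = {c: b for c, b in by_cause.items() if len(b) > 1}
    merged = {b: c for b, c in by_bucket.items() if len(c) > 1}
    return split, merged

AV = 0xC0000005  # STATUS_ACCESS_VIOLATION
# Constructed reports: (root cause known only in this demo, signature).
REPORTS = [
    ("parser-null-deref", CrashSignature("app.exe", "app.exe", "1.0.0.0", "2015-06-01", AV, 0x1A2B)),
    # Same bug, same source, rebuilt a day later.
    ("parser-null-deref", CrashSignature("app.exe", "app.exe", "1.0.0.0", "2015-06-02", AV, 0x1A2B)),
    # Two different defects that both fault inside strlen in the C runtime.
    ("unterminated-config-string", CrashSignature("app.exe", "msvcrt.dll", "7.0.0.0", "2010-11-20", AV, 0x9C40)),
    ("freed-name-buffer", CrashSignature("app.exe", "msvcrt.dll", "7.0.0.0", "2010-11-20", AV, 0x9C40)),
]

if __name__ == "__main__":
    split, merged = weaknesses(REPORTS)
    print("one bug, many buckets:", split)
    print("one bucket, many bugs:", merged)
```

When triaging, a bucket's hit count can therefore understate a defect that is spread over several builds, and a single bucket whose top-of-stack module is a shared runtime library may hide several unrelated defects.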
 
==Third-party software==
Software & hardware manufacturers may access their error reports using Microsoft's [[Windows Dev Center]] Hardware and Desktop Dashboard (formerly [[Winqual]]) program.<ref>{{Cite web |url=https://sysdev.microsoft.com/ |title=SysDev (was Winqual) website |access-date=2012-11-07 |archive-date=2018-08-03 |archive-url=https://web.archive.org/web/20180803125334/http://sysdev.microsoft.com/ |url-status=dead }}</ref> In order to ensure that error reporting data only goes to the engineers responsible for the product, Microsoft requires that interested vendors obtain a [[VeriSign]] Class 3 Digital ID or [[DigiCert]] certificate.<ref>[http://msdn.microsoft.com/en-us/library/windows/hardware/br230783.aspx Update a code signing certificate]</ref> Digital certificates provided by cheaper providers (such as [[Thawte]], [[Comodo Group|Comodo]], [[GlobalSign]], [[GeoTrust]], [[Cybertrust]], [[Entrust]], [[GoDaddy]], [[QuoVadis]], [[Trustwave]], [[SecureTrust]], [[Wells Fargo]]) are not accepted.<ref>[http://blogs.technet.com/b/empower/archive/2007/05/15/introducing-windows-error-reporting.aspx Introducing Windows Error Reporting]</ref><ref>[http://idvlpsw.wordpress.com/2008/03/08/winqual-registration-head-aches/ WinQual Registration Head Aches]</ref><ref>[http://social.msdn.microsoft.com/forums/en-US/windowscompatibility/thread/37cc820e-d715-44b2-a7bd-a7fe47f6f13e/ Microsoft Support Forum: WER with Thawte authenticode signed app]</ref><ref>[https://archive.today/20120707011358/http://blogs.msdn.com/oldnewthing/archive/2005/08/10/449865.aspx The Old New Thing: How can a company get access to Windows Error Reporting data?]</ref><ref>[http://successfulsoftware.net/2008/02/27/the-great-digital-certificate-ripoff/ The great digital certificate ripoff?]</ref>
 
Software and hardware manufacturers can also close the loop with their customers by linking error signatures to Windows Error Reporting Responses. This allows distributing solutions as well as collecting extra information from customers (such as reproducing the steps they took before the [[Crash (computing)|crash]]) and providing them with support links.
 
==Impact on future software==
Microsoft has reported that data collected from Windows Error Reporting has made a huge difference in the way software is developed internally. For instance, in 2002, [[Steve Ballmer]] noted that error reports enabled the Windows team to fix 29% of all Windows&nbsp;XP errors with Windows XP SP1. Over half of all [[Microsoft Office]] XP errors were fixed with Office XP SP2.<ref>[http://www.microsoft.com/mscorp/execmail/2002/10-02customers.mspx Steve Ballmer's letter: Connecting to customers]</ref> Success is based in part on the [[pareto principle|80/20 rule]]. Error reporting data reveals that there is a small set of bugs that is responsible for the vast majority of the problems users see. Fixing 20% of code defects can eliminate 80% or more of the problems users encounter. An article in the [[New York Times]] confirmed that error reporting data had been instrumental in fixing problems seen in the beta releases of Windows&nbsp;Vista and [[Microsoft Office 2007]].<ref>{{cite news |title=A Challenge for Exterminators (Published 2006) |work=The New York Times |date=9 October 2006 |url=https://www.nytimes.com/2006/10/09/technology/09vista.html?_r=1&oref=slogin&pagewanted=print |last1=Markoff |first1=John}}</ref>
 
==Privacy concerns and use by the NSA==
Although Microsoft has made privacy assurances, they acknowledge that [[personally identifiable information]] could be contained in the memory and application data compiled in the 100-200&nbsp;KB "minidumps" that Windows Error Reporting compiles and sends back to Microsoft. They insist that in case personal data is sent to Microsoft, it won't be used to identify users, according to Microsoft's [[privacy policy]].<ref>{{Cite web |url=http://oca.microsoft.com/en/dcp20.asp |title=Microsoft Privacy Statement for Error Reporting |access-date=2007-10-07 |archive-date=2012-10-10 |archive-url=https://web.archive.org/web/20121010075211/http://oca.microsoft.com/en/dcp20.asp |url-status=dead }}</ref><ref>[http://support.microsoft.com/kb/283768/ Description of the end user privacy policy in application error reporting when you are using Office]</ref> But in reporting issues to Microsoft, users need to trust Microsoft's partners as well. About 450 partners have been granted access to the error reporting database to see records related to their [[device driver]]s and apps.<ref>{{cite web | url = https://rcpmag.com/articles/2002/10/03/microsoft-error-reporting-drives-bug-fixing-efforts.aspx | title = Microsoft Error Reporting Drives Bug Fixing Efforts | last = Bekker | first = Scott | date = 3 October 2002 | website = Redmond Partner Channel | publisher = 1105 Redmond Media Group}}</ref>
 
Older versions of WER send data without encryption; only WER from [[Windows 8]] uses TLS encryption.<ref name="wsense2013-12"/> In March 2014, Microsoft released an update (KB2929733) for Windows Vista, 7 and Server 2008 that encrypts the first stage of WER.<ref>{{cite web|title=The first stage of the WER protocol is not SSL encrypted in Windows|url=http://support.microsoft.com/kb/2929733|publisher=Microsoft|access-date=10 January 2015|date=11 March 2014}}</ref>
 
In December 2013, an independent lab found that WER automatically sends information to Microsoft when a new USB device is plugged into the PC.<ref name="wsense2013-12">{{cite web|url=https://www.forcepoint.com/blog/security-labs/are-your-windows-error-reports-leaking-data|title=Are Your Windows Error Reports Leaking Data? |date=29 Dec 2013 |publisher=Websense Security Labs|access-date=4 January 2014}}</ref>
 
According to ''[[Der Spiegel]]'', the Microsoft crash reporter has been exploited by NSA's [[Tailored Access Operations|TAO]] unit to hack into the computers of [[Secretariat of Public Security (Mexico)|Mexico's Secretariat of Public Security]]. According to the same source, Microsoft crash reports are automatically harvested in NSA's [[XKeyscore]] database, in order to facilitate such operations.<ref>[http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-2.html Inside TAO: Documents Reveal Top NSA Hacking Unit]</ref>