Application Crash Dumps "Capture"

Most administrators are familiar with the Dr. Watson for Windows tool that has been around since the days of Windows NT.  An updated version of this tool, DrWtsn32, still exists in Windows XP and Windows Server 2003 - but not in Windows Vista or Windows Server 2008.  So how do we capture user-mode dump files?  We're going to cover several different methods for capturing dump files for User-mode application crashes.

First - let's quickly cover Dr. Watson for Windows XP and Windows Server 2003.  Dr. Watson captures user-mode dump information.  Whenever a user-mode process (such as Internet Explorer or the Print Spooler) crashes, Dr. Watson creates a text file, DrWtsn32.log.  Dr. Watson can also be configured to create a crash dump file that can be loaded into a debugger.  Let's look at the configuration for Dr. Watson.  The first thing we have to do is configure Dr. Watson as our default debugger.  To do this we run the following command: drwtsn32 -i.  What this does is modify two registry values located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug.  The values are as follows:

  • Value Name = Auto
    Type = String (REG_SZ)
    Data Value = 1 or 0. (Default is 1)
  • Value Name = Debugger
    Type = String (REG_SZ)
    Data Value = drwtsn32 -p %ld -e %ld -g
    NOTE: This data value (drwtsn32 -p %ld -e %ld -g) is specific to Dr. Watson. Alternative debuggers will have their own values and parameters.
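
One way to confirm the two AeDebug values after running drwtsn32 -i, as an added example that is not part of the original article: the script parses the text printed by `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"` and reports anything that differs from the values listed above. The sample outputs and the otherdbg.exe path are constructed for illustration.

```python
import re

# Parameters of the Debugger data value that the article lists for Dr. Watson.
DRWATSON_ARGS = "-p %ld -e %ld -g"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
COMMAND = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')

def parse_reg_query(text):
    """Map lower-cased value name -> (type, data) from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = (m.group(2), m.group(3).strip())
    return values

def check_aedebug(text):
    """Return findings; an empty list means the key matches the article."""
    values = parse_reg_query(text)
    findings = []
    for name in ("auto", "debugger"):
        if name not in values:
            findings.append(name + ": value missing")
        elif values[name][0] != "REG_SZ":
            findings.append(name + ": type is " + values[name][0] + ", expected REG_SZ")
    auto = values.get("auto", ("", "1"))[1]
    if auto not in ("0", "1"):
        findings.append("auto: data is %r, expected 1 or 0" % auto)
    if "debugger" in values:
        m = COMMAND.match(values["debugger"][1])
        exe = (m.group(1) or m.group(2) or "") if m else ""
        args = " ".join(m.group(3).split()) if m else ""
        base = re.split(r"[\\/]", exe)[-1].lower()
        if base not in ("drwtsn32", "drwtsn32.exe"):
            findings.append("debugger: %r is not Dr. Watson" % exe)
        elif args.lower() != DRWATSON_ARGS:
            findings.append("debugger: unexpected parameters %r" % args)
    return findings

# Constructed samples of `reg query` output (tab- and space-separated variants).
HEADER = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\n"
SAMPLE_DRWATSON = HEADER + "    Auto\tREG_SZ\t1\n    Debugger\tREG_SZ\tdrwtsn32 -p %ld -e %ld -g\n"
SAMPLE_OTHER = HEADER + '    Auto    REG_SZ    1\n    Debugger    REG_SZ    "C:\\Tools\\otherdbg.exe" -p %ld -e %ld\n'

if __name__ == "__main__":
    for label, sample in (("drwatson", SAMPLE_DRWATSON), ("other", SAMPLE_OTHER)):
        print(label, check_aedebug(sample) or "matches the article")
```

A finding on the Debugger value means something other than Dr. Watson is registered to run when a process crashes, which is worth confirming before relying on DrWtsn32.log being produced.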

So now that Dr. Watson is our default debugger, it's time to go set our parameters.  Run the drwtsn32 command to bring up the configuration options.

The first two options are fairly self-explanatory - the location in which Dr. Watson should save the Log File and Crash Dump when they are generated.  By default, this is in the All Users profile path: drive:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Dr Watson.  If you change these locations, you must ensure that all users have write permission to the new location.  Otherwise, users will be prompted to select a location in which to save the files.

The "Number of Instructions" parameter specifies how many instructions preceding and following the faulty instruction are included in the disassembly portion of the log file.  The possible values for this parameter range from 0 to 500.  The disassembly portion includes the function being executed when the error occurred, the memory address, raw machine instruction, and decoded machine instruction for each adjacent instruction and an analysis of the faulty instruction.  The default value is 10 (0xA in Hexadecimal).

The "Number of Errors to Save" parameter specifies how many errors Dr. Watson should maintain in its application error viewer and in the Event Viewer application log.  By default, this value is 10 (0xA in Hexadecimal).  The possible values range from 0 to 4,294,967,295!  In reality though, you would not want to set the value this high.  When the number of recorded errors reaches the value of this entry, Dr. Watson will continue to add errors to the log file and the dump - but will not add errors to its own log viewer or the Application Event log until it is reset using the "Clear" button or the value is increased.

The "Dump Symbol Table" option dumps the symbol table for each module.  Selecting this option can cause log files to become very large!  The "Dump all Thread Contexts" option specifies whether Dr. Watson will log a state dump for each thread in the program that failed or only the faulting thread.  The other options are self-explanatory.  Each of the parameters in this dialog is stored in the HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson key.  The Log File and Dump File path values are not present by default - if you change the location of these files, you will see the Registry values for these options.
