Where does Windows 8 store user-mode crash minidumps?

Where does Windows 8 store minidumps from user-mode crashes?

Windows Vista and Windows 7 is documented to (by default) store a crash dump in:

%LOCALAPPDATA%\CrashDumps

A fact supported by observational evidence:

enter image description here

But, when an application crashes on Windows 8:

enter image description here

There are no crash dumps in %LOCALAPPDATA%\CrashDumps; there isn't even a CrashDumps folder:

enter image description here

Which leads to the question:

Where does Windows 8 store minidumps from user-mode crashes?

Note: You can ignore everything after the first line; it's just wasted filler.

enter image description here

Ian Boyd

Posted 2013-02-16T21:12:06.270

Reputation: 18 244

i did a dir *.dmp /s, dir *.mdmp /s from the Windows folder, and the root of my user profile folder. – Ian Boyd – 2013-02-16T22:03:55.640

Have made sure you don't have application specific crash dumps turned on? I had no problem finding them on my system. Of course I also verified the feature was turned on my system. – Ramhound – 2013-02-16T22:39:11.603

Where did you find them on your system? (i've checked two locations) What which settings for WER crash dumps do you have turned on? (i've checked 3 settings) – Ian Boyd – 2013-02-17T02:35:46.210

Have you checked the event log? Usually you'll find the path to the dumps there. IIRC Windows packs them up (.dmp + .xml) in a ZIP file, so it could be named differently, too. Try Win+R and then eventvwr and ENTER to check the event log. – 0xC0000022L – 2013-02-17T02:42:24.780

@0xC0000022L The event viewer shows events from Windows Error Reporting show, "Attached Files: ..., ..., C:\Users\ian\AppData\Local\Temp\WERD655.tmp.mdmp", which, unfortunately, is not there. – Ian Boyd – 2013-02-17T03:05:43.757

1@IanBoyd: depends on the system settings and I'm not too familiar with W8, yet. I suggest you try to find that file next time while the WER dialog is still open. – 0xC0000022L – 2013-02-17T16:46:27.307

@ERROR_ACCESS_DENIED Even with Process Monitor running, looking for any Path containing dmp, and all file activity from dwwin.exe, i see no dump files being created. – Ian Boyd – 2013-02-17T18:49:10.383

@IanBoyd - As I said they were in application specific locations. – Ramhound – 2013-02-19T12:02:33.513

@IanBoyd - The MSDN article you link to says "This feature is not enabled by default." You do have to create the LocalDumps key. Having that and the DumpFolder REG_EXPAND_SZ makes things work on this Windows 8 machine. – jla – 2014-03-21T19:58:43.107

Answers

I observed the following with Windows 8.1 Professional:

Windows Error Reporting writes to: %ProgramData%\Microsoft\Windows\WER\

However, per default, it no longer permanently stores the dumps on the local computer. You need to explicitly enable the storing of the dumps.

Use the Group Policy Editor (gpedit.msc): Computer Configuration -> Administrative Templates -> Windows Components -> Windows Error Reporting -> Advanced Error Reporting Settings

Enable the policy Configure Report Archive:
- Archive behaviour = Store all
- Max number = 100
You may also want to enable the policy Do not throttle additional data to send and store dumps for consecutive crashes with similar signature.

The dumps are inside the file Report.cab of the crash specific subfolder.

paulgutten

Posted 2013-02-16T21:12:06.270

Reputation: 334

It seems to be very simple:

On my Windows 8.1 machine there was no %LOCALAPPDATA%\CrashDumps and no dumps were generated. I created the following value in the Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
DumpFolder=REG_EXPAND_SZ:"C:\Dumps"

(the above syntax is not quite for .reg files, but it must be clear what it is)

and next time I had a crash of my program, the dump was generated in C:\Dumps.

I hope this helps.

Sergei

Posted 2013-02-16T21:12:06.270

Reputation: 41

You can search for .dmp files on your computer. But if you don't find any, then keep on reading.

For Store applications, Windows 8 seems to collect the application crash-dumps on the Microsoft servers, where their life-time is quite unknown (my suspicion : 30 days and I picked this number up from here).

For details, see the article Improving apps with Quality reports.

In a nutshell: You access the Quality reports through your app's "app summary page". This page supplies a Download link for a .cab file containing the process dump (!).

I don't have Windows 8, and my above answer seems like pure craziness on Microsoft's part, but this unbelievable fact is what I read into the documentation. I just hope that I am wrong.

harrymc

Posted 2013-02-16T21:12:06.270

Reputation: 306 093

This is a big security breach for apps that handle sensitive information, like passwords and private keys. There is absolutely no reason to ship dumps with the sensitive information to companies like Microsoft. The sensitive information should never leave the security boundary, like the app or the local machine. Law enforcement and criminals thank Microsoft for making it easy to collect the secret information. – jww – 2019-03-15T06:05:22.470

Unfortunately Microsoft won't let me have my WinQual reports! – Ian Boyd – 2013-02-22T21:59:05.540

The situation is even more Kafkaien than I could imagine. Is going back to Windows 7 an option? Otherwise, you have no choice but to either buy a Verisign license or give up on application crash-dumps. – harrymc – 2013-02-24T19:04:35.613

You can override the location where the files are stored. run regedit.exe and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps, create a REG_EXPAND_SZ with the name of the folder you like to use (like C:\dumps).

magicandre1981

Posted 2013-02-16T21:12:06.270

Reputation: 86 560

This is not necessary, since DumpFolder has the default value of %LOCALAPPDATA%\CrashDumps. But evidently this has no effect for the poster on Windows 8. – harrymc – 2013-02-24T10:12:18.007

from my experience overriding the folder makes sure that dumps are written, which is not the case for the default setting. – magicandre1981 – 2013-02-24T16:40:58.433

Everything is possible with Windows 8... Hopefully, the poster might be able to give here some feedback. – harrymc – 2013-02-24T16:53:28.040

@harrymc The registry key exists; the screenshot in the original question shows the of mini dumps. – Ian Boyd – 2013-02-24T20:37:55.220

@IanBoyd: The registry key doesn't need to exist for dumps to happen on Windows 7, because there it has a default value. This answer says to create and set it to another folder than %LOCALAPPDATA%\CrashDumps and see if that changes anything. I personally don't believe in it, but trying can't hurt. – harrymc – 2013-02-24T21:21:43.430

@harrymc No, what i was saying is that i had already created the registry key. It did not effect any change, and did not affect the behaviour. Updated question with screenshot of regedit showing key – Ian Boyd – 2013-02-25T01:09:06.387

1again, change the value to something like C:\dumps. This works for me since the feature was added in Vista Sp1. – magicandre1981 – 2013-02-25T05:55:58.723

... and ensure that C:\dumps does exist. Create it if necessary. – harrymc – 2013-02-25T09:34:52.320

for me, the WER service always creates the folder. – magicandre1981 – 2013-02-25T19:20:28.367