Windows Error Reporting
Windows Error Reporting (WerFault) is the system mechanism that captures application crashes and hangs across the operating system. What most users see as an annoying "program stopped working" dialog is, for investigators, a forensic goldmine. WER records the exact process that crashed, what modules were loaded and precisely when the failure occurred, creating a persistent record even for processes that were designed to erase themselves.
Imagine a factory where every time a machine breaks down, an automatic robot walks over, takes a photograph of the broken machine, writes down the time it broke and files a report into a cabinet. Windows Error Reporting is that robot. Every time a program crashes on your computer, Windows automatically writes down the program's name, what it was doing and when it died. Malware often crashes, and this cabinet has the evidence.
General
WER is managed by the WerSvc service and the WerFault.exe process. When an application crashes, the kernel notifies WER, which then generates a crash report. These reports are stored in two primary locations: a per-user folder at %LOCALAPPDATA%\Microsoft\Windows\WER\ and a system-wide location at %ProgramData%\Microsoft\Windows\WER\. Reports are organized into two subdirectories — ReportArchive for submitted reports and ReportQueue for pending submissions. Each report folder contains Appcompat.txt, Report.wer and optionally a minidump (.mdmp) file, a snapshot of the crashed process's memory at the moment of failure.
Traces
WER report files and their folder structure expose important execution metadata:
- Process Name: The exact name of the executable that crashed.
- Full Application Path: The directory location from which the crashed binary was executed.
- Crash Timestamp: The UTC time of the process failure.
- Exception Code: The specific Windows exception type that caused the crash, such as Access Violation (0xC0000005).
- Minidump File: A partial memory snapshot of the process state at crash time, which can contain strings, credentials and decoded payloads.
- and more.
Forensic Value
We analyze WER artifacts to uncover failed exploitation attempts and hidden execution:
- Detecting Failed Malware: Identifying crashes from malicious tools that ran briefly then terminated abnormally. Pivot to the Execution overview to see if any secondary artifacts were triggered.
- Exploitation Artifacts: Finding crash reports from system processes like lsass.exe that indicate a failed credential dumping attempt.
- Minidump Analysis: Extracting strings, decoded shellcode or in-memory credentials from crash dump files left in the WER queue.
- Proving Unknown Execution: Corroborating execution timelines when Prefetch or Event Logs are cleared but WER reports remain.
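The following script is an added example, not code from the original page: it parses a Report.wer file into the traces listed in the Traces section (process name, application path, crash timestamp, exception code, loaded modules), walks the ReportArchive and ReportQueue folders described under General, and applies the kind of triage the Forensic Value section describes (a crash in lsass.exe, a binary or module outside expected system paths, an access violation). It assumes Report.wer is a UTF-16 key=value file whose EventTime is a decimal FILETIME (100-ns ticks since 1601-01-01 UTC); the sample report, its paths and module names, and the triage policy are constructed for illustration.

```python
# Added example (not from the original page): parse a WER Report.wer file,
# recover the traces listed in the Traces section and apply triage rules
# from the Forensic Value section. Assumed layout: Report.wer is a UTF-16
# key=value file whose EventTime is a decimal FILETIME (100-ns ticks since
# 1601-01-01 UTC). The sample report, paths and module names are constructed.
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample mimicking the key layout of a Report.wer for an lsass.exe crash.
SAMPLE_REPORT = r"""Version=1
EventType=APPCRASH
EventTime=133485408000000000
ReportType=2
NsAppName=lsass.exe
Sig[0].Name=Application Name
Sig[0].Value=lsass.exe
Sig[1].Name=Application Version
Sig[1].Value=10.0.19041.1
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
LoadedModule[0]=C:\Windows\system32\lsass.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Users\Public\helper.dll
FriendlyEventName=Stopped working
AppPath=C:\Windows\system32\lsass.exe
"""


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME (100-ns ticks since 1601-01-01) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_report(text: str) -> dict:
    """Reduce the key=value lines of a Report.wer to the fields an investigator cares about."""
    kv = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            kv[key.strip()] = value.strip()

    # Sig[n].Name / Sig[n].Value pairs carry the crash signature (exception code etc.).
    sigs = {}
    for key, name in kv.items():
        m = re.fullmatch(r"Sig\[(\d+)\]\.Name", key)
        if m:
            sigs[name] = kv.get(f"Sig[{m.group(1)}].Value", "")

    # LoadedModule[n] entries, ordered numerically rather than lexically.
    module_keys = sorted(
        (k for k in kv if k.startswith("LoadedModule[")),
        key=lambda k: int(re.search(r"\[(\d+)\]", k).group(1)),
    )
    exc = sigs.get("Exception Code", "")
    return {
        "event_type": kv.get("EventType", ""),
        "process_name": sigs.get("Application Name") or kv.get("NsAppName", ""),
        "app_path": kv.get("AppPath", ""),
        "crash_time_utc": filetime_to_utc(int(kv.get("EventTime", "0"))),
        "exception_code": f"0x{exc.upper()}" if exc else "",
        "fault_module": sigs.get("Fault Module Name", ""),
        "modules": [kv[k] for k in module_keys],
    }


# Assumed triage policy (example only): processes whose crash warrants attention
# and path prefixes treated as expected locations for legitimate binaries.
SENSITIVE_PROCESSES = {"lsass.exe"}
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage(report: dict) -> list:
    """Return human-readable findings for a parsed report."""
    findings = []
    name = report["process_name"].lower()
    if name in SENSITIVE_PROCESSES:
        findings.append(f"crash in sensitive process {name} (possible failed credential dumping)")
    if report["app_path"] and not report["app_path"].lower().startswith(EXPECTED_PREFIXES):
        findings.append(f"binary executed from unexpected path {report['app_path']}")
    for mod in report["modules"]:
        if not mod.lower().startswith(EXPECTED_PREFIXES):
            findings.append(f"module outside expected locations: {mod}")
    if report["exception_code"] == "0xC0000005":
        findings.append("access violation (0xC0000005)")
    return findings


def collect_reports(wer_root: Path):
    """Yield parsed reports from ReportArchive and ReportQueue under a WER root
    (e.g. %ProgramData%\\Microsoft\\Windows\\WER), noting whether a minidump sits beside each."""
    for sub in ("ReportArchive", "ReportQueue"):
        base = wer_root / sub
        if not base.is_dir():
            continue
        for wer in base.rglob("Report.wer"):
            raw = wer.read_bytes()
            # Report.wer is normally UTF-16 with a BOM; fall back to UTF-8 otherwise.
            text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
            report = parse_report(text)
            report["queue"] = sub
            report["report_path"] = str(wer)
            report["has_minidump"] = any(p.suffix.lower() == ".mdmp" for p in wer.parent.iterdir())
            yield report


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["process_name"], rep["app_path"], rep["crash_time_utc"].isoformat(), rep["exception_code"])
    for finding in triage(rep):
        print(" -", finding)
```

Running it against the constructed sample yields three findings: the sensitive-process crash, the module loaded from C:\Users\Public, and the access violation. On a live or mounted image, call collect_reports() on both WER roots and feed each report to triage(); a report with has_minidump set is a candidate for the string and credential extraction described under Minidump Analysis.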
For more info, check out these articles: Execution