Note: This blogpost is also posted on the PepperCrew website.
When you’re a system administrator you’re likely to encounter a few application crashes during your career. In order to troubleshoot these crashes Windows Error Reporting (WER) comes in handy. It can be configured so that full user-mode dumps are collected and stored locally after a user-mode application crashes. You can than send the dumps to the software supplier or analyse it yourself using your tool of choise.
The configuration is done by setting a few registry keys (for more info: link). Because it’s a hassle to set these keys manually I’ve created PowerShell functions to configure user-mode dumps on either your local machine or a remote machine. It uses remote registry for this so it works even if PowerShell remoting is disabled in your environment.
These are the functions with some examples on how to use them:
Enables User-Mode (Application Crash) dumps using Windows Error Reporting on a local or remote computer. Requires to be run under an account with admin rights on the computer.
PS\> Enable-WERUserModeDumps -ComputerName PC001,PC002 -Process iexplore.exe -DumpFolder D:\Dumps -DumpType FullDump
Enables User-Mode dumps on PC001 and PC002 using default values: 10 full dump maximum in folder ‘D:\Dumps’ for application Internet Explorer (iexplorer.exe)
Disables User-Mode (Application Crash) dumps on a local or remote computer. Requires to be run under an account with admin rights on the computer.
PS\> Disable-WERUserModeDumps -ComputerName PC001,PC002
Disables User-Mode dumps on PC001 and PC002.
PS\> Get-ADComputer -Filter "Name -like 'PCTEST*'" | Select * | Enable-WERUserModeDumps
Retreives all computers with a name that starts with PCTEST from AD and enables User-Mode dumps on them (The command is first piped to the Select command because of issues with AD object types in the pipeline).
You can find the functions here.
Hope it helps!