Shlomi Boutnaru, Ph.D. – The Windows Process Journey — “WerFault.exe” (Windows Error Reporting)
“WerFault.exe” is a PE binary located at “%windir%\System32\WerFault.exe”. On 64-bit systems there is also a 32-bit version of the binary located at “%windir%\SysWOW64\WerFault.exe”. This binary is one of the components of the “Windows Error Reporting” (WER) feature of the operating system, and it works together with the “Windows Error Reporting Service” (WerSvc).
“WerFault.exe” is launched when a process crashes. Its job is to collect the crash data: information about the exception, the state of the faulting process and, depending on the WER configuration, a memory dump. “WerFault.exe” then uploads the report to Microsoft’s Windows Error Reporting back end. If there is no Internet connection, the report is saved locally so that it can be uploaded later by “wermgr.exe” (the WER manager, which processes the queued reports).
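The reports that “WerFault.exe” leaves behind are folders containing a “Report.wer” file (an INI-style key=value text file, written as UTF-16LE) plus any attachments such as the dump. The following PowerShell is an added example of mine, not code from the original article, that parses that file and lists what is sitting in the system-wide report stores. The field names it reads (“Sig[n].Name”/“Sig[n].Value”, “File[n].Path”, “NsAppName”, “AppPath”, “IsFatal”) are the ones WER writes; the sample report is constructed for illustration, and reading the real stores normally needs an elevated shell.

```powershell
# Added example (not from the original article): parse Report.wer files and
# summarize the reports WerFault.exe has stored locally.

function ConvertFrom-WerReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = [ordered]@{}
    $sig    = @{}   # Sig[n].Name / Sig[n].Value pairs, keyed by n
    $files  = @{}   # File[n].Path / File[n].CabName pairs, keyed by n
    foreach ($line in $Lines) {
        if (-not ($line -match '^([^=]+)=(.*)$')) { continue }   # skip non key=value lines
        $key   = $Matches[1].Trim()
        $value = $Matches[2].Trim()
        if ($key -match '^Sig\[(\d+)\]\.(Name|Value)$') {
            $i = [int]$Matches[1]
            if (-not $sig.ContainsKey($i)) { $sig[$i] = @{} }
            $sig[$i][$Matches[2]] = $value
        } elseif ($key -match '^File\[(\d+)\]\.(Path|CabName)$') {
            $i = [int]$Matches[1]
            if (-not $files.ContainsKey($i)) { $files[$i] = @{} }
            $files[$i][$Matches[2]] = $value
        } else {
            $fields[$key] = $value
        }
    }
    # Fold the indexed Sig[n] pairs into a Name -> Value table (the crash signature).
    $signature = [ordered]@{}
    foreach ($i in ($sig.Keys | Sort-Object)) { $signature[$sig[$i]['Name']] = $sig[$i]['Value'] }
    [pscustomobject]@{
        EventType     = $fields['EventType']
        AppName       = $fields['NsAppName']
        AppPath       = $fields['AppPath']
        IsFatal       = $fields['IsFatal'] -eq '1'
        ExceptionCode = $signature['Exception Code']
        FaultModule   = $signature['Fault Module Name']
        Signature     = $signature
        Attachments   = @($files.Keys | Sort-Object | ForEach-Object { $files[$_]['Path'] })
        # .hdmp / .mdmp attachments are the heap / mini dumps WerFault.exe collected
        HasDump       = [bool]($files.Values | Where-Object { $_['Path'] -match '\.(h|m)dmp$' })
    }
}

function Get-WerReport {
    # System-wide stores described in the article. Per-user reports also live
    # under $env:LOCALAPPDATA\Microsoft\Windows\WER and are not covered here.
    $stores = @('ReportQueue', 'ReportArchive') |
        ForEach-Object { Join-Path $env:ProgramData "Microsoft\Windows\WER\$_" } |
        Where-Object { Test-Path $_ }
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -Filter Report.wer -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $r = ConvertFrom-WerReport -Lines (Get-Content -Path $_.FullName -Encoding Unicode)
                $r | Add-Member -NotePropertyName Store  -NotePropertyValue (Split-Path $store -Leaf) -PassThru |
                     Add-Member -NotePropertyName Folder -NotePropertyValue $_.Directory.Name -PassThru
            }
    }
}

# Constructed sample mirroring the layout of a real APPCRASH Report.wer.
$sample = @'
Version=1
EventType=APPCRASH
EventTime=133500000000000000
ReportStatus=4
NsAppName=example.exe
IsFatal=1
Sig[0].Name=Application Name
Sig[0].Value=example.exe
Sig[1].Name=Application Version
Sig[1].Value=1.0.0.0
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
File[0].CabName=memory.hdmp
File[0].Path=WER1A2B.tmp.hdmp
File[1].CabName=Report.wer
File[1].Path=Report.wer
AppPath=C:\Tools\example.exe
'@ -split "`r?`n"

ConvertFrom-WerReport -Lines $sample | Format-List
Get-WerReport | Format-Table Store, Folder, EventType, AppName, ExceptionCode, HasDump -AutoSize
```

The parsed sample yields EventType APPCRASH, exception code c0000005 in ntdll.dll and HasDump set, because a “.hdmp” attachment is listed; on a live system the second command shows which reports are still queued for upload and which have already been archived.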
In more detail: when a process hits an unhandled exception, the WNF state name WNF_WER_SERVICE_START is signaled so that the “Windows Error Reporting Service” (WerSvc) is started on demand if it is not already running. The crashing process then talks to WerSvc over ALPC, and the service creates “WerFault.exe” as a child process of the crashed process, running with that process’s token and at its privilege level (not with the LocalSystem token under which WerSvc itself runs). “WerFault.exe” writes its reports under “C:\ProgramData\Microsoft\Windows\WER\ReportQueue”, where they wait to be uploaded (for example while there is no network connectivity), and they are moved to “C:\ProgramData\Microsoft\Windows\WER\ReportArchive” once they have been processed and sent.
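Because a genuine “WerFault.exe” is a child of the crashed process, lives in System32/SysWOW64, is Microsoft-signed and runs with the crashed process’s token rather than SYSTEM, each of those properties can be checked on a live instance. The PowerShell below is an added example of mine, not code from the original article, that audits every running “WerFault.exe” against them. Two things in it are assumptions I am labelling as such: that the “-p <pid>” argument on the command line names the faulting process (observed command lines look like “WerFault.exe -u -p 1234 -s 5678”), and that a missing parent simply means the crashed process has already exited. Run it elevated so WMI returns the image path and owner for every process.

```powershell
# Added example (not from the original article): audit running WerFault.exe
# instances against the properties described above.

$expectedPaths = @(
    (Join-Path $env:windir 'System32\WerFault.exe'),
    (Join-Path $env:windir 'SysWOW64\WerFault.exe')
)

function Get-ProcessOwner {
    param([Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimInstance]$Process)
    $o = Invoke-CimMethod -InputObject $Process -MethodName GetOwner
    if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { $null }
}

function Test-WerFaultInstance {
    param([Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimInstance]$Process)
    $findings = @()

    # 1. Image path: only the System32 / SysWOW64 binaries are legitimate.
    if (-not $Process.ExecutablePath) {
        $findings += 'image path unavailable (run elevated)'
    } elseif ($expectedPaths -notcontains $Process.ExecutablePath) {
        $findings += "unexpected image path '$($Process.ExecutablePath)'"
    } else {
        # 2. Authenticode: the real binary carries a valid Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $Process.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature status $($sig.Status) ($($sig.SignerCertificate.Subject))"
        }
    }

    # 3. Parent: WerFault.exe is spawned as a child of the crashed process.
    #    Assumption: a missing parent means the crashed process already exited;
    #    note that PIDs can be reused, so treat the parent name as a hint only.
    $owner  = Get-ProcessOwner -Process $Process
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($Process.ParentProcessId)"
    if (-not $parent) {
        $findings += "parent PID $($Process.ParentProcessId) no longer exists"
    } else {
        # 4. Token: it runs as the crashed process's user, not as SYSTEM like WerSvc.
        $parentOwner = Get-ProcessOwner -Process $parent
        if ($owner -ne $parentOwner) {
            $findings += "owner '$owner' differs from parent owner '$parentOwner'"
        }
        # 5. Assumption: "-p <pid>" names the faulting process, so it should equal the parent PID.
        if ($Process.CommandLine -match '-p\s+(\d+)' -and [int]$Matches[1] -ne $Process.ParentProcessId) {
            $findings += "-p $($Matches[1]) does not match parent PID $($Process.ParentProcessId)"
        }
    }

    [pscustomobject]@{
        ProcessId   = $Process.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { $null }
        Owner       = $owner
        CommandLine = $Process.CommandLine
        Findings    = $findings
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'WerFault.exe'" |
    ForEach-Object { Test-WerFaultInstance -Process $_ } |
    Format-List
```

An instance whose parent is a script host or an unrelated service, whose owner differs from its parent’s, or whose image is not the signed System32/SysWOW64 binary deserves a closer look; a parent that has already exited is normal for a crash that has finished, which is why it is reported rather than flagged as malicious.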
See you in my next writeup 😉 You can follow me on Twitter — @boutnaru. Also, you can read my other writeups on Medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.