Getting Started with Windows App Crash Dump Collection: WER, ProcDump, and WinDbg
The short answer
The easiest way to think about crash dump collection is to layer it in this order:
- Start with WER LocalDumps configured per app (no extra tooling required)
- Add ProcDump when you need more (low-repro field investigations, hangs, first chance exceptions)
- Reach for MiniDumpWriteDump only when you want full control of your own collection
| Environment | Recommended starting point |
|---|---|
| Dev / staging machines | WER LocalDumps with DumpType=2 (full dump) |
| Customer / field machines | DumpType=1 or 2 depending on disk and confidentiality constraints |
| Long-running services or hang investigations | WER plus ProcDump with -h or -e 1 |
| Custom UI or attached logs needed | MiniDumpWriteDump from inside the app |
What a crash dump tells you
- The exception code that brought the process down
- Which thread crashed
- The call stack at the moment of failure
- The modules that were loaded
- Heap state and the contents of objects (when included)
Do not try to solve everything from a dump alone. Combine it with logs and heartbeats.
Overview of collection methods
| Method | Best fit | Strengths | Things to watch |
|---|---|---|---|
| WER LocalDumps | A baseline crash collector you leave running | Built into Windows, configurable per app | Aimed at crashes; weak for hangs |
| ProcDump | Low-repro investigations, hangs, first chance | Many trigger options, easy to drop on a field machine | External tool to manage |
| Task Manager | Grabbing the current state by hand | GUI, immediate | Not automated |
| MiniDumpWriteDump | Your own diagnostic feature | Easy to bundle attached logs and custom metadata | Implementation bugs are easy to introduce |
Configuring WER LocalDumps
Registry settings
The per-app subkey is the easiest to manage.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\MyApp.exe
| Value | Meaning | Recommendation |
|---|---|---|
| DumpFolder | Where dumps are written | Use a dedicated folder |
| DumpCount | How many to retain | 5 to 10 |
| DumpType | 0 = custom, 1 = mini, 2 = full | Start with 2; drop to 1 if disk is tight |
Example configuration
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\MyApp.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\MyApp.exe" /v DumpFolder /t REG_EXPAND_SZ /d "C:\CrashDumps\MyApp" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\MyApp.exe" /v DumpCount /t REG_DWORD /d 10 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\MyApp.exe" /v DumpType /t REG_DWORD /d 2 /f
What to verify
.dmpfiles actually appear in the expected folder- The size matches what your operations can carry
- WinDbg can open them
- The Application log in Event Viewer shows the crash
Using ProcDump
Common options
| Option | Meaning |
|---|---|
| -ma | Full dump |
| -mp | MiniPlus dump |
| -e | Dump on unhandled exception |
| -e 1 | Dump on first chance exceptions too |
| -h | Dump on hang |
| -w | Wait for the target process to start |
| -x | Launch the target and monitor it |
| -n | Maximum number of dumps |
| -accepteula | Accept the EULA automatically |
Typical command lines
# Full dump on unhandled exception for a process that is already running
procdump -accepteula -ma -e 1234 C:\CrashDumps\MyApp
# Wait for the next launch and monitor it
procdump -accepteula -ma -e -w MyApp.exe C:\CrashDumps\MyApp
# Capture first chance exceptions as well
procdump -accepteula -ma -n 3 -e 1 MyApp.exe C:\CrashDumps\MyApp
# Capture a hang
procdump -accepteula -h MyApp.exe C:\CrashDumps\MyApp
Mini dump vs full dump
| Type | Best fit | Pros | Cons |
|---|---|---|---|
| Mini dump | Broad rollout, easy to share | Small, easy to transfer | Limited state recovery |
| Full dump | Investigation focus, native boundaries or heap suspect | Lots of information | Large size, risk of confidential data |
| MiniPlus / Custom | Mini is not enough but full is too heavy | Strikes a balance | Needs tuning know-how |
Rule of thumb: full dumps on dev and staging, mini or full on customer machines depending on operational constraints.
Analyzing the dump
Install WinDbg
winget install Microsoft.WinDbg
Open the dump
windbg -z C:\CrashDumps\MyApp\MyApp_YYMMDD_HHMMSS.dmp
Set up symbols
.symfix C:\Symbols\Microsoft
.sympath+ C:\Symbols\MyApp
.reload
Run the automatic analyzer
!analyze -v
From there, look at the exception code, the faulting module, whether your own code shows up on the stack, and whether any thread other than the faulting one is stuck on a suspicious wait.
Decisions to make up front
- How you keep PDBs and binaries: archive the exact build of the EXE/DLL you shipped together with its matching PDB. Without those, dumps cannot be read.
- Output location and retention: do not write to the system drive root. Use a dedicated folder and cap the count.
- Who is allowed to look: full dumps may contain confidential data (connection strings, tokens, customer data).
Common pitfalls
- Dumps captured but no PDB on hand. Plan PDB archival alongside the collection setup.
DumpFolderACLs not checked. Confirm the process can actually write there before you wait for a crash.- Full dumps written to the production system drive forever. A classic disk-space incident.
- Trying to catch hangs with WER alone. Hangs and first chance exceptions are ProcDump territory.
- Leaving
-e 1on permanently and getting buried in exceptions. Cap the count or run it for a short window.
Wrap-up
Crash dumps are a strong observation point for low-repro failures. The order to reach for them is WER, then ProcDump, then MiniDumpWriteDump. Archiving PDBs is just as important as the dumps themselves.
References
- Microsoft Learn: Collecting User-Mode Dumps - Win32 apps
- Microsoft Learn: ProcDump v11.1 - Sysinternals
- Microsoft Learn: MiniDumpWriteDump function (minidumpapiset.h) - Win32
- Microsoft Learn: User-mode dump files - Windows drivers
- Microsoft Learn: Analyzing a User-Mode Dump File - Windows drivers
- Microsoft Learn: Install Windows Debugger - Windows drivers
- Microsoft Learn: Symbol path for Windows debuggers - Windows drivers
- Microsoft Learn: !analyze (WinDbg) - Windows drivers
- Microsoft Learn: Troubleshoot processes by using Task Manager - Windows Server
- Microsoft Learn: Enabling Postmortem Debugging - Windows drivers
Related Articles
Recent articles sharing the same tags. Deepen your understanding with closely related topics.
How to Reliably Capture Logs When a Windows App Crashes from a Programming Bug - Designs That Don't Bet on In-Process Logging, Plus Best Practices for WER, Final Markers, and Watchdogs
How to keep evidence when a Windows app crashes from an unexpected exception: how routine logs, a final crash marker, WER LocalDumps, and...
Pitfalls in COM, OCX, and ActiveX Development - Visual Studio Bitness, Registration, and Admin-Rights Traps
The traps that bite COM, OCX, and ActiveX work in practice: 32-bit/64-bit mismatches, regsvr32 vs Regasm, HKCU vs HKLM scope, and admin-r...
Where to `catch`, log, and handle exceptions — sorting out call-hierarchy boundaries and responsibilities for real-world code
A practical breakdown of where in the call hierarchy you should catch exceptions, where the primary log belongs, and where to decide betw...
What ClickOnce Actually Is: How It Works, How Updates Flow, and Where It Fits in Practice
A practical look at ClickOnce — how the manifests, auto-updates, per-version cache, and signing fit together, why it shines for internal ...
How to Use Windows Sandbox to Speed Up Windows App Validation - Admin Rights, Clean Environments, and Reproducing Missing-Permission or Low-Resource Cases
A practical guide to validating Windows apps with Windows Sandbox. Covers first-install checks in a clean environment, isolating admin-ri...
Related Topics
These topic pages place the article in a broader service and decision context.
Windows Technical Topics
Topic hub for KomuraSoft LLC's Windows development, investigation, and legacy-asset articles.
Bug Investigation & Long-Run Failures
Topic page for intermittent failures, communication diagnosis, long-run crashes, and failure-path test foundations.
Where This Topic Connects
This article connects naturally to the following service pages.
Windows App Development
We support Windows desktop applications that involve resident processing, device integration, operational logging, and maintainable structure.
Bug Investigation & Root Cause Analysis
We investigate difficult production issues such as intermittent failures, long-run crashes, leaks, and communication stoppages.