Windows Error Reporting (WER) (codenamed Watson) is a crash reporting technology introduced by

Microsoft Microsoft Corporation is an American multinational corporation, multinational technology company, technology corporation producing Software, computer software, consumer electronics, personal computers, and related services headquartered at th ...

with

Windows XP Windows XP is a major release of Microsoft's Windows NT operating system. It was release to manufacturing, released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Wind ...

What are WER Services?
/ref> and included in later Windows versions and

Windows Mobile Windows Mobile is a discontinued family of mobile operating systems developed by Microsoft for smartphones and personal digital assistants. Its origin dated back to Windows CE in 1996, though Windows Mobile itself first appeared in 2000 as Pock ...

5.0 and 6.0. Not to be confused with the

Dr. Watson John H. Watson, known as Dr. Watson, is a fictional character in the Sherlock Holmes stories by Sir Arthur Conan Doyle. Along with Sherlock Holmes, Dr. Watson first appeared in the novel ''A Study in Scarlet'' (1887). The last work by Doyle f ...

debugging tool which left the memory dump on the user's local machine, Windows Error Reporting collects and offers to send post-error

debug In computer programming and software development, debugging is the process of finding and resolving ''bugs'' (defects or problems that prevent correct operation) within computer programs, software, or systems. Debugging tactics can involve int ...

information (a

memory dump In computing, a core dump, memory dump, crash dump, storage dump, system dump, or ABEND dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminat ...

) using the Internet to

when an application crashes or stops responding on a user's desktop. No data is sent without the user's consent. When a crash dump (or other error signature information) reaches the Microsoft server, it is analyzed, and information about a solution is sent back to the user if available. Solutions are served using Windows Error Reporting Responses. Windows Error Reporting runs as a

Windows service In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager ...

. Kinshuman is the original architect of WER. WER was also included in the ACM hall of fame for its impact on the computing industry.

History

Windows XP

first introduced Windows Error Reporting with

Windows Vista

Windows Error Reporting was improved significantly in

Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...

, when public

API An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how ...

s were introduced for reporting failures other than application crashes and hangs. Using the new APIs, as documented on MSDN, developers can create custom reports and customize the reporting user interface. Windows Error Reporting was also revamped with a focus on reliability and user experience. For example, WER can now report errors even from processes in bad states such as

stack Stack may refer to: Places * Stack Island, an island game reserve in Bass Strait, south-eastern Australia, in Tasmania’s Hunter Island Group * Blue Stack Mountains, in Co. Donegal, Ireland People * Stack (surname) (including a list of people ...

exhaustions, PEB/TEB corruptions, and

heap corruption Memory corruption occurs in a computer program when the contents of a memory location are modified due to programmatic behavior that exceeds the intention of the original programmer or program/language constructs; this is termed as violation of m ...

s, conditions which in releases prior to Windows Vista would have resulted in silent program termination with no error report. A new Control Panel applet, "Problem Reports and Solutions" was also introduced, keeping a record of system and application errors and issues, as well as presenting probable solutions to problems.

Windows 7

The Problem Reports and Solutions Control Panel applet was replaced by the Maintenance section of the

Windows Action Center Action Center is a notification center included with Windows Phone 8.1, Windows 10 and Windows 10 Mobile. It was first introduced with Windows Phone 8.1 in July 2014, and was introduced to the desktop with the launch of Windows 10 on July 29, 2015 ...

Windows 7 Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009. It is the successor to Windows Vista, released nearl ...

and Server 2008 R2. A new app, Problem Steps Recorder (PSR.exe), is available on all builds of Windows 7 and enables the collection of the actions performed by a user while encountering a crash so that testers and developers can reproduce the situation for analysis and debugging.

System design

WER is a

distributed system A distributed system is a system whose components are located on different networked computers, which communicate and coordinate their actions by passing messages to one another from any system. Distributed computing is a field of computer sci ...

. Client-side software detects an error condition, generates an error report, labels the bucket, and reports the error to the WER service. The WER service records the error occurrence and then, depending on information known about the particular error, might request additional data from the client, or direct the client to a solution. Programmers access the WER service to retrieve data for specific error reports and for statistics-based debugging. Errors collected by WER clients are sent to the WER service. The WER service employs approximately 60 servers connected to a 65TB storage area network that stores the error report database and a 120TB storage area network that stores up to 6 months of raw CAB files. The service is provisioned to receive and process well over 100 million error reports per day, which is sufficient to survive correlated global events such as

Internet worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...

s. It can also provide the service where it considered the object by the directory server. Information is also stored to collect and associated with the object and resource. Sometimes the directory service the user do not have to remember the physical address of a network resources by providing name and locate the resources.

Buckets

In the Microsoft Windows Error Reporting (WER) system, crash reports are organized according to "buckets". Buckets classify issues by: * Application Name, * Application Version, * Application Build Date, * Module Name, * Module Version, * Module Build Date, * OS Exception Code/System Error Code, * and Module Code Offset. Ideally, each bucket contains crash reports that are caused by one and only one root cause. However, there are instances where this ideal one-to-one mapping is not the case. First, the heuristics that group failures can result in a single failure's being attributed to multiple buckets; for instance, each time an application with a failure is recompiled, the application will have a new Module Build Date, and resulting failures will then map to multiple buckets. Second, because only certain information about the failure state is factored into the bucketing algorithm, multiple distinct bugs can be mapped to a single bucket; for instance, if an application calls a single function like strlen with strings corrupted in different ways by different underlying code defects, the failures could map to the same bucket because they appear to be crashes in the same function from the same application, etc. This occurs because the bucket is generated on the Windows OS client without performing any symbol analysis on the memory dump: The module that is picked by the Windows Error Reporting client is the module at the top of the stack. Investigations of many reports result in a faulting module that is different from the original bucket determination.

Third-party software

Software & hardware manufacturers may access their error reports using Microsoft's

Windows Dev Center Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for s ...

Hardware and Desktop Dashboard (formerly

Winqual Windows Quality Online Services (Winqual) was a Microsoft web service providing a developer dashboard to certification for the Microsoft Windows logo programs and access to the Windows Error Reporting (WER) data. In preparation for Windows 8 the ...

) program. In order to ensure that error reporting data only goes to the engineers responsible for the product, Microsoft requires that interested vendors obtain a

VeriSign Verisign Inc. is an American company based in Reston, Virginia, United States that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the , , and gene ...

Class 3 Digital ID or

DigiCert DigiCert, Inc. is an American digital security company headquartered in Lehi, Utah, with offices in Australia, Ireland, Japan, India, France, South Africa, Switzerland and United Kingdom. As a certificate authority (CA) and trusted third party, Di ...

certificate. Digital certificates provided by cheaper providers (such as

Thawte Thawte Consulting (pronounced "thought") is a certificate authority (CA) for X.509 certificates. Thawte was founded in 1995 by Mark Shuttleworth in South Africa. As of December 30, 2016, its then-parent company, Symantec Group, was collective ...

, Comodo,

GlobalSign GlobalSign was one of the first Certificate Authorities (CAs) to be WebTrust audited. It is a provider of identity and security solutions for the Internet of Things (IoT). As of January 2015, Globalsign was the 4th largest certificate authority in ...

GeoTrust GeoTrust is a digital certificate provider. The GeoTrust brand was bought by Symantec from Verisign in 2010, but agreed to sell the certificate business (including GeoTrust) in August 2017 to private equity and growth capital firm Thoma Bravo L ...

Cybertrust CyberTrust was a security services company formed in Virginia in November 2004 from the merger of TruSecure and Betrusted. Betrusted previously acquired GTE Cybertrust. Cybertrust acquired a large stake in Ubizen, a European security services firm ...

Entrust Entrust Corp., formerly Entrust Datacard, provides software and hardware used to issue financial cards, e-passport production, user authentication for those looking to access secure networks or conduct financial transactions, trust certificat ...

GoDaddy GoDaddy Inc. is an American publicly traded Internet domain registrar and web hosting company headquartered in Tempe, Arizona, and incorporated in Delaware. , GoDaddy has more than 21 million customers and over 6,600 employees worldwide. The ...

, QuoVadis,

Trustwave Trustwave Holdings is an American standalone business unit cybersecurity independent subsidiary and brand of multinational telecommunications company Singtel Group Enterprise. It focuses on providing managed detection and response (MDR), managed ...

, SecureTrust,

Wells Fargo Wells Fargo & Company is an American multinational financial services company with corporate headquarters in San Francisco, California; operational headquarters in Manhattan; and managerial offices throughout the United States and inter ...

) are not accepted. Software and hardware manufacturers can also close the loop with their customers by linking error signatures to Windows Error Reporting Responses. This allows distributing solutions as well as collecting extra information from customers (such as reproducing the steps they took before the

crash Crash or CRASH may refer to: Common meanings * Collision, an impact between two or more objects * Crash (computing), a condition where a program ceases to respond * Cardiac arrest, a medical condition in which the heart stops beating * Couch s ...

) and providing them with support links.

Impact on future software

Microsoft has reported that data collected from Windows Error Reporting has made a huge difference in the way software is developed internally. For instance, in 2002,

Steve Ballmer Steven Anthony Ballmer (; March 24, 1956) is an American business magnate and investor who served as the chief executive officer of Microsoft from 2000 to 2014. He is the current owner of the Los Angeles Clippers of the National Basketball Assoc ...

noted that error reports enabled the Windows team to fix 29% of all Windows XP errors with Windows XP SP1. Over half of all

Microsoft Office Microsoft Office, or simply Office, is the former name of a family of client software, server software, and services developed by Microsoft. It was first announced by Bill Gates on August 1, 1988, at COMDEX in Las Vegas. Initially a ma ...

XP errors were fixed with Office XP SP2. Success is based in part on the

80/20 rule The Pareto principle states that for many outcomes, roughly 80% of consequences come from 20% of causes (the "vital few"). Other names for this principle are the 80/20 rule, the law of the vital few, or the principle of factor sparsity. Manage ...

. Error reporting data reveals that there is a small set of bugs that is responsible for the vast majority of the problems users see. Fixing 20% of code defects can eliminate 80% or more of the problems users encounter. An article in the

New York Times ''The New York Times'' (''the Times'', ''NYT'', or the Gray Lady) is a daily newspaper based in New York City with a worldwide readership reported in 2020 to comprise a declining 840,000 paid print subscribers, and a growing 6 million paid ...

confirmed that error reporting data had been instrumental in fixing problems seen in the beta releases of Windows Vista and

Microsoft Office 2007 Microsoft Office 2007 (codenamed Office 12) is an office suite for Windows, developed and published by Microsoft. It was officially revealed on March 9, 2006 and was the 12th version of Microsoft Office. It was released to manufacturing on Nove ...

Privacy concerns and use by the NSA

Although Microsoft has made privacy assurances, they acknowledge that

personally identifiable information Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person. The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates ha ...

could be contained in the memory and application data compiled in the 100-200 KB "minidumps" that Windows Error Reporting compiles and sends back to Microsoft. They insist that in case personal data is sent to Microsoft, it won't be used to identify users, according to Microsoft's

privacy policy A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify ...

. But in reporting issues to Microsoft, users need to trust Microsoft's partners as well. About 450 partners have been granted access to the error reporting database to see records related to their

device driver In computing, a device driver is a computer program that operates or controls a particular type of device that is attached to a computer or automaton. A driver provides a software interface to hardware devices, enabling operating systems and o ...

s and apps. Older versions of WER send data without encryption; only WER from

Windows 8 Windows 8 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on August 1, 2012; it was subsequently made available for download via MSDN and TechNet on August 15, 2012, and later to ...

uses TLS encryption. In March 2014, Microsoft released an update (KB2929733) for Windows Vista, 7 and Server 2008 that encrypts the first stage of WER. In December 2013, an independent lab found that WER automatically sends information to Microsoft when a new USB device is plugged to the PC. According to '' Der Spiegel'', the Microsoft crash reporter has been exploited by NSA's

TAO ''Tao'' or ''Dao'' is the natural order of the universe, whose character one's intuition must discern to realize the potential for individual wisdom, as conceived in the context of East Asian philosophy, East Asian religions, or any other phil ...

unit to hack into the computers of Mexico's Secretariat of Public Security. According to the same source, Microsoft crash reports are automatically harvested in NSA's

XKeyscore XKeyscore (XKEYSCORE or XKS) is a secret computer system used by the United States National Security Agency (NSA) for searching and analyzing global Internet data, which it collects in real time. The NSA has shared XKeyscore with other intelligen ...

database, in order to facilitate such operations.Inside TAO: Documents Reveal Top NSA Hacking Unit
/ref>

References

{{Windows Components Windows components Windows services Software anomalies