Extract context record from WER dumps

Question

Extract context record from WER dumps

goldshtn opened this issue 8 years ago · 2 comments

Dumps generated by Windows Error Reporting have the original context record and exception record obscured by the WER infrastructure. Here's an example call stack from a WER dump:

0:008> kc
 # 
00 ntdll!NtWaitForMultipleObjects
01 KERNELBASE!WaitForMultipleObjectsEx
02 KERNELBASE!WaitForMultipleObjects
03 kernel32!WerpReportFaultInternal
04 kernel32!WerpReportFault
05 kernel32!BasepReportFault
06 KERNELBASE!UnhandledExceptionFilter
07 ntdll!__RtlUserThreadStart
08 ntdll!_RtlUserThreadStart

To extract the original context, WinDbg provides the .ecxr command. We should be able to do something similar.

Answer 1 · 2016-08-15T19:04:34.000Z

And here's how to do it: IDebugAdvanced2::Request has a set of commands for getting the faulting thread, the exception record, and the context record.

Answer 2 · 2016-09-25T14:02:01.000Z

Done in #58 as part of the report command; the GetLastEventInformation() method now returns data based on the WER context.