question

abiang avatar image
0 Votes"
abiang asked XingHuang-MSFT commented

Windows Error Reporting is disabled but WerSvc is still running?

I need WER disabled in some servers. To achieve this, according to the documentation I ran the Disable-WindowsErrorReporting cmdlet, which upon returning True confirmed that the operation had been successful.
After that, running the Get-WindowsErrorReporting cmdlet showed that it was in the "Disabled" state.
Going to the registry editor and checking "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting" showed that the "Disabled" value was indeed set to 1.
91683-image.png

But when checking under services.msc, the "Windows Error Reporting Service (WerSvc) was showing as still running and with the Automatic startup value.
I restarted the server and the service was still running.
My question is: does disabling WER still leave the WerSvc running? Why would that be? Does the service remain active but stops reporting?
How can I validate quickly that WER is indeed disabled (tried hanging the Sysinternal's NotMyFault.exe app but I did not get WER's dialog box with it either Enabled or Disabled)



windows-server
image.png (43.7 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

XingHuang-MSFT avatar image
0 Votes"
XingHuang-MSFT answered

Hi,

Could you please share your screenshot of the “Disable value” showed in the registry. After I tried, I find that there may be something wrong with your system files. You can try SFC or DISM command in the command prompt to restore the files. You can use clean boot to exclude the influence of non-Microsoft software. You can try whether you can stop the service manually in the services.

Best regards,
Ansley


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

abiang avatar image
0 Votes"
abiang answered

Please refrain from suggesting solutions not related to the problem. Nothing indicates a problem with system files (specially since it is a VM with a fresh windows install only to test this). Requesting a screenshot of a condition clearly explained in text would do little to enrich the case information. And I also fail to see how trying to stop the service manually would validate my question: does disabling WER still leave the WerSvc running? Why would that be? Does the service remain active but stops reporting?

This kind of generic "Run SFC/DISM" on every question in existence does little but diminish the overall quality of the forums.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

XingHuang-MSFT avatar image
0 Votes"
XingHuang-MSFT answered

Hi,
I'm sorry to trouble you because I didn't explain it clearly. In the picture you showed, we find that the command: disable-errorreporting didn’t work in your PowerShell. Because when you used this command, your PowerShell returned false. That means you didn’t disable the Windows Error Reporting successfully. So the Windows Error Reporting still shows as running. You can try to disable the Windows Error Reporting manually according to this picture to see if it works.

92765-picture.png



Looking forward to your reply.

Best regards,
Ansley


picture.png (87.0 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

abiang avatar image
0 Votes"
abiang answered XingHuang-MSFT commented

@XingHuang-MSFT Please, take another look at the screenshot and then read the text: "I ran the Disable-WindowsErrorReporting cmdlet, which upon returning True confirmed that the operation had been successful." Then, in the screenshot, it can be seen how the Get-WindowsErrorReporting cmdlet is returning "Disabled" and, accordingly, the Disable-WindowsErrorReporting returns "False", that not only happens when it fails, but also when its already deactivated, as stated in the cmdlet's documentation: "The Disable-WindowsErrorReporting cmdlet returns $True if it is successful. Otherwise, it returns $False."

So the cmdlet is working as expected, and is, as stated, disabling WER via the registry and not failing. But still the WerSvc shows as started. I need to validate if they are two components that are interdependent and WER is effectively not working even if WerSvc is running. Also, manually deactivating it won't help because this is a proof of concept to orchestrate automation of this action in a pool of a great number of servers. Is there any documentation about WER components? Any place where I can contact a Subject Matter Expert regarding WindowsErrorReporting service?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for your reply. I'm sorry that I didn't have a better understanding of your question. Based on what you described later, I think you might need to use Process Monitor to catch the process of the WER service to see if the written file is blocked. Please understand due to security policy and from our professional level, we could not provide log analysis. In addition, if this problem is more urgent for you, I still recommend that you open a case to Microsoft for further professional help. https://support.microsoft.com/en-us/help/4341255/support-for-busines.support-for-busines


0 Votes 0 ·