How WER collects and classifies error reports

The Microsoft Windows Error Reporting (WER) service captures both kernel-mode (operating system) and user-mode (application) crashes, including information on drivers and applications, as well as on the modules (controls and plug-ins) running at the time of the crash.

Windows Error Reporting (WER): Classifications

When an end user chooses to send an error report to Microsoft over the Internet, the WER service collects technical information about the crash. This data is used for quality control purposes only and is not used for tracking individual users or installations for any marketing purpose. If information is available that will help the end user solve the problem, Windows displays a message to the user with a link to that information.

WER classifies error reports for the same problem into one bucket. When a customer sends an error report, WER determines if a bucket for that problem already exists. If it does, then the report is added to the existing bucket. If not, then a new bucket is created.

The types of data collected and the schemas for defining a bucket are different for user-mode crashes and for kernel-mode crashes.

Classifying kernel-mode crashes

Kernel-mode crashes are first grouped by stop codes and then by additional parameters, depending on the individual stop code. The bucket name is based on the type of error and the device. For example:

Bucket name                       Error
OLD_IMAGE_SAMPLE.SYS_DEV_3577     Crash caused by an old version of sample.sys on device ID 3577
0x44_BUGCHECKING_DRIVER_SAMPLE    Driver sample.sys may have caused Bugcheck 0x44
POOL_CORRUPTION_SAMPLE            Driver sample.sys may have caused pool corruption
0xBE_sample!bar+1a                Driver sample.sys crashed in routine bar

An error report for a kernel-mode crash consists of a minidump file generated at the time of the crash and an XML file generated when the computer restarts and is about to send the error report.

When Windows stops responding, it reverts to a low-level troubleshooting mode. In this mode, a dump file is captured that contains low-level operating system data structures that identify what was happening in the computer at the time of the crash. These data structures include the functions being executed by the processor at the time of the crash, the CPU register state, and stack, thread, and process information. This data can be viewed in a debugger and used to identify the faulting component.

The dump file also contains the list of all drivers loaded in the computer at the time of the crash. This data is used by the debugger to determine which driver images and symbols need to be loaded to debug the crash. The list of modules also helps determine whether known bad or outdated drivers are running on the computer.

Starting with Windows XP Service Pack 1 (SP1), the dump files have been enhanced to allow a driver to store information in the crash dump file that can be used for troubleshooting. The routine for collecting crash data from a driver is KeRegisterBugCheckCallback.

Classifying user-mode crashes

User-mode crashes are classified according to the following parameters:

  1. Application name — for example, winword.exe

  2. Application version — for example, 10.0.2627.0

  3. Module name — for example, mso.dll

  4. Module version — for example, 10.0.2613.1

  5. Offset into module — for example, 00003cbb

The .cab files for user-mode crashes include such information plus a minidump file. The minidump file for user-mode crashes contains the state of the process at the time the crash occurred—specifically, the registers and stack for every thread in the application. This information is used to identify which application component caused the crash. The minidump also includes a list of all modules loaded in the application at the time of the crash, so you can get information about each module loaded in the process and get symbols for each of these modules.
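The bucketing rule described earlier (add the report to an existing bucket, otherwise create a new one) applied to the five user-mode parameters, as an added example that is not Microsoft's WER implementation. The report field names, the report ids and the normalisation of letter case and hexadecimal offsets are assumptions made for this example.

```python
from collections import defaultdict, namedtuple

BucketKey = namedtuple("BucketKey", "app_name app_version module_name module_version offset")

def bucket_key(report):
    """Build the five-parameter key. The normalisation is this example's assumption."""
    return BucketKey(
        report["app_name"].strip().lower(),     # Windows file names are case-insensitive
        report["app_version"].strip(),
        report["module_name"].strip().lower(),
        report["module_version"].strip(),
        int(report["offset"], 16),              # "00003cbb" and "0x3CBB" are one offset
    )

class BucketStore:
    def __init__(self):
        self.buckets = defaultdict(list)        # BucketKey -> list of report ids

    def submit(self, report):
        """File a report; return (key, created), created=True if the bucket is new."""
        key = bucket_key(report)
        created = key not in self.buckets
        self.buckets[key].append(report["report_id"])
        return key, created

# Constructed sample reports; field names and report ids are hypothetical.
SAMPLE_REPORTS = [
    {"report_id": "r1", "app_name": "winword.exe", "app_version": "10.0.2627.0",
     "module_name": "mso.dll", "module_version": "10.0.2613.1", "offset": "00003cbb"},
    {"report_id": "r2", "app_name": "WINWORD.EXE", "app_version": "10.0.2627.0",
     "module_name": "MSO.DLL", "module_version": "10.0.2613.1", "offset": "0x3CBB"},
    {"report_id": "r3", "app_name": "winword.exe", "app_version": "10.0.2627.0",
     "module_name": "mso.dll", "module_version": "10.0.2613.1", "offset": "00003cc0"},
]

def classify(reports):
    """Return (store, ids of the reports that opened a new bucket)."""
    store, openers = BucketStore(), []
    for report in reports:
        _, created = store.submit(report)
        if created:
            openers.append(report["report_id"])
    return store, openers

if __name__ == "__main__":
    store, openers = classify(SAMPLE_REPORTS)
    for key, ids in store.buckets.items():
        print(key.module_name, format(key.offset, "08x"), ids)
```

Reports r1 and r2 differ only in letter case and offset notation, so they share a bucket; r3 faults at a different offset in the same module and opens a second one.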

Error classification resources

WER resources
