#define private public - Think globally, dump locally (27 Jun 2007)

topic end
<!--
   * Set TOPICTITLE = #define private public - Think globally, dump locally (27 Jun 2007)
-->

<style type="text/css">
pre {background-color:#ffeecc;}
</style>

%STARTINCLUDE%
<a name="27"></a>

---+++ [[DefinePrivatePublic20070627][Think globally, dump locally]] (27 Jun 2007)

<img src="%ATTACHURLPATH%/localdump.png" alt="localdump.png"  width="350" height="218" align="right" />
<summary>These days, I spend quite some time in Microsoft's [[http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=1429&SiteID=1][Windows Error Reporting]] 
forum, which is where [[http:/www.dcsoft.com][David Ching]], who is a Microsoft MVP, posed 
an interesting problem this week.</summary>

On Vista, Windows Error Reporting will create and transmit minidump files only if the WER 
servers request them. At least this seems to be the default behavior which both David and I have
observed on Vista systems. David, however, wanted to make sure that whenever an application
crashes, a minidump file is generated which the user or tester can then send directly 
to the developers of the application for analysis - even if Microsoft's WER servers 
never actually request the minidumps, which, as far as I can tell, is the default 
for applications which have not been explicitly registered with and mapped 
at [[http://winqual.microsoft.com][Winqual]].

My first idea was to force the system into queuing mode. When crash reports are queued,
minidumps are always generated and stored locally, so that they can be transmitted to
the error reporting server later on. Queuing is enabled by setting
=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue=
(=DWORD=) to 1. (See 
[[http://msdn2.microsoft.com/en-us/library/aa363489.aspx][WER Settings]] 
for documentation on this and other WER-related registry keys.)
Crash report data will be stored in directories such as 
=c:\Users\someusername\AppData\Local\temp= and =C:\ProgramData\Microsoft\Windows\WER\ReportQueue=.

That works, but it also suppresses the WER UI, which isn't ideal either. Isn't 
there some way to have the cake and eat it, too?

Let's see: A variation of the above approach is to disable the Internet connection before 
the crash occurs. You'll get the dialogs, but WER won't be able to connect to the Microsoft 
servers, and so it should then also queue the crash information. Alternatively, 
and this is something that I have tried myself a few times, you could set
=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\CorporateWERServer=
(string) to the name of some non-existing system. When a crash occurs, WER will try 
to contact that server, find that it's not responding, and then store all crash data 
locally so that it can be re-sent when the connection is later established.

Or you could go all the way and actually install such a Corporate Error Reporting server 
on one of your systems. Probably one of the best solutions, since this gives you
direct access to minidump files within your organization.

But this blog isn't about IT, it's about hacking and coding ;) Here's an idea
how David's goals could be accomplished without implementing a full-blown
crash handler:

   * Call [[http://msdn2.microsoft.com/en-us/library/ms680634.aspx][SetUnhandledExceptionFilter()]]
     to register a top-level exception filter function
   * In that exception filter, call 
     [[http://msdn2.microsoft.com/en-us/library/ms680360.aspx][MiniDumpWriteDump()]] 
     to create a local minidump file.
   * Return from the filter with =EXCEPTION_CONTINUE_SEARCH=.

And here's the demo code which demonstrate this technique:

<pre>
<font color="#0000ff">// Demo program using SetUnhandledExceptionFilter() and</font>
<font color="#0000ff">// MiniDumpWriteDump().</font>
<font color="#0000ff">//</font>
<font color="#0000ff">// Claus Brod, <a href="http://www.clausbrod.de/Blog">http://www.clausbrod.de/Blog</a></font>

<font color="#a020f0">#include </font><font color="#ff00ff">&lt;windows.h&gt;</font>
<font color="#a020f0">#include </font><font color="#ff00ff">&lt;DbgHelp.h&gt;</font>
<font color="#a020f0">#pragma comment(lib, </font><font color="#ff00ff">&quot;DbgHelp.lib&quot;</font><font color="#a020f0">)</font>
<font color="#a020f0">#include </font><font color="#ff00ff">&lt;stdio.h&gt;</font>

<font color="#2e8b57"><b>static</b></font> LONG WINAPI myfilter(_EXCEPTION_POINTERS *exc_ptr)
{
  <font color="#2e8b57"><b>static</b></font> <font color="#2e8b57"><b>const</b></font> <font color="#2e8b57"><b>char</b></font> *minidumpFilename = <font color="#ff00ff">&quot;myminidump.mdmp&quot;</font>;
  HANDLE hDumpFile = CreateFile(minidumpFilename, GENERIC_WRITE, <font color="#ff00ff">0</font>, <font color="#ff00ff">NULL</font>,
    CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, <font color="#ff00ff">NULL</font>);

  <font color="#804040"><b>if</b></font> (hDumpFile != INVALID_HANDLE_VALUE) {
    __try {
      MINIDUMP_EXCEPTION_INFORMATION exceptionInfo;
      exceptionInfo.ThreadId = GetCurrentThreadId();
      exceptionInfo.ExceptionPointers = exc_ptr;
      exceptionInfo.ClientPointers = <font color="#ff00ff">false</font>;

      BOOL ret = MiniDumpWriteDump(GetCurrentProcess(),
        GetCurrentProcessId(), hDumpFile, MiniDumpNormal, &amp;exceptionInfo, <font color="#ff00ff">NULL</font>, <font color="#ff00ff">NULL</font>);
      <font color="#804040"><b>if</b></font> (ret) {
        printf(<font color="#ff00ff">&quot;Minidump information has been written to </font><font color="#6a5acd">%s</font><font color="#ff00ff">.</font><font color="#6a5acd">\n</font><font color="#ff00ff">&quot;</font>, minidumpFilename);
      }
    } __except(EXCEPTION_EXECUTE_HANDLER) { }
    CloseHandle(hDumpFile);
  }

  <font color="#804040"><b>return</b></font> EXCEPTION_CONTINUE_SEARCH;
}

<font color="#2e8b57"><b>static</b></font> <font color="#2e8b57"><b>int</b></font> wedding_crasher(<font color="#2e8b57"><b>int</b></font> *pp)
{
  *pp = <font color="#ff00ff">42</font>;
  <font color="#804040"><b>return</b></font> <font color="#ff00ff">42</font>;
}

<font color="#2e8b57"><b>int</b></font> main(<font color="#2e8b57"><b>void</b></font>)
{
  SetUnhandledExceptionFilter(myfilter);

  wedding_crasher(<font color="#ff00ff">0</font>);
  <font color="#804040"><b>return</b></font> <font color="#ff00ff">0</font>;
}
</pre>

And finally, here's a _really_ weird idea from Dmitry Vostokov:
[[http://www.dumpanalysis.org/blog/index.php/2007/05/19/resurrecting-dr-watson-on-vista/][Resurrecting Dr. Watson on Vista]] ;) If you're into exception handling and crash analysis, Dmitry's
http://www.dumpanalysis.org/ web site is a fantastic resource. This guy _lives_
in an exception filter :D

---

%STOPINCLUDE%

%COMMENT{type="below" nonotify="on"}%

---
to top
End of topic
Skip to action links | Back to top
You are here: Blog > DefinePrivatePublic20070627

r1.6 - 20 Sep 2007 - 06:11 - ClausBrod to top
Blog