AppCrash-Analysis-Suite is a bunch of scripts that will help you to:
- Enable creation of crash dumps on clients or servers
- Forward event log entry each time an application crash dump was generated
- Triggering a PowerShell script that will collect the crash dump to a central server
- A PowerShell script for automatically analyzing the application crash dump using Windows Debugger
Enable application crash dumps in Windows
To enable Application dumps in Windows, some registry keys needs to be set on all client computers where you want the dumps to be generated. If you use the AppCrash-Analysis-Suite in an Active Directory managed environment, the easiest way would be to use Active Directory Group Policy Preferences (GPP).
|HKLMSOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumps|
|HKLMSOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumpsDumpCount||REG_DWORD||3|
|HKLMSOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumpsDumpType||REG_DWORD||0x2|
|HKLMSOFTWAREMicrosoftWindowsWindows Error ReportingLocalDumpsDumpFolder||REG_EXPAND_SZ||%LOCALAPPDATA%CrashDumps|
Each time an application crashes and a crash dump is being generated, a new event with Event-Id 1000 (Application Error) will be logged in the Windows Eventlog. All these events will be forwarded to a central server or workstation where the AppCrash-Analysis-Suite scripts and scheduled tasks are set up.
The “Collect-AppCrash.ps1” PowerShell script will be configured as an event-triggered scheduled task. Whenever an eventlog entry with Event-Id 1000 (Application Error) will be forwarded, the PowerShell script will be triggered. You can specify the directories, etc. using the corrosponding commandline parameters in the scheduled task:
-DestinationFolder Path to folder where to store the app crash dumps
-EventRecordID Automatic Parameter using unique EventRecordID
Analyzing crash dumps
Using the PowerShell script “Analyze-AppCrash.ps1” the collected application crash dumps can be automatically analyzed using Windows Debugger (WinDBG). Therefore you need to install Windows Debugging Tools which is part of the Windows SDK: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
The script will process all crash dumps in the specified directory (*.dmp) and extract the FAILURE_IMAGE_NAME and the PROCESS_NAME. Finally the application crash dump as well as the WinDBG output will be stored / moved in a new subfolder below the specified dump directory:
This will make it a lot easier to identify the cause or the faulting modules and forward these to the application or module vendor for a bug fix.