Windows Error Reporting (WER)

Windows, Execution Evidence, Disk Image

Location

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\ and C:\ProgramData\Microsoft\Windows\WER\ReportQueue\

Description

Windows Error Reporting stores crash and fault data for every application or system crash, including process name, crash module, exception code, and memory snapshots. Reports persist in ReportArchive (submitted) and ReportQueue (pending) directories.

Forensic Value

WER reports capture the exact moment a process crashes, providing the faulting module name, exception offset, and timestamps that can reveal exploitation attempts or malware injection failures. The Report.wer text files include full command-line arguments and loaded module lists at crash time, making them useful for identifying malicious DLL side-loading or code injection. Memory minidumps (.mdmp) attached to reports may contain process memory at the time of the crash, potentially preserving credentials, decrypted payloads, or shellcode. Attackers rarely clear WER data, making it a valuable secondary evidence source when primary logs have been wiped.

Tools Required

KAPE, WER Parser, Volatility (for minidumps), PowerShell

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target WER

PowerShell

# Copy with -Recurse on the source path so each report's own subfolder is preserved; piping Get-ChildItem output into Copy-Item flattens the tree and the identical Report.wer file names collide.
New-Item -ItemType Directory -Path C:\output\WER\Archive -Force | Out-Null
Copy-Item -Path "C:\ProgramData\Microsoft\Windows\WER\ReportArchive\*" -Destination C:\output\WER\Archive\ -Recurse

PowerShell

# Prefix each report with its source path so entries stay attributable after concatenation
Get-ChildItem "C:\ProgramData\Microsoft\Windows\WER\ReportArchive" -Recurse -Filter Report.wer | ForEach-Object { "===== $($_.FullName) ====="; Get-Content $_.FullName } | Out-File C:\output\WER\all_reports.txt
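Once the reports are collected, the Report.wer files can be triaged in bulk rather than read one by one. The script below is an added example, not from the original card or from KAPE/WER Parser; it assumes the standard Report.wer key=value fields (EventType, EventTime as a decimal FILETIME, Sig[n].Name/Sig[n].Value, AppPath, LoadedModule[n]), and the trusted-directory list and output path are assumptions to tune per case.

```powershell
# Added example, not part of the original card or the referenced tools. Assumes the standard
# Report.wer key=value layout (EventType, EventTime as decimal FILETIME, Sig[n].Name/Value,
# AppPath, LoadedModule[n]). $TrustedModuleDirs and the output path are constructed assumptions.
$ReportRoots = @(
    'C:\ProgramData\Microsoft\Windows\WER\ReportArchive',
    'C:\ProgramData\Microsoft\Windows\WER\ReportQueue'
)
# Modules loaded from these directories are treated as unremarkable; tune per host or image.
$TrustedModuleDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\",
                       "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function ConvertFrom-WerReport {
    param([Parameter(Mandatory)][string]$Path)
    # Report.wer is UTF-16 with a BOM, which Get-Content detects automatically.
    $fields = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    # Sig[n].Name / Sig[n].Value pairs hold the crash signature (application, fault module, exception code, offset).
    $sig = @{}
    foreach ($key in @($fields.Keys)) {
        if ($key -match '^Sig\[(\d+)\]\.Name$') { $sig[$fields[$key]] = $fields["Sig[$($Matches[1])].Value"] }
    }
    $modules = @($fields.Keys | Where-Object { $_ -match '^LoadedModule\[\d+\]$' } | ForEach-Object { $fields[$_] })
    # Anything loaded from outside the trusted directories is a side-loading / injection lead, not a verdict.
    $suspect = @($modules | Where-Object {
        $m = $_
        -not ($TrustedModuleDirs | Where-Object { $m.StartsWith($_, 'OrdinalIgnoreCase') })
    })
    $eventTime = $null
    if ($fields['EventTime'] -match '^\d+$') { $eventTime = [DateTime]::FromFileTimeUtc([long]$fields['EventTime']) }
    [pscustomobject]@{
        Report          = $Path
        EventType       = $fields['EventType']
        EventTimeUtc    = $eventTime
        AppPath         = $fields['AppPath']
        FaultModule     = $sig['Fault Module Name']
        ExceptionCode   = $sig['Exception Code']
        ExceptionOffset = $sig['Exception Offset']
        ModuleCount     = $modules.Count
        SuspectModules  = ($suspect -join '; ')
    }
}

$triage = Get-ChildItem -Path $ReportRoots -Recurse -Filter Report.wer -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-WerReport -Path $_.FullName } |
    Sort-Object EventTimeUtc -Descending
$triage | Format-Table EventTimeUtc, EventType, AppPath, FaultModule, ExceptionCode, SuspectModules -AutoSize
New-Item -ItemType Directory -Path C:\output\WER -Force | Out-Null
$triage | Export-Csv -Path C:\output\WER\wer_triage.csv -NoTypeInformation
```

Run it against the mounted image's ProgramData paths by changing $ReportRoots; a non-empty SuspectModules column is the first thing to pivot on against the execution and file-system timeline.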

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1203, T1055, T1574.002