This article explains how to configure Windows Error Reporting (WER) to automatically capture full memory dumps for crashing or hanging applications, and how to set up manual crash keys to force a system bug check (BSOD) for capturing dumps during system hangs or freezes. These steps are particularly useful when troubleshooting intermittent application crashes, unresponsiveness, or system hangs that may involve the ThreatDown endpoint agent or its drivers.
Use Case Examples:
- ThreatDown-related BSODs or freezes where no MEMORY.DMP was generated.
- Applications (including ThreatDown services/components) crashing without producing usable dumps.
- System hangs/freeze-ups suspected to be caused by driver conflicts (e.g., EDR, Web Protection, or kernel drivers like farflt.sys, mbendpointagent.sys).
Important Notes:
- Full memory dumps require sufficient free disk space (at least the size of physical RAM + some overhead).
- Manual crash keys force a deliberate BSOD (use only on non-production and test machines or with caution).
- Always back up the registry before importing changes (File > Export in regedit).
- These settings apply system-wide and take effect immediately for WER dumps; manual crash keys require a reboot.
Task 1: Create and Import the Registry File
- Open Notepad (or any plain text editor).
- Copy and paste the following exact content:
Windows Registry Editor Version 5.00

; Enable local dump collection for all processes
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
"DumpFolder"="C:\\Dumps"
"DumpCount"=dword:00000010
; DumpType 2 = Full dump
"DumpType"=dword:00000002

; Enable dumps for Application Hang (WER hang-related processes)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\svchost.exe]
"DumpType"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\werfault.exe]
"DumpType"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\RuntimeBroker.exe]
"DumpType"=dword:00000002

; Additional reliability settings for WER
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"ForceQueue"=dword:00000001
"Disabled"=dword:00000000

; ------------------------------------------------------------
; Manual crash keys for SYSTEM HANG scenarios (forces bugcheck)
; Method: Hold Right CTRL and press SPACEBAR twice
; Requires reboot after applying
; ------------------------------------------------------------

; PS/2 keyboard manual crash keys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\crashdump]
"Dump1Keys"=dword:00000002
"Dump2Key"=dword:0000003d

; USB keyboard manual crash keys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\crashdump]
"Dump1Keys"=dword:00000002
"Dump2Key"=dword:0000003d

- Save the file as Activate system crash and hang.reg
- Ensure the file type is All Files (not .txt).
- Save to Desktop or a convenient location.
- Right-click the saved .reg file → Merge.
- Approve the UAC prompt (User Account Control).
- Click Yes to confirm adding the keys.
Task 2: Reboot the System
- A reboot is required to activate the manual crash keys (Right Ctrl + Spacebar twice).
- WER dump collection settings take effect immediately (no reboot needed for application crashes/hangs).
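A read-only check of the imported settings, added here as an example (it is not ThreatDown's or Microsoft's own script). The function names are hypothetical; the expected values are copied from the .reg file in Task 1, and the last two lookups show where Windows is set to write the kernel dump and who can read the dump folder.

```powershell
# Added example: read-only check of the Task 1 import. Run elevated, after the Task 2 reboot.
$wer = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Expected values, copied from the .reg file in Task 1.
$expected = @(
    @{ Key = "$wer\LocalDumps";                   Name = 'DumpFolder'; Want = 'C:\Dumps' }
    @{ Key = "$wer\LocalDumps";                   Name = 'DumpCount';  Want = 0x10 }
    @{ Key = "$wer\LocalDumps";                   Name = 'DumpType';   Want = 2 }
    @{ Key = "$wer\LocalDumps\svchost.exe";       Name = 'DumpType';   Want = 2 }
    @{ Key = "$wer\LocalDumps\werfault.exe";      Name = 'DumpType';   Want = 2 }
    @{ Key = "$wer\LocalDumps\RuntimeBroker.exe"; Name = 'DumpType';   Want = 2 }
    @{ Key = $wer;                                Name = 'ForceQueue'; Want = 1 }
    @{ Key = $wer;                                Name = 'Disabled';   Want = 0 }
    @{ Key = "$svc\i8042prt\crashdump";           Name = 'Dump1Keys';  Want = 0x02 }
    @{ Key = "$svc\i8042prt\crashdump";           Name = 'Dump2Key';   Want = 0x3d }
    @{ Key = "$svc\kbdhid\crashdump";             Name = 'Dump1Keys';  Want = 0x02 }
    @{ Key = "$svc\kbdhid\crashdump";             Name = 'Dump2Key';   Want = 0x3d }
)

function Test-DumpRegistry {
    foreach ($e in $expected) {
        $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        $have = if ($item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Key = $e.Key; Name = $e.Name; Want = $e.Want; Have = $have
            Ok  = ($null -ne $have) -and ($have -eq $e.Want)
        }
    }
}

function Test-DumpDiskSpace([string]$Folder = 'C:\Dumps') {
    $ram  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$(Split-Path $Folder -Qualifier)'"
    [pscustomobject]@{
        FolderExists    = Test-Path $Folder
        RamGB           = [math]::Round($ram / 1GB, 1)
        FreeGB          = [math]::Round($disk.FreeSpace / 1GB, 1)
        RoomForFullDump = $disk.FreeSpace -gt $ram   # the article asks for RAM size plus some overhead
    }
}

Test-DumpRegistry | Format-Table Name, Want, Have, Ok, Key -AutoSize
Test-DumpDiskSpace | Format-List
# Kernel (bug check) dump type and path are held in CrashControl, which the .reg file does not set.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' |
    Select-Object CrashDumpEnabled, DumpFile | Format-List
# Full dumps hold process memory, so review who can read the dump folder.
if (Test-Path 'C:\Dumps') { (Get-Acl 'C:\Dumps').Access | Format-Table IdentityReference, FileSystemRights }
```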
Task 3: Locate the dumps
All generated dumps (application crashes, hangs, and manual system crashes) will appear in:
C:\Dumps
- Files are named like: ApplicationName.exe.PID.dmp (e.g., mbam.exe.1234.dmp, svchost.exe.5678.dmp).
- System hang dumps appear as MEMORY.DMP (or similar) in the same folder if configured this way.
Task 4: Triggering Dumps
A. Automatic Collection (WER)
- If an application crashes or hangs long enough, WER automatically generates a full dump in C:\Dumps.
- No user action needed once configured.
B. Manual Application Hang Dump (No BSOD)
When an application (e.g., ThreatDown tray icon, service, or related process) becomes unresponsive:
- Open Task Manager (Ctrl + Shift + Esc).
- Go to the Details tab (or Processes tab in older Windows).
- Right-click the unresponsive process (e.g., mbam.exe, mbendpointagent.exe, mfevtp.exe, etc.).
- Select Create dump file.
- Windows generates a .dmp file in the default location (usually the user's Desktop) or in C:\Dumps if WER is configured.
C. Manual System Hang Dump (Forces BSOD)
When the entire system freezes or becomes unresponsive and you suspect a ThreatDown driver:
- Hold down the Right Ctrl key.
- Quickly press the Spacebar twice (within ~1 second).
- The system should immediately trigger a bug check (BSOD) and generate a full memory dump.
- After restart, check C:\Dumps for the new MEMORY.DMP.
For more information, see "Forcing a system crash from the keyboard".
Task 5: Contact Support
Once you have captured the relevant dump(s):
- Collect ThreatDown Endpoint Agent diagnostic logs
- Zip the dump file(s) from C:\Dumps (full MEMORY.DMP can be very large—compress it).
- Open a support ticket and include:
  - The dump file(s).
  - Agent diagnostic logs.
  - Description: When/how the crash/hang occurred, reproducibility, affected processes, OS version, agent version.
  - Whether it was an application crash, hang, or forced system crash.
Support can analyze the dump using WinDbg or similar tools to identify faulty drivers/modules (e.g., if a ThreatDown driver caused the exception).
Cleanup / Revert (Optional): To disable these settings later, delete the added registry keys or import a .reg file with "-" before values (e.g., "-DumpType").
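One way to do the "delete the added registry keys" route from PowerShell, added here as an example (not ThreatDown's own tooling). The function name `Remove-DumpConfig` and the backup location are hypothetical, and it assumes the per-process and `crashdump` subkeys did not exist before the Task 1 import.

```powershell
# Added example: undo the Task 1 import. Run elevated; -WhatIf previews the deletions.
function Remove-DumpConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$BackupDir = $env:TEMP)   # assumption: any writable folder will do

    $wer = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Back up first, as the article advises. reg.exe is a native tool, so it runs even with -WhatIf.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting' "$BackupDir\wer-$stamp.reg" /y | Out-Null
    foreach ($drv in 'i8042prt', 'kbdhid') {
        reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$drv" "$BackupDir\$drv-$stamp.reg" /y | Out-Null
    }

    # Keys assumed to have been created by the import: remove them whole.
    $keys = @(
        "$wer\LocalDumps\svchost.exe"
        "$wer\LocalDumps\werfault.exe"
        "$wer\LocalDumps\RuntimeBroker.exe"
        "$svc\i8042prt\crashdump"
        "$svc\kbdhid\crashdump"
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse }
    }

    # Keys that can hold other settings: remove only the values the import added.
    Remove-ItemProperty -Path "$wer\LocalDumps" -Name DumpFolder, DumpCount, DumpType -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $wer -Name ForceQueue -ErrorAction SilentlyContinue
    # "Disabled"=0 is left in place: it keeps WER enabled.
}

Remove-DumpConfig -WhatIf   # drop -WhatIf to apply
```

The article states that the crash keys need a reboot to take effect; this example assumes the same holds for removing them, so reboot after applying.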
Use this configuration only for troubleshooting—do not leave manual crash keys enabled on production systems long-term. Contact ThreatDown support for assistance interpreting dumps or confirming ThreatDown involvement.