Windows Error Reporting and Internet Communication

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Windows Error Reporting

  • How Windows Error Reporting communicates with sites on the Internet

  • How to control Windows Error Reporting to prevent the flow of information to and from the Internet

Benefits and Purposes of Windows Error Reporting

The Windows Error Reporting feature in Microsoft Windows Server 2003 provides a service that allows Microsoft to track and address errors relating to the operating system, Windows components, and applications. This service, called the Error Reporting service, gives administrators and users the opportunity to send data about errors to Microsoft and to receive information about them. Microsoft developers can use the Error Reporting service as a problem-solving tool to address customer problems in a timely manner and to improve the quality of Microsoft products.

When users or administrators send information to Microsoft, in some cases Microsoft may provide information in return, such as a way to work around a problem or a link to a Web site for updated drivers, patches, or Microsoft Knowledge Base articles.

Overview: Using Windows Error Reporting in a Managed Environment

In Windows Server 2003 with Service Pack 1 (SP1), error reporting is enabled by default and you can choose to report errors to Microsoft. When an error occurs, a dialog box is displayed allowing you to report the problem. If you choose to report the problem, technical information about the problem is collected and then sent to Microsoft over the Internet. No information is sent unless you confirm that the error report is to be sent to Microsoft. When you are logged on as an administrator, you can choose to report system and application errors. When you are not logged on as an administrator you can choose to report application errors.

On Windows Server 2003 with SP1, you can configure or disable error reporting through Control Panel\System\Advanced. You can configure error reporting to send specified information such as system errors (Stop errors) only, or errors for Windows components, such as Windows Explorer or Microsoft Internet Explorer. You can also send information for applications, such as Microsoft Word.

Since error reporting is a valuable service, we recommend that IT administrators not disable it, but that they control what information is reported and where it is sent. For an organization where privacy is a concern, we recommend that the IT department review and filter error reports before they are sent to Microsoft. Though it is not recommended, you can also completely disable error reporting by using Group Policy.

The best method to use to prevent the automatic flow of error reporting information to and from the Internet is to redirect error reports to a server on your intranet by using Group Policy and to set up Corporate Error Reporting (CER).If you have Software Assurance with your volume license, you can use the Corporate Error Reporting tool to manage error reports that have been redirected to a network server. You use the tool to review the redirected error reports and then filter the reports that are sent to Microsoft based on your policies and the data contained within the error report. The tool is also useful for determining the types of problems users are experiencing most often.

If you have not yet deployed Windows Server 2003 with SP1, you can use unattended installation files to configure error reporting in the same way as in Group Policy. If it is necessary in your organization to completely disable Windows Error Reporting, you can do so with the unattended installation file or with Group Policy. For more information about these methods, see "Controlling Error Reporting to Prevent the Flow of Information to and from the Internet," later in this section.

How Windows Error Reporting Communicates with Sites on the Internet

The data that Microsoft collects is used strictly for the purpose of tracking down and solving problems that users are experiencing. The information is stored on servers at Microsoft with limited access that are located in controlled facilities. This subsection describes various aspects of the data that is sent to and from the Internet during error reporting, and how the exchange of information takes place.

  • Specific information sent or received: For Windows Server 2003 with SP1, Microsoft collects various types of information related to two types of errors, user mode or application errors, and kernel mode or operating system failures. Some information that uniquely identifies the user might unintentionally be collected as part of the crash report. This information, if present, is never used to identify a user. The specific data collected is described later in this subsection. Also, Microsoft may send information about a problem, including links to Web sites.

  • Default and recommended settings: Error reporting for application and system errors is enabled by default on servers running Windows Server 2003 with SP1. For more information about recommended settings, see "Controlling Error Reporting to Prevent the Flow of Information to and from the Internet," later in this section.

  • Triggers: The opportunity to send an error report is triggered by application or system errors.

  • User notification: A dialog box appears notifying users that an error has occurred and asks if they want to send an error report to Microsoft. Users can review the data that will be sent.

  • Logging: Descriptions of system and application errors are recorded in the event log.

  • Encryption: All data that could include personally identifiable information is encrypted (HTTPS) during transmission. The "crash signature," which includes such information as the application name and version, module name and version, and offset (location) is not encrypted.

  • Access: Microsoft employees and contingent staff may access the error reports to maintain the Error Reporting service or improve Microsoft products, and may not use the reports for other purposes.

    If the error report indicates that one or more non-Microsoft products were involved in causing the problem, Microsoft may send the report to the respective companies. Qualified software or hardware developers (employed by Microsoft or one of its partners) will analyze the fault data and try to identify and correct the problem.

  • Privacy: The privacy statement for Microsoft Error Reporting is located at the following Web site:

    https://go.microsoft.com/fwlink/?LinkId=825

    Details related to privacy of data are presented in "Types of Data Collected," later in this section.

  • Transmission protocol and port: The transmission protocol is HTTP and the ports are HTTP 80 and HTTPS 443.

  • Ability to disable: The feature can be disabled through Group Policy or by administrators on individual servers.

Types of Errors Reported

In Windows Server 2003 there are two types of errors that are reported, user mode and kernel mode.

User Mode Reporting

When a user mode error occurs, such as an application error, the Error Reporting service does the following:

  • Displays an alert stating that Windows Server 2003 detected a problem.

    Users can choose to report the problem or not. If they do report it, they will see that the information is being sent to Microsoft.

  • Sends a problem report to Microsoft.

    Users may then be queried for additional computer information (to complete the error report) and again may choose to send it or not.

  • When more information is available, offers it to the user or administrator.

    Users or administrators might be offered the option of selecting More Information, which directs them to updated drivers, patches, or Microsoft Knowledge Base articles.

If the error report indicates that one or more non-Microsoft products were involved in causing the problem, Microsoft may send the report to the respective companies. Qualified software or hardware developers (employed by Microsoft or one of its partners) will analyze the fault data and try to identify and correct the problem.

Kernel Mode Reporting

When a kernel-mode (system) error occurs, Windows Server 2003 displays a Stop message and writes diagnostic information to a memory dump file. When you restart the computer by using normal mode or Safe Mode (with networking) and log on to Windows Server 2003 as an administrator, the Error Reporting service gathers information about the problem and displays a dialog box that gives you the option of sending a report to Microsoft.

Types of Data Collected

The Error Reporting service collects information about the computer configuration, what the software was doing when the problem occurred, and other information directly related to the problem. The Error Reporting service does not intentionally collect anyone’s name, address, e-mail address, computer name, or any other form of personally identifiable information. It is possible that such information may be captured in memory or in the data collected from open files, but Microsoft does not use it to identify users. The Error Reporting service collects Internet Protocol (IP) addresses, but the addresses are not used to identify users, and in many cases are the address of a Network Address Translation (NAT) computer or proxy server, not a specific client behind that NAT computer or proxy server. IP address information is used in aggregate by the operators who maintain the servers that receive error reports. The other use for IP address information is to locate error reports that come from computers inside Microsoft—errors on those computers can be more thoroughly investigated as needed.

In rare cases, such as problems that are especially difficult to solve, Microsoft may request additional data, including sections of memory (which may include memory shared by any or all applications running at the time the problem occurred), some registry settings, and one or more files from the user’s computer. When additional data is requested, the user can review the data and choose to send the information or not.

In Windows Server 2003 with SP1 the specific types of data that are collected when application errors or kernel failures occur are as follows.

Application Errors

If an application error occurs for which Error Reporting is available and you choose to send the report, the information included is as follows:

  • The Digital Product ID, which can be used to identify your license.

  • Information regarding the condition of the computer and the application at the time when the error occurred. This includes data stored in memory and stacks, information about files in the application's directory, as well as the operating system version and the computer hardware in use. This information is packaged into a minidump—a small memory dump. The minidump contains the following:

  • Exception information: This is information regarding the problem that occurred. It tells Microsoft what kind of instruction the application received that caused it to generate an error.

  • System information: This is data about the kind of CPU (processor) you have and what operating system you are running.

  • A list of all the modules that are currently loaded and their version information.

  • A list of all the threads that are currently running. For each thread, the current context and the whole stack are collected.

  • Global data.

The minidump data is shown as a hexadecimal representation that the user cannot read.

Note

For the exact specification of the minidump format, see the Microsoft Platform SDK, which is available on the MSDN Web site.

Windows Kernel Failures

Windows kernel fault reports contain information about what your operating system was doing when the problem occurred. These event reports contain the minimum information that can help to identify why the operating system stopped unexpectedly. If you choose to send the report, it includes:

  • The operating system name (for example, Microsoft Windows Server 2003).

  • The operating system version (for example, 5.1.2600 0.0).

  • The operating system language as represented by the locale identifier (LCID) (for example, 1033 for United States English). This is a standard international numeric abbreviation.

  • The loaded and recently unloaded drivers. These identify the modules used by the kernel when the Stop error occurred, and the modules that were used recently.

  • The list of drivers in the Drivers folder on your hard disk (systemroot\System32\Drivers).

  • The file size, date created, version, manufacturer, and full product name for each driver.

  • The number of available processors.

  • The amount of random access memory (RAM).

  • The time stamp that indicates when the Stop error occurred.

  • The messages and parameters that describe the Stop error.

  • The processor context for the process that stopped. This includes the processor, hardware state, performance counters, multiprocessor packet information, deferred procedure call information, and interrupts (requests from software or devices for processor attention).

  • The process information and kernel context for the halted process. This includes the offset (location) of the directory table and the database that maintains the information about every physical page (block of memory) in the operating system.

  • The process information and kernel context for the thread that stopped. This information identifies registers (data-storage blocks of memory in the processor) and interrupt request levels, and includes pointers to data structures for operating system data.

  • The kernel-mode call stack for the interrupted thread. This is a data structure that consists of a series of memory locations and one or more pointers.

Controlling Error Reporting to Prevent the Flow of Information to and from the Internet

To prevent the automatic flow of information to and from the Internet when users and administrators report errors, you can configure error reporting in two ways: while deploying Windows Server 2003 using answer files with unattended or remote installation, or after deployment using Group Policy. There may be some aspects of error reporting that you want to configure using answer files, and others you may want to configure using Group Policy. Review the tables in this subsection to determine the configuration options that will work best for your organization.

Using Unattended Installation

You can configure error reporting by using standard methods for unattended or remote installation. You use the [PCHealth] section of an answer file to make entries for this feature. The following table describes those entries.

Entries for Configuring Error Reporting in an Answer File (for Unattended Installation)

Entry Description

ER_Display_UI

Specifies whether Setup notifies the user that an error has occurred and shows details about the error. When the entry is ER_Display_UI = 0, Setup does not notify the user that an error has occurred.

ER_Enable_Applications

ER_Include_EXE(n)

and

ER_Exclude_EXE(n)

ER_Enable_Applications = All

Reports errors for all applications except for those listed in ER_Exclude_EXE(n).

ER_Enable_Applications = Listed

Reports errors only for those applications listed in ER_Include_EXE(n). You can automatically include Microsoft applications by using ER_Include_MSApps.

ER_Enable_Applications = None

Reports no application errors.

Examples of entries that list included applications are:

ER_Include_EXE1 = iexplore.exe

ER_Include_EXE2 = explorer.exe

Examples of entries that list excluded applications are:

ER_Exclude_EXE1 = calc.exe

ER_Exclude_EXE2 = notepad.exe

ER_Enable_Kernel Errors

Specifies whether Windows reports errors in the Windows kernel. When the entry is ER_Enable_Kernel Errors = 0, Windows does not report errors in the Windows kernel.

ER_Enable_Reporting

Specifies whether Windows automatically reports errors. When the entry is ER_Enable_Reporting = 0, Windows does not report errors.

ER_Enable_Windows_ Components

Specifies whether to report errors in Windows components. When the entry is ER_Enable_Windows_Components = 0, Windows does not report errors in Windows components. To exclude individual Windows components, use ER_Exclude_EXE(n), as described earlier in this table.

ER_Force_Queue_Mode

Specifies whether to send all reports in queue mode. When the entry is ER_Force_Queue_Mode = 0, Windows does not send reports in queue mode.

ER_Include_MSApps

Specifies whether to track and report errors in Microsoft applications. When the entry is ER_Include_MSApps = 0, errors in Microsoft applications are not tracked and are not reported.

ER_Include_Shutdown_ Errs

Specifies whether to report shutdown errors. When the entry is ER_Include_Shutdown_Errs = 0, shutdown errors are not reported.

For complete details about the entries for error reporting, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment. Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

Using Group Policy

You can use Group Policy to disable Windows Error Reporting, or you can use it to redirect error reports to a server on your intranet, after which you can enable Corporate Error Reporting. By controlling error reporting through Group Policy, you override actions users may take.

This subsection includes a list of the settings in both the Error Reporting policy and the Advanced Error Reporting policy.

Error Reporting Policy Settings

The error reporting policy settings that you configure for Corporate Error Reporting are located at Computer Configuration\Administrative Templates\System\Error Reporting. The following list describes the policy settings.

  • Configure Error Reporting, enabled: Errors are reported to Microsoft through the Internet or to a server on your intranet. Enabling Configure Error Reporting will override any error reporting settings made using Control Panel. Default values will be used for any error reporting settings that are not configured, even if settings were adjusted through Control Panel.

    In Configure Error Reporting, you can select the following:

    • Do not display links to any Microsoft provided "more information" web sites

    • Do not collect additional files

    • Do not collect additional machine data

    • Force queue mode for application errors

    In Configure Error Reporting, you can enter:

    • Corporate upload file path

    • Text with which to replace instances of the word "Microsoft"

  • Configure Error Reporting, disabled: Users will not be given the option to report errors. If Display Error Notification is enabled, users will still get a message indicating that a problem occurred, but they will not have the option to report it.

  • Configure Error Reporting, not configured: A person logged in as an administrator will be able to adjust the setting using Control Panel, which is set to "Enable error reporting" by default on Windows Server 2003 SP1.

  • Display Error Notification, enabled: This setting controls whether a user is given the choice to report an error. When enabled, the user will be notified that an error has occurred and will be given access to details about the error.

  • Display Error Notification, disabled: The user is not given the choice of whether to report the error. If Configure Error Reporting is enabled, the error will be automatically reported, but the user will not be notified that an error has occurred.

  • Display Error Notification, not configured: A person logged in as an administrator will be able to adjust the setting through Control Panel, which is set to enable notification by default.

Advanced Error Reporting Policy Settings

When you enable error reporting, you can choose to specify the types of errors that are reported. In a highly managed environment, administrators might want to do this based on the kinds of information included in the error report (see "Types of data collected," in the previous subsection).

With Advanced Error Reporting settings you can configure the following policy settings:

  • Default application reporting settings

  • List of applications to always report errors for

  • List of applications to never report errors for

  • Report operating system errors

  • Report unplanned shutdown events

These policy settings are located in Computer Configuration\Administrative Templates\System\Error Reporting. When you configure these policy settings, they will override any adjustments to error reporting that administrators might make through Control Panel.

To find more information about editing Group Policy, see Appendix B: Resources for Learning About Group Policy.

How Controlling Error Reporting Can Affect Administrators

What administrators will see on a server when an error occurs depends on how you have configured the Error Reporting policy settings. Depending on which policy settings you have enabled and which options you have configured, you can have administrators input varying amounts of information during error reporting, or none at all. You can choose not to have any user interface when a fault occurs, or, you can have a notification that an error has occurred, but not allow for the opportunity to send a report.

Another factor in how the user interface is affected is how you have configured the following policy settings: List of applications to always report errors for and List of applications to never report errors for. For more information about these policy settings, see "Procedures for Configuring Error Reporting" and "Related Links," later in this section.

The following table presents two examples of what the user will see when an error occurs if you have enabled the Error Reporting policy settings and if you have entered a path to a server. The first option presents the recommended policy settings.

How Sending Error Reports to an Intranet Server Affects the User Interface

Configuration Options User Interface

Configure Error Reporting enabled; Corporate file path entered; Display Error Notification enabled

  • User is notified that an error occurred

  • User might be asked for additional data

  • Reports go to an intranet server

Configure Error Reporting enabled; Corporate file path entered; Display Error Notification not enabled

  • No user interface

  • Reports automatically go to an intranet server

Procedures for Configuring Error Reporting

The following procedures explain how to:

  • Use the Configure Error Reporting policy setting so error reports are sent to a server on your intranet instead of to Microsoft, so you can then use the Corporate Error Reporting tool to filter reports.

  • Locate the Group Policy settings for configuring error reporting.

  • Locate the Group Policy setting for disabling error reporting.

  • Prevent error reporting by using an answer file for unattended installation.

To Enable Corporate Error Reporting

  1. As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, and then click Error Reporting.

  3. In the details pane, double-click Display Error Notification, and then click Enabled.

  4. Click Next Setting, and then under Configure Error Reporting, click Enabled.

  5. In the Corporate upload file path box, enter a UNC (Universal Naming Convention) path (\\servername\sharename).

    Note

    Administrators can then filter the error reports using the CER tool described in the previous subsection, "Controlling Error Reporting to Prevent the Flow of Information to and from the Internet."

Use the following two procedures to locate the Group Policy settings described in "Using Group Policy," earlier in this section.

To Locate Group Policy Settings for Configuring Error Reporting

  1. As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, and then click Error Reporting.

  3. View the Group Policy settings that are available. For more information about these settings, see "Error Reporting Policy Settings," earlier in this section.

  4. Click Advanced Error Reporting settings.

  5. View the advanced settings that are available. For more information about these settings, see the list in "Advanced Error Reporting Policy Settings," earlier in this section.

To Disable Windows Error Reporting by Using Group Policy

  1. See Appendix B: Resources for Learning About Group Policy, for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Windows Error Reporting, and then click Enabled.

    Important

    You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Key.

To Prevent Error Reporting by Using an Answer File for Unattended Installation

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For information about unattended installation, and for complete details about the entries for error reporting, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment. Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

  2. In the [PCHealth] section of the answer file, create entries according to the table in "Using Unattended Installation," earlier in this section. For example, to disable error reporting, the entry is:

    [PCHealth]
    ER_Enable_Reporting = 0