Windows Operating System
Windows Error Reporting
Fault bucket %1, type %2%nEvent Name: %3%nResponse: %4%nCab Id: %5%n%nProblem signature:%nP1: %6%nP2: %7%nP3: %8%nP4: %9%nP5: %10%nP6: %11%nP7: %12%nP8: %13%nP9: %14%nP10: %15%n%nAttached files:%16%n%nThese
files may be available here:%n%17%n%nAnalysis symbol: %18%nRechecking for solution: %19%nReport Id: %20%nReport Status: %21
The 1001 event is logged by the Windows Error Reporting infrastructure
reports (for example, application crashes, hangs, and generic reports).
The event contains a summary of the report's signatures, Windows Error Reporting
bucket information, and other fields that describe the state of the report. This event
is logged in the Application event log.
Event 1001 is logged at any time the report transitions state (that is, goes to
the queue and comes out of the queue). Thus, it is possible to see multiple
1001 events for the same report.
The following table explains the event message contents.
Field Value Type
The Windows Error Reporting bucket number (32-bit integer) or an OCA bucket string.
If there was an error submitting the event, the Windows Error Reportingservers will return a phony bucket value from the following list:
Bucket=3: S2_SelectBucket returned blank/null iBucket (all tables)
Bucket=4: S2_SelectBucket has nonzero return code (all tables)
Bucket=5: S2_SelectBucket err'ed twice (all tables)
Bucket=6: Can't open SQL; connection failure (all tables)
Bucket=7: BucketGeneric, unregistered EventType (generic only)Bucket=8: BucketGeneric, no parms (P1 is missing) (generic only)
Bucket=9: fNoSQL=1 (all tables)
Bucket=10: Generic bucket NetworkDiagnosticsFramework/aspnet (generic only)
The bucket table (that is, the Fault bucket type) for phony error bucket numbers is 5.
Integer, as a decimal string
The Windows Error Reporting bucket table that houses the bucket. The bucket table mappings are:
2: Setup buckets
3: Crash64 buckets
4: Generic reports
Report's event name. This is not localized.
Response string from the Windows Error Reporting server, or the string "Not available" if no response was received. The "Not available" string is localized.
32-bit integer, as a decimal string
Windows Error Reporting back-end iCab field number. This is 0 if the server did not ask for a cabinet (.cab) file or did not return a .cab file number, or if the .cab file was not uploaded
because of data-throttling.
6 to 15
Report signature strings (that is, bucketing parameters). The message can report up to ten strings. The content of these strings depends on the report.
String, full file paths
Field 16: List of full paths to all files that are attached to the report.
Field 17: Path to the directory (somewhere in WER's report store) potentially housing these files.
OCA BUCKET response string. It only exists for blue-screen and live kernel reports (they go to OCA, not to Windows Error Reporting). This should be the same as Field 1 (fault bucket) for kernel
Rechecking for solution
Integer, as a string
If the report is being resubmitted from the archive (it was submitted before and the user is resubmitting it to check for a response or solution), then this value is 1. Otherwise, it is 0.
String, GUID or timestamp
The unique ID of the report. For application crashes, you can use this value to correlate the 1001 event with the 1000 event or the 1002 event.
For kernel reports, this is a minidump-style time stamp.
Otherwise, this is usually a GUID.
32-bit integer bitmap, as a decimal string
New in Windows 7.
The bitmap is broken down in the following section.
The report status bitmap is Field 21 in the 1001 event, and it is written
as a decimal string. It flags significant events and states relevant to
Windows Error Reporting reports.
The following table breaks down all possible flags.
The report was cancelled by
No network connectivity was detected
according to the SENS API IsNetworkAlive
(NETWORK_ALIVE_LAN | NETWORK_ALIVE_WAN).
The report was queued for whatever reason,
for example, for policy settings, lack of network
connectivity, report submission flags.
This flag is not set if the report was in the queue
and then it was reported out of the queue (such as service process crashes).
Set whenever the server requests data to be collected.
Set whenever the computer is in the rights account certificate (RAC) sample for data collection. This is True if the current computer time is before the time that is recorded in HKLM\SOFTWARE\Microsoft\Reliability\Analysis\RAC\RacWerSampleTime.
Set whenever the stage 1 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200 or 404. For example, if the server returned 500, stage 1 is considered a failure.
Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name,
could not connect, or the request timed out).
Any other failure in the Windows HTTP (WinHTTP) network stack.
Set whenever the stage 2 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200.
Set whenever the stage 3 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200 or 201 (object created).
Set whenever the stage 4 exchange with Windows Error Reporting fails:
Set whenever the stage 5 exchange with Windows Error Reporting fails:
HTTP status codes are not looked at for failure.
Set whenever cabbing fails. A .cab file is created by using the FCI Cabinet APIs.
If the AppRecorder false discovery rate (FDR) plug-ins are active and deem that no .cab file should be generated (by setting an internal WER_INTERNAL_NO_CAB report flag), then no .cab file
will be generated, although this bit will not be set.
Set whenever an initial consent dialog is shown and cancelled.
For kernel-mode reports, setting the DontSendAdditionalData registry setting will automatically decline the initial consent dialog, and set this flag.
A non-interactive report that is submitted with a consent status WerConsentDenied, will also automatically decline the initial consent, and set this flag.
Windows Error Reporting:
Online Crash Analysis: http://oca.microsoft.com/en/dcp20.asp