다음을 통해 공유


Event ID 1001: Windows Error Reporting

Applies To

Windows Server 2008, Windows Server 2008 R2, Windows 7

Details

Product:

Windows Operating System

Event ID:

1001

Source:

Windows Error Reporting

Version:

6.1

Symbolic Name:

WER_EL_BUCKET_LOG

Message:

Fault bucket %1, type %2%nEvent Name: %3%nResponse: %4%nCab Id: %5%n%nProblem signature:%nP1: %6%nP2: %7%nP3: %8%nP4: %9%nP5: %10%nP6: %11%nP7: %12%nP8: %13%nP9: %14%nP10: %15%n%nAttached files:%16%n%nThese files may be available here:%n%17%n%nAnalysis symbol: %18%nRechecking for solution: %19%nReport Id: %20%nReport Status: %21

The 1001 event is logged by the Windows Error Reporting infrastructure for all

reports (for example, application crashes, hangs, and generic reports).

The event contains a summary of the report's signatures, Windows Error Reporting

bucket information, and other fields that describe the state of the report. This event

is logged in the Application event log.

Event 1001 is logged at any time the report transitions state (that is, goes to

the queue and comes out of the queue). Thus, it is possible to see multiple

1001 events for the same report.

The following table explains the event message contents.

Field Position

Field Name

Field Value Type

Notes

1

Fault bucket

String

The Windows Error Reporting bucket number (32-bit integer) or an OCA bucket string.

If there was an error submitting the event, the Windows Error Reportingservers will return a phony bucket value from the following list:

 

Bucket=3: S2_SelectBucket returned blank/null iBucket (all tables)

 

Bucket=4: S2_SelectBucket has nonzero return code (all tables)

 

Bucket=5: S2_SelectBucket err'ed twice (all tables)

 

Bucket=6: Can't open SQL; connection failure (all tables)

 

Bucket=7: BucketGeneric, unregistered EventType (generic only)Bucket=8: BucketGeneric, no parms (P1 is missing) (generic only)

 

Bucket=9: fNoSQL=1 (all tables)

 

Bucket=10: Generic bucket NetworkDiagnosticsFramework/aspnet (generic only)

 

The bucket table (that is, the Fault bucket type) for phony error bucket numbers is 5.

2

type

Integer, as a decimal string

The Windows Error Reporting bucket table that houses the bucket. The bucket table mappings are:

1:Crash32 buckets

2: Setup buckets

3: Crash64 buckets

4: Generic reports

3

Event Name

String

Report's event name. This is not localized.

4

Response

String

Response string from the Windows Error Reporting server, or the string "Not available" if no response was received. The "Not available" string is localized.

5

Cab Id

32-bit integer, as a decimal string

Windows Error Reporting back-end iCab field number. This is 0 if the server did not ask for a cabinet (.cab) file or did not return a .cab file number, or if the .cab file was not uploaded because of data-throttling.

6 to 15

Problem signature

Ten strings

Report signature strings (that is, bucketing parameters). The message can report up to ten strings. The content of these strings depends on the report.

16, 17

Attached files

String, full file paths

Field 16: List of full paths to all files that are attached to the report.

Field 17: Path to the directory (somewhere in WER's report store) potentially housing these files.

18

Analysis symbol

String

OCA BUCKET response string. It only exists for blue-screen and live kernel reports (they go to OCA, not to Windows Error Reporting). This should be the same as Field 1 (fault bucket) for kernel reports.

19

Rechecking for solution

Integer, as a string

If the report is being resubmitted from the archive (it was submitted before and the user is resubmitting it to check for a response or solution), then this value is 1. Otherwise, it is 0.

20

Report Id

String, GUID or timestamp

The unique ID of the report. For application crashes, you can use this value to correlate the 1001 event with the 1000 event or the 1002 event.

For kernel reports, this is a minidump-style time stamp.

Otherwise, this is usually a GUID.

21

Report Status

32-bit integer bitmap, as a decimal string

New in Windows 7.

The bitmap is broken down in  the following section.

 

Report status bitmap

The report status bitmap is Field 21 in the 1001 event, and it is written

as a decimal string. It flags significant events and states relevant to troubleshooting

Windows Error Reporting reports.

The following table breaks down all possible flags.

Flag Name

Bit Position

Hexadecimal Mask

Decimal Mask

Notes

REPORT_CANCELLED

0

0x01

1

The report was cancelled by
the user.

REPORT_NO_NETWORK

1

0x02

2

No network connectivity was detected

according to the SENS API IsNetworkAlive

(NETWORK_ALIVE_LAN | NETWORK_ALIVE_WAN).

REPORT_QUEUED

2

0x04

4

The report was queued for whatever reason,

for example, for policy settings, lack of network

connectivity, report submission flags.

This flag is not set if the report was in the queue
and then it was reported out of the queue (such as service process crashes).

REPORT_SERVER_REQUEST

3

0x08

8

Set whenever the server requests data to be collected.

REPORT_IN_RAC_SAMPLE

4

0x10

16

Set whenever the computer is in the rights account certificate (RAC) sample for data collection. This is True if the current computer time is before the time that is recorded in HKLM\SOFTWARE\Microsoft\Reliability\Analysis\RAC\RacWerSampleTime.

REPORT_STAGE1_FAILED

5

0x20

32

Set whenever the stage 1 exchange with Windows Error Reporting fails:

 

The HTTP exchange succeeded, but the server returned a response other than 200 or 404. For example, if the server returned 500, stage 1 is considered a failure.

Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out).

Any other failure in the Windows HTTP (WinHTTP) network stack.

REPORT_STAGE2_FAILED

6

0x40

64

Set whenever the stage 2 exchange with Windows Error Reporting fails:

 

The HTTP exchange succeeded, but the server returned a response other than 200.

Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out).

 

 

Any other failure in the Windows HTTP (WinHTTP) network stack.

 

REPORT_STAGE3_FAILED

7

0x80

128

Set whenever the stage 3 exchange with Windows Error Reporting fails:

 

The HTTP exchange succeeded, but the server returned a response other than 200 or 201 (object created).

Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out).

Any other failure in the Windows HTTP (WinHTTP) network stack.

 

 

REPORT_STAGE4_FAILED

8

0x100

256

Set whenever the stage 4 exchange with Windows Error Reporting fails:

 

The HTTP exchange succeeded, but the server returned a response other than 200.

Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out).

Any other failure in the Windows HTTP (WinHTTP) network stack.

 

 

 

REPORT_STAGE5_FAILED

9

0x200

512

Set whenever the stage 5 exchange with Windows Error Reporting fails:

 

HTTP status codes are not looked at for failure.

Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out).

Any other failure in the Windows HTTP (WinHTTP) network stack.

 

 

REPORT_CABBING_FAILED

10

0x400

1024

Set whenever cabbing fails. A .cab file is created by using the FCI Cabinet APIs.

If the AppRecorder false discovery rate (FDR) plug-ins are active and deem that no .cab file should be generated (by setting an internal WER_INTERNAL_NO_CAB report flag), then no .cab file will be generated, although this bit will not be set.

INITIAL_CONSENT_DECLINED

11

0x800

2048

Set whenever an initial consent dialog is shown and cancelled.

For kernel-mode reports, setting the DontSendAdditionalData registry setting will automatically decline the initial consent dialog, and set this flag.

A non-interactive report that is submitted with a consent status WerConsentDenied, will also automatically decline the initial consent, and set this flag.

Additional Resources