Event ID 1001: Windows Error Reporting
Applies To
Windows Server 2008, Windows Server 2008 R2, Windows 7
Details
Product: |
Windows Operating System |
Event ID: |
1001 |
Source: |
Windows Error Reporting |
Version: |
6.1 |
Symbolic Name: |
WER_EL_BUCKET_LOG |
Message: |
Fault bucket %1, type %2%nEvent Name: %3%nResponse: %4%nCab Id: %5%n%nProblem signature:%nP1: %6%nP2: %7%nP3: %8%nP4: %9%nP5: %10%nP6: %11%nP7: %12%nP8: %13%nP9: %14%nP10: %15%n%nAttached files:%16%n%nThese files may be available here:%n%17%n%nAnalysis symbol: %18%nRechecking for solution: %19%nReport Id: %20%nReport Status: %21 |
The 1001 event is logged by the Windows Error Reporting infrastructure for all
reports (for example, application crashes, hangs, and generic reports).
The event contains a summary of the report's signatures, Windows Error Reporting
bucket information, and other fields that describe the state of the report. This event
is logged in the Application event log.
Event 1001 is logged at any time the report transitions state (that is, goes to
the queue and comes out of the queue). Thus, it is possible to see multiple
1001 events for the same report.
The following table explains the event message contents.
Field Position |
Field Name |
Field Value Type |
Notes |
1 |
Fault bucket |
String |
The Windows Error Reporting bucket number (32-bit integer) or an OCA bucket string. If there was an error submitting the event, the Windows Error Reportingservers will return a phony bucket value from the following list:
Bucket=3: S2_SelectBucket returned blank/null iBucket (all tables)
Bucket=4: S2_SelectBucket has nonzero return code (all tables)
Bucket=5: S2_SelectBucket err'ed twice (all tables)
Bucket=6: Can't open SQL; connection failure (all tables)
Bucket=7: BucketGeneric, unregistered EventType (generic only)Bucket=8: BucketGeneric, no parms (P1 is missing) (generic only)
Bucket=9: fNoSQL=1 (all tables)
Bucket=10: Generic bucket NetworkDiagnosticsFramework/aspnet (generic only)
The bucket table (that is, the Fault bucket type) for phony error bucket numbers is 5. |
2 |
type |
Integer, as a decimal string |
The Windows Error Reporting bucket table that houses the bucket. The bucket table mappings are: 1:Crash32 buckets 2: Setup buckets 3: Crash64 buckets 4: Generic reports |
3 |
Event Name |
String |
Report's event name. This is not localized. |
4 |
Response |
String |
Response string from the Windows Error Reporting server, or the string "Not available" if no response was received. The "Not available" string is localized. |
5 |
Cab Id |
32-bit integer, as a decimal string |
Windows Error Reporting back-end iCab field number. This is 0 if the server did not ask for a cabinet (.cab) file or did not return a .cab file number, or if the .cab file was not uploaded because of data-throttling. |
6 to 15 |
Problem signature |
Ten strings |
Report signature strings (that is, bucketing parameters). The message can report up to ten strings. The content of these strings depends on the report. |
16, 17 |
Attached files |
String, full file paths |
Field 16: List of full paths to all files that are attached to the report. Field 17: Path to the directory (somewhere in WER's report store) potentially housing these files. |
18 |
Analysis symbol |
String |
OCA BUCKET response string. It only exists for blue-screen and live kernel reports (they go to OCA, not to Windows Error Reporting). This should be the same as Field 1 (fault bucket) for kernel reports. |
19 |
Rechecking for solution |
Integer, as a string |
If the report is being resubmitted from the archive (it was submitted before and the user is resubmitting it to check for a response or solution), then this value is 1. Otherwise, it is 0. |
20 |
Report Id |
String, GUID or timestamp |
The unique ID of the report. For application crashes, you can use this value to correlate the 1001 event with the 1000 event or the 1002 event. For kernel reports, this is a minidump-style time stamp. Otherwise, this is usually a GUID. |
21 |
Report Status |
32-bit integer bitmap, as a decimal string |
New in Windows 7. The bitmap is broken down in the following section. |
Report status bitmap
The report status bitmap is Field 21 in the 1001 event, and it is written
as a decimal string. It flags significant events and states relevant to troubleshooting
Windows Error Reporting reports.
The following table breaks down all possible flags.
Flag Name |
Bit Position |
Hexadecimal Mask |
Decimal Mask |
Notes |
REPORT_CANCELLED |
0 |
0x01 |
1 |
The report was cancelled by |
REPORT_NO_NETWORK |
1 |
0x02 |
2 |
No network connectivity was detected |
REPORT_QUEUED |
2 |
0x04 |
4 |
The report was queued for whatever reason, This flag is not set if the report was in the queue |
REPORT_SERVER_REQUEST |
3 |
0x08 |
8 |
Set whenever the server requests data to be collected. |
REPORT_IN_RAC_SAMPLE |
4 |
0x10 |
16 |
Set whenever the computer is in the rights account certificate (RAC) sample for data collection. This is True if the current computer time is before the time that is recorded in HKLM\SOFTWARE\Microsoft\Reliability\Analysis\RAC\RacWerSampleTime. |
REPORT_STAGE1_FAILED |
5 |
0x20 |
32 |
Set whenever the stage 1 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200 or 404. For example, if the server returned 500, stage 1 is considered a failure. Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out). Any other failure in the Windows HTTP (WinHTTP) network stack. |
REPORT_STAGE2_FAILED |
6 |
0x40 |
64 |
Set whenever the stage 2 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200. Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out).
Any other failure in the Windows HTTP (WinHTTP) network stack.
|
REPORT_STAGE3_FAILED |
7 |
0x80 |
128 |
Set whenever the stage 3 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200 or 201 (object created). Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out). Any other failure in the Windows HTTP (WinHTTP) network stack.
|
REPORT_STAGE4_FAILED |
8 |
0x100 |
256 |
Set whenever the stage 4 exchange with Windows Error Reporting fails:
The HTTP exchange succeeded, but the server returned a response other than 200. Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out). Any other failure in the Windows HTTP (WinHTTP) network stack.
|
REPORT_STAGE5_FAILED |
9 |
0x200 |
512 |
Set whenever the stage 5 exchange with Windows Error Reporting fails:
HTTP status codes are not looked at for failure. Network connectivity was detected according to System Event Notification Services (SENS), but the actual exchange failed for whatever reason (for example, it could not resolve the DNS name, could not connect, or the request timed out). Any other failure in the Windows HTTP (WinHTTP) network stack.
|
REPORT_CABBING_FAILED |
10 |
0x400 |
1024 |
Set whenever cabbing fails. A .cab file is created by using the FCI Cabinet APIs. If the AppRecorder false discovery rate (FDR) plug-ins are active and deem that no .cab file should be generated (by setting an internal WER_INTERNAL_NO_CAB report flag), then no .cab file will be generated, although this bit will not be set. |
INITIAL_CONSENT_DECLINED |
11 |
0x800 |
2048 |
Set whenever an initial consent dialog is shown and cancelled. For kernel-mode reports, setting the DontSendAdditionalData registry setting will automatically decline the initial consent dialog, and set this flag. A non-interactive report that is submitted with a consent status WerConsentDenied, will also automatically decline the initial consent, and set this flag. |
Additional Resources
Windows Error Reporting: http://technet.microsoft.com/en-us/library/cc754364.aspx
Microsoft Online Crash Analysis: http://oca.microsoft.com/en/dcp20.asp