Windows 7 - drwtsn32 and Windows Server 2008

Asked By KM.TOP

14-Apr-08 07:24 AM

drwtsn32.exe is not part of Windows Server 2008.
Does anybody know why?

Is it legal to copy (and install) drwtsn32.exe via an own setup?

Thx, KM.

14-Apr-08 10:39 PM

------=_NextPart_0001_74C8077C
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi KM,

Yes, the drwtsn32.exe is removed in Vista and Windows Server2008 since we
introduced a more reliable unhandled exception solution after Vista. Below
is the backgroup story:

Pre-Vista, when an unhandled exception is thrown, the user-mode exception
dispatcher will unwind the stack and find default unhandled exception
handler in the Kernel32 which calls CreateProcess to launch
drwtsn32.exe.(The real process may be more complicated. For example,
drwtsn32.exe is looked up from the Aedebug key in the registry). These are
all done in user-mode. However, if the user-mode stack is exhausted or
corrupted, the exception stack unwind may fail and we may be unable to call
CreateProcess to launch drwtsn32.exe. This will result the process silent
termination which is a bad experience to the end user.

After Vsita, we introduced more reliable achitecture to address the above
problem. Windows Vista moves error handling(CreateProcess code) out of the
context of the crashing process into to a new service, Windows Error
Reporting (WER). The exception handling and dispatching is purely done in
kernel-mode now. When the unhandled exception occurs, it is the kernel that
notifies the WER service(using LPC maybe) and WER is looking for a JIT
debugger in Aedebug registry key. Please refer to the "Enhanced Crash
Support" section in Mark's article below for details:
http://technet.microsoft.com/en-us/magazine/cc162458.aspx

Since the exception does not rely on the user-mode stack now, the process
termination will always be caught.

Ok, enough backgroud story now. Can you tell me why you need drwtsn32 in
Windows Server2008? Do you want to get crash dump for faulty application in
Windows Server2008? Actually, Windows Error Report tool of Vista SP1 and
Windows Server2008 also have the feature of crash dump collecting, see the
link below for details:
http://msdn2.microsoft.com/en-us/library/bb787181(VS.85).aspx

The other options for Vista and Windows Server2008 are Adplus.vbs and
DebugDiag etc..:
http://support.microsoft.com/default.aspx/kb/931673
http://blogs.technet.com/askperf/archive/2007/06/15/capturing-application-cr
ash-dumps.aspx

Finally, if you really want to use drwtsn32, you may manually set it up.
Please use this approach at your own risk since Microsoft officially does
not support this approach:
http://www.dumpanalysis.org/blog/index.php/2007/05/19/resurrecting-dr-watson
-on-vista/

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


------=_NextPart_0001_74C8077C
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi KM,
\par
\par Yes, the drwtsn32.exe is removed in Vista and Windows Server2008 since we introduced a more reliable unhandled exception solution after Vista. Below is the backgroup story:
\par
\par Pre-Vista, when an unhandled exception is thrown, the user-mode exception dispatcher will unwind the stack and find default unhandled exception handler in the Kernel32 which calls CreateProcess to launch drwtsn32.exe.(The real process may be more complicated. For example, drwtsn32.exe is looked up from the Aedebug key in the registry). These are all done in user-mode. However, if the user-mode stack is exhausted or corrupted, the exception stack unwind may fail and we may be unable to call CreateProcess to launch drwtsn32.exe. This will result the process silent termination which is a bad experience to the end user.
\par
\par After Vsita, we introduced more reliable achitecture to address the above problem. Windows Vista moves error handling(CreateProcess code) out of the context of the crashing process into to a new service, Windows Error Reporting (WER). The exception handling and dispatching is purely done in kernel-mode now. When the unhandled exception occurs, it is the kernel that notifies the WER service(using LPC maybe) and WER is looking for a JIT debugger in Aedebug registry key. Please refer to the "Enhanced Crash Support" section in Mark's article below for details:
\par "Inside the Windows Vista Kernel: Part 3"
\par http://technet.microsoft.com/en-us/magazine/cc162458.aspx
\par
\par Since the exception does not rely on the user-mode stack now, the process termination will always be caught.
\par
\par Ok, enough backgroud story now. Can you tell me why you need drwtsn32 in Windows Server2008? Do you want to get crash dump for faulty application in Windows Server2008? Actually, Windows Error Report tool of Vista SP1 and Windows Server2008 also have the feature of crash dump collecting, see the link below for details:
\par "Collecting User-Mode Dumps"
\par http://msdn2.microsoft.com/en-us/library/bb787181(VS.85).aspx
\par
\par The other options for Vista and Windows Server2008 are Adplus.vbs and DebugDiag etc..:
\par "How to create a user-mode process dump file in Windows Vista"
\par http://support.microsoft.com/default.aspx/kb/931673
\par "Capturing Application Crash Dumps"
\par http://blogs.technet.com/askperf/archive/2007/06/15/capturing-application-crash-dumps.aspx
\par
\par Finally, if you really want to use drwtsn32, you may manually set it up. Please use this approach at your own risk since Microsoft officially does not support this approach:
\par "Resurrecting Dr. Watson on Vista"
\par http://www.dumpanalysis.org/blog/index.php/2007/05/19/resurrecting-dr-watson-on-vista/
\par
\par Hope this helps.
\par
\par Best regards,
\par Jeffrey Tan
\par Microsoft Online Community Support
\par
\par Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com.
\par
\par ==================================================
\par Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
\par
\par Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support
\par Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support
\par professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations
\par that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx.
\par ==================================================
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par
\par
\par }
------=_NextPart_0001_74C8077C--

22-Apr-08 12:47 AM

Hi Jeffrey,

Your description was very helpful.
We will check the WER and crash dump functionality in more detail.

We use a server application which is started by a service.
It starts applications, which may crash.
dr. watson was our favourite, as a crash can occur without popup.
The log and crash dump was then analyzed by us.

kind regards, KM.

22-Apr-08 01:49 AM

------=_NextPart_0001_99830EE7
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi KM,

Thanks for your confirmation.

Actually, if this problem only happens to one machine which you can install
software, the best option should be the adplus.vbs which is a wrapper over
the cdb debugger(using the same core as windbg).

adplus has the most detailed granularity control over the crash dump
generation without poping up the dialog. For example, you can specify what
excpetion you want to take crash dump; you want to take dump for first
chance for second chance exception. The KB below provides more details:
http://support.microsoft.com/kb/q286350/

If you need any further help, please feel free to feedback. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
------=_NextPart_0001_99830EE7
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi KM,
\par
\par Thanks for your confirmation.
\par
\par Actually, if this problem only happens to one machine which you can install software, the best option should be the adplus.vbs which is a wrapper over the cdb debugger(using the same core as windbg).
\par
\par adplus has the most detailed granularity control over the crash dump generation without poping up the dialog. For example, you can specify what excpetion you want to take crash dump; you want to take dump for first chance for second chance exception. The KB below provides more details:
\par "How to use ADPlus to troubleshoot "hangs" and "crashes""
\par http://support.microsoft.com/kb/q286350/
\par
\par If you need any further help, please feel free to feedback. Thanks.
\par
\par Best regards,
\par Jeffrey Tan
\par Microsoft Online Community Support
\par =========================================
\par Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com.
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par }
------=_NextPart_0001_99830EE7--

24-Apr-08 04:59 AM

Hi Jeffrey,

Thank you for your explanation.

Our software runs on many computers.
Processes are started and stopped on demand.

I read the documentation.
adplus is not an option for us because:
1) It must be extra downloaded
2) it is not started automatically after a reboot (without login)
3) the processes must already run if I start adplus

Windows Error Reporting fits our needs.
But there arise some questions:
- can Windows Error Handling be defined via a system-wide policy?
- are the following registry values still functional in Windows 2008:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\
AutoReboot
CrashDumpEnabled
LogEvent
Overwrite
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode

kind regards, KM.

24-Apr-08 10:34 PM

------=_NextPart_0001_7C7BFD91
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi KM,

Thanks for your feedback.

Yes, you are right. Since adplus is a wrapper over the cdb debugger, it has
the nature/limitation of debuggers. It is best suitable for single
development machine. In your scenario, WER should be the best solution for
you.

Regarding the further questions, I have confirmed them with the WER team:
1. I assume by "Windows Error Handling" you mean Windows Error Reporting,
then yes it can be configured per machine. Using Group Policy you can set
the WER policy for the local machine or even multiple domain joined
computers (for a list of available settings, see administrative
templates/windows components/Windows Error Reporting in group policy
editor). All these settings are also documented here
http://msdn2.microsoft.com/en-us/library/bb513638.aspx
2. As far as we know, those settings are still functional. However they are
for configuring blue-screen behavior and default application error mode
respectively.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
------=_NextPart_0001_7C7BFD91
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi KM,
\par
\par Thanks for your feedback.
\par
\par Yes, you are right. Since adplus is a wrapper over the cdb debugger, it has the nature/limitation of debuggers. It is best suitable for single development machine. In your scenario, WER should be the best solution for you.
\par
\par Regarding the further questions, I have confirmed them with the WER team:
\par 1. I assume by "Windows Error Handling" you mean Windows Error Reporting, then yes it can be configured per machine. Using Group Policy you can set the WER policy for the local machine or even multiple domain joined computers (for a list of available settings, see administrative templates/windows components/Windows Error Reporting in group policy editor). All these settings are also documented here http://msdn2.microsoft.com/en-us/library/bb513638.aspx
\par 2. As far as we know, those settings are still functional. However they are for configuring blue-screen behavior and default application error mode respectively.
\par
\par Hope this helps.
\par
\par Best regards,
\par Jeffrey Tan
\par Microsoft Online Community Support
\par =========================================
\par Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com.
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par }
------=_NextPart_0001_7C7BFD91--

28-Apr-08 11:26 PM

------=_NextPart_0001_91441AE8
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi KM,

Have you reviewed my last reply to you? Does it make sense to you? If you
still need any help or have any concern, please feel free to tell me,
thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
------=_NextPart_0001_91441AE8
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi KM,
\par
\par Have you reviewed my last reply to you? Does it make sense to you? If you still need any help or have any concern, please feel free to tell me, thanks.
\par
\par Best regards,
\par Jeffrey Tan
\par Microsoft Online Community Support
\par =========================================
\par Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com.
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par }
------=_NextPart_0001_91441AE8--

29-Apr-08 08:18 AM

Hi Jeffrey,

Thank you for your clear and very detailed answers.
It was very useful and saved us time.

We have currently no further questions.

lg, KM.

29-Apr-08 09:57 PM

------=_NextPart_0001_9619E54C
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Hi KM,

Glad to see my reply can help you.

Ok, if you need further help, please feel free to post, I am glad to be any
help. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
------=_NextPart_0001_9619E54C
Content-Type: text/x-rtf
Content-Transfer-Encoding: 7bit

{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi KM,
\par
\par Glad to see my reply can help you.
\par
\par Ok, if you need further help, please feel free to post, I am glad to be any help. Thanks.
\par
\par Best regards,
\par Jeffrey Tan
\par Microsoft Online Community Support
\par =========================================
\par Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg@microsoft.com.
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par }
------=_NextPart_0001_9619E54C--

01-May-08 02:56 PM

Jeffrey, were you indicating earlier in this thread that "DebugDiag" works on
Server 2008? I have not found confirmation of this yet. We use DebugDiag on
our Server 2003 instances and I am trying to determine if we need to look for
a new tool for doing hang and memory leak analysis, or if it can still be
used.

Thanks!