How to activate and configure Windows Error Reporting (WER) step by step

Last update: 12/12/2025
Author Isaac
  • Windows Error Reporting allows you to collect and send error reports and dumps to Microsoft or store them locally for analysis.
  • WER configuration is primarily controlled through group policies, telemetry settings, and specific registry keys.
  • It is possible to limit the type of data and dumps sent, as well as manage the space occupied by HDMP and MDMP files.
  • Tools like PowerShell, ProcDump, WinDbg, and TSS facilitate activation, diagnostics, and advanced debugging of errors in Windows.

If you manage Windows computers on a daily basis, sooner or later you'll have to deal with Windows Error Reporting (WER). Sometimes it's an indispensable ally for diagnosing crashes and strange errors, and other times it becomes a disk space hog or a continuous source of events when the server has no internet connection.

In this guide you will see how to activate, deactivate, and fine-tune WER in different versions of Windows, how to control memory dumps (HDMP/MDMP), which network addresses it uses, how to validate it via the Registry, and even how to manage it with PowerShell and batch scripts, all with practical examples and no loose ends.

What is Windows Error Reporting (WER) and what is it used for?

WER is a platform for collecting and submitting errors that is integrated into Windows. It activates when an application crashes, the browser stops responding, a service fails, or serious system errors occur (such as kernel crashes). Sometimes these failures are related to errors with untested applications that require specific steps for their diagnosis.

When that happens, the system can generate reports and memory dumps. These reports contain information about the process, loaded modules, memory usage, and other technical data. This information can be sent to Microsoft to try to find known solutions or for the product team to improve the affected system and applications.

In addition to online reports, WER can be configured to save user-mode memory dumps locally. This is very useful when you have to analyze crashes of critical applications, servers without internet access, or environments where data privacy is key.

In many organizations, a decision is made about whether to enable WER, restrict it, or disable it completely, depending on security policy, internet access, or the volume of errors generated on servers.

Enable Windows Error Reporting (WER) using group policies

In domain environments, the most convenient approach is to control WER via GPO to ensure consistent configuration across all computers. From the Group Policy Management Editor (gpmc.msc) you can enable or disable WER and adjust what is sent.

First, you need to make sure there are no policies blocking it. To do this, navigate to the appropriate path in the computer configuration and review the policies related to the deactivation of error reporting.

In the policy tree, go to Computer Configuration > Administrative Templates > System > Internet Communications Management > Internet Communications Configuration. Within this section you will find the policy regarding disabling Windows error reporting.

Open the policy called Disable Windows Error Reporting and select the “Disabled” option. By doing so, you indicate that you don't want WER to be blocked at the communications level. Confirm the changes with “Apply” and “Accept”.

Next, in the same Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting. There you will find the policy Disable Windows Error Reporting, which directly controls whether the service is operational.

Open that policy and again select the "Disabled" option so that WER remains formally enabled on the system. Again, confirm with “Apply” and “Accept” so that the configuration is replicated to the computers in the OU to which the GPO has been linked.

Configure the diagnostic data level in Windows

WER's behavior is closely linked to the Windows diagnostic and telemetry data configuration. Depending on the configured level, you can send anything from minimal data to additional information including more detailed dumps and logs.

To adjust this behavior, you again use group policies, this time the Data Collection and Preview Builds branch, with slight differences between Windows 11 and Windows 10.

Configure diagnostic data in Windows 11

On computers running Windows 11, open the Group Policy Editor and go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. Here you will find several options to control what type of information is collected and sent.

Locate the policy Allow diagnostic data and open it. Check the “Enabled” option and, in the Options dropdown menu, select Send optional diagnostic data. This level allows WER and other components to collect more technical details, which is very useful in advanced support and troubleshooting environments.

Confirm with “Apply” and “Accept,” and then look for the policy Configure the user interface settings for diagnostic data. This policy determines what the end user sees in the privacy interface.

Set this policy to “Enabled” and choose the option Disable diagnostic data sharing settings from the dropdown menu. That way, users will not be able to modify on their own the diagnostic level you have defined at the corporate level. Apply and accept the changes again to finalize the policy.

Configure diagnostic data in Windows 10

In Windows 10, the settings path is similar. You need to go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. Within that section is a fundamental policy called Allow telemetry.

Open the “Allow telemetry” policy and set its status to “Enabled”. The Options box offers a list of levels that varies slightly depending on the version of Windows 10 installed.

For systems with Windows 10 version 1903 or later, the value corresponding to the most detailed level is “Optional”. However, for Windows 10 version 1809 or earlier, the highest level is called "Complete". Choose the appropriate option based on the system build you are managing.

Save the changes by clicking "Apply" and "OK". From here, and especially for versions 1803 and higher, you will be able to refine further what the user sees in the telemetry interface.

Next, look for the policy Configure the telemetry user interface settings. Enable it and select the option Disable telemetry participation settings in the Options dropdown menu. That way you block the user from changing the telemetry level from the Windows graphical settings. Again, apply and accept to close the policy window.

Network connection points used by WER and diagnostic data

When WER and diagnostic components are active, Windows can connect to a series of Microsoft endpoints to send reports and data dumps. On restricted networks, perimeter firewalls, or servers without internet access, knowing these addresses is essential.

WER traffic usually goes over TCP port 443, using HTTPS with SSL/TLS encryption and certificate pinning to ensure you're actually connecting to Microsoft servers. If this traffic is blocked, you'll see recurring connection attempts and even related events in the Event Viewer.

The most common endpoints that WER can access are:

  • watson.microsoft.com for virtually all versions of Windows.
  • watson.telemetry.microsoft.com starting with Windows 10 version 1803.
  • Different Azure Blob Storage hosts such as umwatsonc.events.data.microsoft.com or addresses of the type ceuswatcab01.blob.core.windows.net, eaus2watcab01.blob.core.windows.net, or weus2watcab02.blob.core.windows.net, used in more modern versions such as Windows 10 1809 and later.

If you need to allow only certain domains in the firewall for WER to function correctly, you must include this list of hostnames. In isolated scenarios (for example, servers without internet access), it is common practice to disable or strictly limit sending to prevent the system from repeatedly connecting to these endpoints.

Limit the type of additional data that is sent to Microsoft

Even if WER is enabled and diagnostic data is allowed in optional mode, you may want to control what type of memory dumps are shared with Microsoft for reasons of confidentiality or regulatory compliance.

The policies described in the previous sections may cause WER to send only kernel minidumps and lightweight user-mode dumps. However, if you have opted for the optional data level, you can further adjust these limits using additional policies.

In Windows 11 and Windows 10 from version 1909 onwards, go back to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. In that section you will find specific policies to limit the types of dumps.

Open the policy Limit memory dump collection and set it to "Enabled". This way, only dumps permitted by policy will be collected, avoiding excessively large captures or those with too much sensitive information. Apply and accept the settings.

Next, look for the policy Limit collection of diagnostic records. Enable it to also restrict the volume and type of logs included in the associated telemetry. After selecting “Enabled”, click “Apply” and “OK” to permanently save the changes.

Verify the correct configuration using the Registry

Once you have deployed the GPOs that control WER and diagnostic data, it is recommended to validate on a test machine that the registry keys have been applied just as you expect. To do this, you can use regedit.exe on a computer affected by the policy.

First, check the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection. This should reflect the values you have defined for telemetry and collection restrictions.

The following typical values usually appear in this key:

Registry value name | Expected data
AllowTelemetry | 0x00000003 for optional/full level
DisableTelemetryOptInSettingsUx | 0x00000001 to block user changes
LimitDiagnosticLogCollection | 0x00000001 if you have limited diagnostic logs
LimitDumpCollection | 0x00000001 when you restrict memory dumps

Then check the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting. There is usually a value here, DoReport, set to 0x00000001. This indicates that error reporting is permitted according to corporate policy.

Another key location is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting. Here you'll be particularly interested in the values Disabled and DontSendAdditionalData, which determine whether WER is turned off or whether it can send additional data.

Registry value name | Expected data
Disabled | 0x00000000 to keep WER enabled
DontSendAdditionalData | 0x00000001 to block the sending of extra data

Finally, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent there is an important value called DefaultConsent. With its data set to 0x00000004, the system adjusts the default behavior regarding consent for sending reports.
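
The manual regedit check above can be scripted so that every test machine is compared against the same baseline. The following is an added example, not part of the original guide: the function name Test-WerRegistryValue is hypothetical, and the expected data is simply what this section lists.

```powershell
# Added example (not from the original guide): audit the WER and diagnostic-data
# registry values listed in this section. Expected data mirrors the guide's
# tables; adjust it if your own baseline differs.
$dc  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$wer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
$expected = @(
    @{ Path = $dc;  Name = 'AllowTelemetry';                  Data = 3 }
    @{ Path = $dc;  Name = 'DisableTelemetryOptInSettingsUx'; Data = 1 }
    @{ Path = $dc;  Name = 'LimitDiagnosticLogCollection';    Data = 1 }
    @{ Path = $dc;  Name = 'LimitDumpCollection';             Data = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
       Name = 'DoReport'; Data = 1 }
    @{ Path = $wer; Name = 'Disabled';                        Data = 0 }
    @{ Path = $wer; Name = 'DontSendAdditionalData';          Data = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent'
       Name = 'DefaultConsent'; Data = 4 }
)

# Hypothetical helper: compares one registry value with its expected data.
function Test-WerRegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Data
    )
    # A missing key or value usually means the GPO has not reached this machine.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $state  = 'Missing'
    } else {
        $actual = $item.$Name
        $state  = if ($actual -eq $Data) { 'OK' } else { 'Mismatch' }
    }
    [pscustomobject]@{
        Key      = $Path
        Value    = $Name
        Expected = '0x{0:X8}' -f $Data
        Actual   = $actual
        State    = $state
    }
}

# Splat each baseline entry into the helper and show the comparison.
$results = foreach ($entry in $expected) { Test-WerRegistryValue @entry }
$results | Format-Table -AutoSize -Wrap

$drift = @($results | Where-Object { $_.State -ne 'OK' })
if ($drift.Count -gt 0) {
    Write-Warning ('{0} value(s) differ from the expected configuration.' -f $drift.Count)
}
```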

Activate and deactivate WER using PowerShell commands

In addition to GPOs and the Registry, Windows incorporates specific cmdlets for handling WER from PowerShell, which is very convenient when you want to operate on isolated servers or automate tasks in scripts.

The main cmdlet to enable the functionality is Enable-WindowsErrorReporting. Without additional parameters, its syntax is very simple:

Enable-WindowsErrorReporting

When you run this command in an elevated PowerShell console, the system enables Windows Error Reporting on that computer. Internally, it adjusts the necessary values so that error reports are again generated and sent according to the defined telemetry configuration.

This cmdlet returns a result of type Boolean. If the operation completes successfully, the return value is $True; otherwise, you get $False. This allows you to integrate a simple check into your deployment or maintenance scripts.

Example of direct use:

PS C:\> Enable-WindowsErrorReporting

To check the current status of WER you can use the cmdlet Get-WindowsErrorReporting, which tells you whether it's enabled or not. And if you want to disable it later, you can use the companion cmdlet Disable-WindowsErrorReporting, which turns off the feature and prevents further crash reports from being sent to Microsoft from that computer.

Activate or deactivate WER using remote PowerShell and Batch scripts

In remote management solutions such as certain MDM or EMM platforms, it is common to allow custom scripts to enable or disable WER in bulk. They are usually based on modifying registry keys or invoking the cmdlets indicated in the previous sections.

A PowerShell script can, for example, read the current status of the error reporting service and write to the action history whether it is "Enabled" or "Disabled" after execution. When the script runs successfully, the management console typically displays “True” as a result to indicate that the operation went well.

In the case of batch scripts, the logic is usually similar, but they directly edit the key HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting. A typical command to enable WER consists of creating or modifying the value Disabled and assigning it the data 0, thus allowing the system to collect and send reports.

Similarly, to disable WER using a .bat file, the value Disabled is set to 1, blocking the collection and transmission of errors to Microsoft servers. If all goes well, these actions usually log the message “The operation completed successfully” in the remote tool history.

Event Viewer population and servers without internet access

In some environments, especially on isolated servers or servers without external connectivity, WER can end up filling the Event Viewer with repetitive messages indicating failed connection attempts or report submissions.

This behavior is due to the service attempting to contact the Microsoft endpoints described above. Since the outbound connection is blocked, it retries periodically, generating more events and, sometimes, some noise in the event log.

For these situations, you can choose to disable WER at the policy level, use Registry keys to mark it as disabled, or restrict additional data attempts through a combination of values such as Disabled and DontSendAdditionalData. Another option is to keep reporting active but with local dumps only, without outgoing telemetry.

HDMP and MDMP file management and disk space consumption

Something that often goes unnoticed is the disk space that HDMP and MDMP files generated by WER can occupy when many errors occur in a short time, for example on an application server such as SharePoint.

HDMP files usually contain a complete dump with a lot of information about the process, while MDMP files (minidumps) are compressed dumps containing a subset of data. Both are stored in different locations depending on the Windows version, and can bring the system disk to the brink of collapse if left unchecked.

In older systems like Windows Server 2003 or Windows XP, the dumps are often saved in the folder C:\WINDOWS\pchealth\ERRORREP\UserDumps. In more recent versions such as Windows 7 or Windows Server 2008, reports are typically sent to directories such as:

  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue
  • C:\Users\UserName\AppData\Local\Microsoft\Windows\WER\ReportArchive
  • C:\Users\UserName\AppData\Local\Microsoft\Windows\WER\ReportQueue

In these directories you will find files with names like w3wp.exe{date}.mdmp or w3wp.exe{date}.hdmp. These are associated with the failed process (for example, the IIS worker process on SharePoint servers). If the dumps are generated by library failures, you can review troubleshooting guides for related DirectX and DLL errors.

If you notice that these dumps are growing uncontrollably, you can temporarily disable WER, clean up the folders, or properly configure the dump collection limits (DumpCount, DumpType, etc.) so that the system self-regulates and does not leave the disk without free space.
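
Before cleaning anything, it helps to measure how much space each WER store is actually using. The following is an added example, not part of the original guide: the function names are hypothetical, the folder list mirrors the Windows 7 / Server 2008 paths above, and user profiles are assumed to live under %SystemDrive%\Users.

```powershell
# Added example (not from the original guide): report and prune WER dump files.
# Run elevated so that other users' profile folders can be read.

# Hypothetical helper: builds the list of machine-wide and per-user WER stores.
function Get-WerStorePath {
    $stores = 'ReportArchive', 'ReportQueue'
    foreach ($s in $stores) { Join-Path $env:ProgramData "Microsoft\Windows\WER\$s" }
    Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            foreach ($s in $stores) {
                Join-Path $_.FullName "AppData\Local\Microsoft\Windows\WER\$s"
            }
        }
}

# Hypothetical helper: returns the .hdmp/.mdmp files below one store folder.
function Get-WerDumpFile {
    param([Parameter(Mandatory)] [string] $Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.hdmp', '.mdmp' }
}

# One summary row per store that contains dumps.
function Get-WerDumpUsage {
    param([string[]] $Path = (Get-WerStorePath))
    foreach ($root in $Path) {
        $dumps = @(Get-WerDumpFile -Root $root)
        if ($dumps.Count -eq 0) { continue }
        [pscustomobject]@{
            Store  = $root
            Files  = $dumps.Count
            SizeMB = [math]::Round(($dumps | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
            Oldest = ($dumps | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        }
    }
}

# Deletes dumps older than the cutoff; honours -WhatIf and -Confirm.
function Remove-OldWerDump {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $Path = (Get-WerStorePath),
        [ValidateRange(1, 3650)] [int] $OlderThanDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    foreach ($root in $Path) {
        Get-WerDumpFile -Root $root |
            Where-Object { $_.LastWriteTime -lt $cutoff } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove WER dump')) {
                    Remove-Item -LiteralPath $_.FullName -Force
                }
            }
    }
}

Get-WerDumpUsage | Sort-Object SizeMB -Descending | Format-Table -AutoSize
# Preview only: lists what would be deleted. Remove -WhatIf to actually delete.
Remove-OldWerDump -OlderThanDays 30 -WhatIf
```

Copy any dumps you still need for analysis to another location before running the cleanup without -WhatIf.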

Disable WER in older versions of Windows (XP/2003)

In systems such as Windows 2003 or Windows XPError reporting was partly managed through the system properties panel. It was possible to disable collection globally or enable it only for specific applications.

The typical procedure involved right-clicking on "My Computer," going to "Properties," entering the "Advanced" tab, and clicking on the "Error Reporting" option. From there, it was possible to completely disable the report or configure which programs should report and which should not.

Although these versions are no longer supported, many legacy environments are still present, so it's important to know that WER can be managed from that interface and that folder paths like UserDumps are still useful for cleaning and maintenance tasks.

Configuring WER via Registry in Windows 7, Windows 8, and Windows Server 2008

In more modern versions such as Windows 7 and Windows Server 2008, in addition to the graphical options, you can control WER from the Registry Editor. The base key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting.

To disable error reporting completely, you usually create or modify the value Disabled, of type DWORD, and set it to 1. The service then stops generating and sending reports. If you want to reactivate it, simply set the value to 0 or delete the entry.

On the graphical side, the system also allowed certain adjustments from “System Properties” > “Advanced Options” > “Performance” > “Settings”, for example reviewing options related to Data Execution Prevention (DEP). Although it's not exactly the same as WER, it relates to how Windows protects against and reacts to certain failures.

Enable detailed logging of application crashes (example with explorer.exe)

Sometimes, to diagnose why a particular application is crashing, it is advisable to force the generation of detailed local dumps. A classic example is the explorer.exe process, which, when it gets stuck, leaves the user with a frozen desktop; to mitigate the impact, you can restart File Explorer while you prepare the capture.

This can be achieved by creating a .reg file that adds several keys to the Registry. For example, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\Explorer.exe you can define parameters such as DumpFolder (for example, “C:\\WER Dumps”) and DumpType with a value of 2 to indicate a complete dump.

Additionally, in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe you can configure values such as GlobalFlag and PageHeapFlags to activate advanced debugging techniques that force WER to generate comprehensive information in case of a crash.

After importing that .reg file, and once the incident occurs, the error reporting service will create dumps in the configured folder, for example C:\WER Dumps, which can later be reviewed with dump analysis tools such as WinDbg or simpler utilities.

Configure full user-mode dumps with WER (LocalDumps)

Starting with Windows Server 2008 and Windows Vista SP1, WER can save full user-mode local dumps when an application crashes. This feature is not enabled by default and requires administrator privileges to configure.

The configuration is done in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps. Here you can define various values that control where the dumps are stored, how many are saved, and what type they are.

The most important Registry values are:

Value | Description | Type | Default value
DumpFolder | Path where the dumps are saved. If this is changed, make sure the folder has proper permissions so that the crashing process can write there. | REG_EXPAND_SZ | %LOCALAPPDATA%\CrashDumps
DumpCount | Maximum number of dump files stored in the folder. When this limit is exceeded, the oldest dump is replaced by the new one. | REG_DWORD | 10
DumpType | Indicates the dump type: 0 (custom), 1 (minidump), or 2 (full). The value determines how much information is included in the file. | REG_DWORD | 1
CustomDumpFlags | Used only if DumpType is 0. It is a bitwise combination of MINIDUMP_TYPE values that adjusts which specific data is captured in the custom dump. | REG_DWORD | Usually 0x00000121 (which combines several flags such as MiniDumpWithDataSegs, MiniDumpWithUnloadedModules and MiniDumpWithProcessThreadData).

These parameters are considered a global configuration. If you want to fine-tune the behavior for a specific application, you can create a subkey with the exact name of the executable within LocalDumps, for example LocalDumps\MiAplicacion.exe, and define your own values for DumpFolder, DumpCount, etc.

When an application crashes, the system first checks the global settings and then applies the application-specific settings, if they exist. Once the dump is generated, the application can close normally or attempt to recover if it is prepared to do so.

An interesting detail is that these local dumps are managed independently of the rest of the WER infrastructure. You can have local collection active even if WER is disabled at the report sending level or even if the user has canceled the report.
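
The per-application subkey described above, and the explorer.exe .reg approach from the previous section, can both be written with one small function. The following is an added example, not part of the original guide: the function name Set-WerLocalDump and its parameters are hypothetical, while the key and value names and types are the ones in the table above.

```powershell
# Added example (not from the original guide): per-application LocalDumps settings.
# Writing under HKLM requires an elevated PowerShell session.
function Set-WerLocalDump {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Executable name used as the subkey, e.g. MiAplicacion.exe (name only, no path).
        [Parameter(Mandatory)] [ValidatePattern('^[\w.\- ]+\.exe$')] [string] $ImageName,
        # Target folder; a literal path or a %VAR% path such as %LOCALAPPDATA%\CrashDumps.
        [Parameter(Mandatory)] [string] $DumpFolder,
        [ValidateRange(1, 1000)] [int] $DumpCount = 10,
        # 0 = custom, 1 = minidump, 2 = full
        [ValidateSet(0, 1, 2)] [int] $DumpType = 1,
        # Only written when DumpType is 0, since it is only used in that case.
        [int] $CustomDumpFlags = 0x121
    )
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$ImageName"
    if (-not $PSCmdlet.ShouldProcess($key, 'Configure WER LocalDumps')) { return }

    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }

    $values = [ordered]@{
        DumpFolder = @{ Type = 'ExpandString'; Data = $DumpFolder }
        DumpCount  = @{ Type = 'DWord';        Data = $DumpCount }
        DumpType   = @{ Type = 'DWord';        Data = $DumpType }
    }
    if ($DumpType -eq 0) {
        $values['CustomDumpFlags'] = @{ Type = 'DWord'; Data = $CustomDumpFlags }
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType $values[$name].Type `
            -Value $values[$name].Data -Force | Out-Null
    }

    # Create the folder only for literal paths; %VAR% paths are expanded later,
    # in the context of the crashing process, so they cannot be resolved here.
    if (($DumpFolder -notmatch '%') -and -not (Test-Path -LiteralPath $DumpFolder)) {
        New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null
    }

    # Read the settings back so the caller can confirm what was written.
    Get-ItemProperty -LiteralPath $key |
        Select-Object DumpFolder, DumpCount, DumpType, CustomDumpFlags
}

# Preview with the guide's example names; remove -WhatIf to apply.
# DumpType 2 captures the whole process memory, so limit who can read the folder.
Set-WerLocalDump -ImageName 'MiAplicacion.exe' -DumpFolder 'C:\WER Dumps' `
    -DumpCount 5 -DumpType 2 -WhatIf
```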

Tools and improvements for working with dumps in Windows 11

In the most recent versions, such as Windows 11, improvements have been added that facilitate the creation and analysis of dumps, both from the graphical interface and from specialized tools.

Task Manager includes an option to generate an active memory dump of any user-mode process or even kernel processes. Simply go to the "Processes" or "Details" tab, right-click on the process, and choose "Create active memory dump file."

The ProcDump utility from Sysinternals has also been enhanced. ProcDump now supports more triggers, such as thread creation and termination, certain performance counters, and frozen window detection. In Windows 11, ProcDump is capable of working with all trigger types introduced from Windows 8.1 onward.

In the field of debugging, tools such as WinDbg and CDB allow the analysis of both minidumps and full dumps. They have been updated to better handle user-mode dumps, and can even read dumps directly from CAB files or analyze multiple dump files at once, which is very useful when you have recurring incidents; you can also diagnose errors with Dependency Walker to complement the analysis.

Using TSS to collect performance and network traces

In advanced support scenarios, Microsoft sometimes recommends using scripts such as TSS.ps1 to collect detailed information about the system, including performance data, configuration, and network traces associated with WER and other components.

The typical workflow involves downloading TSS to all affected nodes and extracting it to a standard folder such as C:\tss. Then open a PowerShell window with administrator privileges in that same location.

From there, it is possible to launch different collection scenarios using commands of the type:

TSS.ps1 -SDP PERF,SETUP
TSS.ps1 -Scenario NET_WFP

When you run them, the script will ask you to accept the license terms (EULA) and, once you have given your consent, will automatically begin collecting the necessary data. It may take a while depending on the volume of information and the system load.

At the end, the results are usually compressed into a ZIP file inside a folder like this: C:\MS_DATA\SDP_PERFSETUP\, which you can upload to a Microsoft support workspace to be analyzed by engineers.

Mastering Windows Error Reporting involves understanding how group policies, telemetry, the Registry, local dumps, and analysis tools are all related. By properly adjusting these elements, you can ensure that your systems report only what is necessary, that servers don't run out of space due to HDMP/MDMP, that restricted networks don't suffer constant connection attempts, and at the same time, have the essential information to diagnose and resolve crashes and critical failures when they occur.
