Completely disable running WerFault.exe upon application crash

I have a simple test scenario where the application crashes. I am not interested in obtaining/analyzing the crash dump, and speed is a concern.
For this reason I have tried various ways to disable the Windows Error Reporting service, because it launches the following processes, causing serious downtime in the tests:

  • WerFault.exe – multiple processes are spawned
  • wermgr.exe

I have tried to disable WER using the following methods:

  • WER Settings: setting the Disabled key to 1 – both in the normal and the WOW6432Node hive
  • Group Policy Settings, Turn off Windows Error Reporting under Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings
  • Group Policy Settings, Disable Windows Error Reporting under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting
  • both stop and disable the Windows Error Reporting Service in services.msc

I have run Process Monitor and set the appropriate filters (both process and action) to see only relevant information, and I can clearly see that WerFault.exe is always run and is writing the following files:

  • C:\ProgramData\Microsoft\Windows\WER\Temp[PROCESS_NAME].tmp
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_[PROCESS_NAME]\Report.wer.tmp

The files are not there when I manually navigate there, so I have a hunch that Windows is still generating a crash dump in the background to send to MS, despite the machine being completely cut off from the internet.

Is it possible to somehow disable running these processes?

Answer

Found a solution:
Created a new key at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe,
then added a new string value named “Debugger” and gave it a nonexistent exe name.
This way WerFault.exe is run with an invalid debugger and will not start.

Helpful links:
https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/
https://github.com/tdebaets/wertweak

Attribution
Source : Link , Question Author : user2281752 , Answer Author : user2281752
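
The registry change from the answer as an added PowerShell example (not code from the answer's author), with a revert and an audit of every Image File Execution Options "Debugger" value, since the first helpful link describes the same value as a persistence mechanism and a test override should stay reviewable. The function names and the placeholder debugger path are assumptions made for this example; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: apply, revert and audit the IFEO "Debugger" override described in the answer.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [string]$Image    = 'WerFault.exe',
        # Constructed placeholder: any executable name that does not exist on the machine.
        [string]$Debugger = 'C:\nonexistent\wer-disabled-for-tests.exe'
    )
    $key = Join-Path $IfeoRoot $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null
}

function Remove-IfeoDebugger {
    param([string]$Image = 'WerFault.exe')
    $key = Join-Path $IfeoRoot $Image
    # Remove only the value: the key may hold other settings that predate the test setup.
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

function Get-IfeoDebugger {
    # List every image with a Debugger value and whether the debugger executable resolves.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Best-effort parse of the first token: a quoted path, or text up to the first space.
            $exe = $dbg
            if ($dbg -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($dbg -match '^\s*(\S+)') { $exe = $Matches[1] }
            [pscustomobject]@{
                Image        = $_.PSChildName
                Debugger     = $dbg
                TargetExists = [bool](Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue)
            }
        }
    }
}

Set-IfeoDebugger                      # before the test run
Get-IfeoDebugger | Format-Table -AutoSize
# Remove-IfeoDebugger                 # after the test run, to restore WerFault.exe
```

In the audit output, the test override appears as a WerFault.exe row with TargetExists False; any other row whose debugger does resolve to a real executable is worth reviewing.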
