wer-file
Parses Report.wer files written by the Windows Error Reporting (WER) service to retrieve crash reports. Converts application crash information, exception data, operating system information, and more into structured fields for output.
Command properties
| Property | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR - Path to the ZIP file that contains the WER file. Use this when querying a WER file directly inside a ZIP archive.
zipcharset=STR - Character set for ZIP file entries (default: utf-8).
Target
FILE_PATH - Path to the Report.wer file to query. You can use a wildcard (*) to specify multiple files. WER files are typically located in the C:\ProgramData\Microsoft\Windows\WER\ReportArchive directory.
Output fields
WER file key-value pairs are converted from CamelCase to snake_case for use as field names. The main output fields are as follows:
| Field | Type | Description |
|---|---|---|
| version | string | WER file format version |
| event_type | string | Event type (e.g., APPCRASH) |
| event_time | string | Event occurrence time. Value in FILETIME format |
| consent | string | Whether the error report was consented for submission |
| consent_key | string | Error report consent key (e.g., APPCRASH) |
| app_name | string | Application name |
| app_path | string | Application file path |
| app_session_guid | string | Session GUID |
| ns_app_name | string | Namespace application name (e.g., WinSCP.exe) |
| ns_group | string | Namespace group (e.g., windows8) |
| ns_partner | string | Namespace partner (e.g., windows) |
| original_filename | string | Original file name |
| application_identity | string | Application hash |
| target_app_id | string | Target application identifier |
| target_app_ver | string | Target application version |
| boot_id | string | Boot identifier |
| report_identifier | string | Report GUID identifier |
| report_status | string | Report status |
| report_type | string | Report type |
| friendly_event_name | string | Human-readable event name (e.g., stopped working) |
| is_fatal | string | Whether the error is fatal |
| upload_time | string | Upload time. Value in FILETIME format |
| metadata_hash | string | Metadata hash |
| response_bucket_id | string | Response bucket identifier |
| response_bucket_table | string | Response bucket table |
| response_legacy_bucket_id | string | Response legacy bucket identifier |
| responsetype | string | Response type |
| integrator_report_identifier | string | Integrator report identifier |
| ui | string | UI items. A string combining multiple items with newlines (\n) |
| sigs | map | Exception information including application version, exception code, and exception offset |
| dynamic_sigs | map | Dynamic exception information |
| states | map | List of state values |
| os_infos | map | Operating system information |
| loaded_modules | array | List of loaded DLL file paths |
Error codes
Parsing errors
N/A
Runtime errors
| Error code | Message | Description | Post-processing action |
|---|---|---|---|
| - | cannot load Report.wer file | The WER file cannot be read | Stops query execution |
Description
The wer-file command reads the specified WER file with UTF-16LE encoding and parses key-value pairs. Each line in the file is formatted as key=value, and key names are automatically converted from CamelCase to snake_case.
Array-format keys (Sig[n], DynamicSig[n], State[n], OsInfo[n]) are parsed as name-value pairs and assigned to the sigs, dynamic_sigs, states, and os_infos map fields respectively. Values of LoadedModule[n] keys are collected into the loaded_modules array field. Values of UI[n] keys are joined with newline characters and assigned to the ui string field.
If the version field is null, the file is considered an invalid WER file and no record is output.
To query a WER file inside a ZIP archive, specify the ZIP file path in the zippath option and the WER file path within the ZIP as the target.
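The parsing rules described above, sketched in Python for triage outside the query engine. This is an added example, not Logpresso's implementation: the sample lines are constructed, and the exact snake_case rule and the treatment of `.Name`/`.Key` sub-keys as the map key are assumptions.

```python
import re

# Constructed sample, encoded as the page describes: UTF-16LE, one key=value per line.
SAMPLE = (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "IsFatal=1\r\n"
    "Sig[0].Name=Application Name\r\n"
    "Sig[0].Value=WinSCP.exe\r\n"
    "Sig[1].Name=Exception Code\r\n"
    "Sig[1].Value=c0000005\r\n"
    "OsInfo[0].Key=vermaj\r\n"
    "OsInfo[0].Value=10\r\n"
    "UI[2]=C:\\Program Files\\WinSCP\\WinSCP.exe\r\n"
    "UI[3]=WinSCP stopped working\r\n"
    "LoadedModule[0]=C:\\Windows\\SYSTEM32\\ntdll.dll\r\n"
).encode("utf-16-le")

MAPS = {"Sig": "sigs", "DynamicSig": "dynamic_sigs", "State": "states", "OsInfo": "os_infos"}
INDEXED = re.compile(r"^(\w+)\[(\d+)\](?:\.(\w+))?$")

def snake(key):
    # Assumed rule: underscore before a capital that follows a lowercase letter or digit.
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", key).lower()

def parse_wer(raw):
    text = raw.decode("utf-16-le").lstrip("\ufeff")  # drop a BOM if present
    rec, pending, ui = {}, {}, []
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # values may themselves contain '='
        if not sep:
            continue
        m = INDEXED.match(key)
        if not m:
            rec[snake(key)] = value
        elif m.group(1) in MAPS:  # pair up <prefix>[n].Name|Key with <prefix>[n].Value
            slot = pending.setdefault((m.group(1), int(m.group(2))), {})
            slot["value" if m.group(3) == "Value" else "name"] = value
        elif m.group(1) == "LoadedModule":
            rec.setdefault("loaded_modules", []).append(value)
        elif m.group(1) == "UI":
            ui.append(value)
    for (prefix, _), slot in sorted(pending.items()):
        if "name" in slot:
            rec.setdefault(MAPS[prefix], {})[slot["name"]] = slot.get("value")
    if ui:
        rec["ui"] = "\n".join(ui)
    return rec if rec.get("version") is not None else None  # no Version: not a valid WER file
```
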
Examples
- Retrieve a WER file
  wer-file /opt/logpresso/evidence/Report.wer
  Retrieves the crash report from the WER file at the specified path.
- Retrieve multiple WER files using a wildcard
  wer-file /opt/logpresso/evidence/ReportArchive/*/Report.wer
  Retrieves WER files from all subdirectories under ReportArchive.
- Retrieve a WER file inside a ZIP archive
  wer-file zippath=/opt/logpresso/evidence/artifacts.zip Report.wer
  Retrieves the crash report from the Report.wer file inside the ZIP archive.
- Filter for fatal errors only
  wer-file /opt/logpresso/evidence/ReportArchive/*/Report.wer | search is_fatal == "1"
  Filters for crash reports recorded as fatal errors.