Microsoft-Windows-WER-Diag
5 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1 | Possible disk corruption detected for executable image CorruptedFilePath, … | Operational |
| 2 | Possible heap corruption detected (exception code Name). | Operational |
| 3 | Possible crash in an unloaded dll detected. | Operational |
| 4 | Crash on launch is detected. | Operational |
| 5 | CFG violation is detected. | Operational |
Event ID 1 — Possible disk corruption detected for executable image CorruptedFilePath, causing application CrashedAppName to stop working with exception ExceptionCode, status code ExceptionStatusCode.
Description
Possible disk corruption detected for executable image CorruptedFilePath, causing application CrashedAppName to stop working with exception ExceptionCode, status code ExceptionStatusCode. Initiating further diagnostics.
Message #
Fields #
| Name | Description |
|---|---|
CorruptedFilePath UnicodeString | — |
CrashedAppName UnicodeString | — |
ExceptionCode UInt32 | — |
ExceptionStatusCode UInt32 | — |
Event ID 2 — Possible heap corruption detected (exception code Name).
Description
Possible heap corruption detected (exception code Name). Initiating further diagnostics.
Message #
Fields #
| Name | Description |
|---|---|
Name | — |
ExceptionCode UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WER-Diag",
"guid": "AD8AA069-A01B-40A0-BA40-948D1D8DEDC5",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9224497936761618432,
"time_created": "2026-03-09T01:01:32.206209+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 7856,
"thread_id": 2516
},
"channel": "Microsoft-Windows-WER-Diag/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "FTH_EXCEPTION_OF_INTEREST",
"ExceptionCode": 3221225477
},
"message": ""
}
Event ID 3 — Possible crash in an unloaded dll detected.
Event ID 4 — Crash on launch is detected.
Description
Crash on launch is detected. Initiating further diagnostics.
Message #
Fields #
| Name | Description |
|---|---|
Name | — |
ProcessId UInt32 | — |
ModuleName UnicodeString | — |
StartTime UInt64 | — |
CrashTimeFromStart UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-WER-Diag",
"guid": "AD8AA069-A01B-40A0-BA40-948D1D8DEDC5",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9224497936761618432,
"time_created": "2026-03-13T22:05:01.557312+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 7740,
"thread_id": 1108
},
"channel": "Microsoft-Windows-WER-Diag/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Name": "CRASH_ON_LAUNCH",
"ProcessId": 8748,
"ModuleName": "C:\\Windows\\System32\\Magnify.exe",
"StartTime": 134179130996217430,
"CrashTimeFromStart": 19353291
},
"message": ""
}
Event ID 5 — CFG violation is detected.
Description
CFG violation is detected.
Message #
Fields #
| Name | Description |
|---|---|
AppPath UnicodeString | — |
ProcessId UInt32 | — |
ProcessStartTime FILETIME | — |
Is64Bit Boolean | — |
CallReturnAddress Pointer | — |
CallReturnModName UnicodeString | — |
CallReturnModOffset UInt32 | — |
CallReturnInstructionBytesLength UInt32 | — |
CallReturnInstructionBytes Binary | — |
CallReturnBaseAddress Pointer | — |
CallReturnRegionSize Pointer | — |
CallReturnState UInt32 | — |
CallReturnProtect UInt32 | — |
CallReturnType UInt32 | — |
TargetAddress Pointer | — |
TargetModName UnicodeString | — |
TargetModOffset UInt32 | — |
TargetInstructionBytesLength UInt32 | — |
TargetInstructionBytes Binary | — |
TargetBaseAddress Pointer | — |
TargetRegionSize Pointer | — |
TargetState UInt32 | — |
TargetProtect UInt32 | — |
TargetType UInt32 | — |