windows_crashes¶

Extracted information from Windows crash logs (Minidumps).

Platform support¶

Please be aware that some queries can only be run against certain platforms. Below is a list of the supported platforms that this query supports. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: windows_crashes

Windows

Table schema¶

Name	Type	Description
datetime	TEXT	Timestamp (log format) of the crash
module	TEXT	Path of the crashed module within the process
path	TEXT	Path of the executable file for the crashed process
pid	BIGINT	Process ID of the crashed process
tid	BIGINT	Thread ID of the crashed thread
version	TEXT	File version info of the crashed process
process_uptime	BIGINT	Uptime of the process in seconds
stack_trace	TEXT	Multiple stack frames from the stack trace
exception_code	TEXT	The Windows exception code
exception_message	TEXT	The NTSTATUS error message associated with the exception code
exception_address	TEXT	Address (in hex) where the exception occurred
registers	TEXT	The values of the system registers
command_line	TEXT	Command-line string passed to the crashed process
current_directory	TEXT	Current working directory of the crashed process
username	TEXT	Username of the user who ran the crashed process
machine_name	TEXT	Name of the machine where the crash happened
major_version	INTEGER	Windows major version of the machine
minor_version	INTEGER	Windows minor version of the machine
build_number	INTEGER	Windows build number of the crashing machine
type	TEXT	Type of crash log
crash_path	TEXT	Path of the log file

Query examples¶

select * from windows_crashes

select * from windows_crashes where module like '%electron.exe%'

select * from windows_crashes where datetime < '2016-10-14'

select * from windows_crashes where registers like '%rax=0000000000000004%'

select * from windows_crashes where stack_trace like '%vlc%'