windows_crashes

Extracted information from Windows crash logs (Minidumps).

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause a query from running if errors are detected. Running a query against an unsupported platform results in the following error: no such table: windows_crashes

  • Windows

Table schema

Name                Type      Description
datetime            TEXT      Timestamp (log format) of the crash
module              TEXT      Path of the crashed module within the process
path                TEXT      Path of the executable file for the crashed process
pid                 BIGINT    Process ID of the crashed process
tid                 BIGINT    Thread ID of the crashed thread
version             TEXT      File version info of the crashed process
process_uptime      BIGINT    Uptime of the process in seconds
stack_trace         TEXT      Multiple stack frames from the stack trace
exception_code      TEXT      The Windows exception code
exception_message   TEXT      The NTSTATUS error message associated with the exception code
exception_address   TEXT      Address (in hex) where the exception occurred
registers           TEXT      The values of the system registers
command_line        TEXT      Command-line string passed to the crashed process
current_directory   TEXT      Current working directory of the crashed process
username            TEXT      Username of the user who ran the crashed process
machine_name        TEXT      Name of the machine where the crash happened
major_version       INTEGER   Windows major version of the machine
minor_version       INTEGER   Windows minor version of the machine
build_number        INTEGER   Windows build number of the crashing machine
type                TEXT      Type of crash log
crash_path          TEXT      Path of the log file

Query examples

select * from windows_crashes
select * from windows_crashes where module like '%electron.exe%'
select * from windows_crashes where datetime < '2016-10-14'
select * from windows_crashes where registers like '%rax=0000000000000004%'
select * from windows_crashes where stack_trace like '%vlc%'
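As an added example (not from this page or from the osquery project), the query below is a triage query over this schema: it groups repeated access-violation crashes (NTSTATUS 0xC0000005) by executable and faulting module, since a burst of access violations in one binary is a common symptom of memory corruption worth investigating. It assumes exception_code is stored as a hex string containing 'c0000005', which is an assumption about the column's formatting rather than something this page states.

```sql
-- Added example, not part of the original page.
-- Find binaries that crashed repeatedly with STATUS_ACCESS_VIOLATION
-- (0xC0000005) and show which module faulted, who ran it, and when.
-- Assumption: exception_code holds the code as a hex string such as
-- '0xc0000005'; adjust the LIKE pattern if your data is formatted differently.
select
  path,
  module,
  exception_code,
  count(*)                          as crash_count,
  min(datetime)                     as first_seen,
  max(datetime)                     as last_seen,
  group_concat(distinct username)   as users,
  group_concat(distinct machine_name) as machines
from windows_crashes
where lower(exception_code) like '%c0000005%'
group by path, module, exception_code
having count(*) >= 3
order by crash_count desc;
```

Rows where module differs from path point at a crash inside a loaded library rather than the main executable, which narrows down where to look in stack_trace.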