windows_crashes

Extracted information from Windows crash logs (Minidumps).

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause a query from running if errors are detected. Running this query against an unsupported platform results in the following error: no such table: windows_crashes

  • Windows

Table schema

Name                Type      Description
datetime            TEXT      Timestamp (log format) of the crash
module              TEXT      Path of the crashed module within the process
path                TEXT      Path of the executable file for the crashed process
pid                 BIGINT    Process ID of the crashed process
tid                 BIGINT    Thread ID of the crashed thread
version             TEXT      File version info of the crashed process
process_uptime      BIGINT    Uptime of the process in seconds
stack_trace         TEXT      Multiple stack frames from the stack trace
exception_code      TEXT      The Windows exception code
exception_message   TEXT      The NTSTATUS error message associated with the exception code
exception_address   TEXT      Address (in hex) where the exception occurred
registers           TEXT      The values of the system registers
command_line        TEXT      Command-line string passed to the crashed process
current_directory   TEXT      Current working directory of the crashed process
username            TEXT      Username of the user who ran the crashed process
machine_name        TEXT      Name of the machine where the crash happened
major_version       INTEGER   Windows major version of the machine
minor_version       INTEGER   Windows minor version of the machine
build_number        INTEGER   Windows build number of the crashing machine
type                TEXT      Type of crash log
crash_path          TEXT      Path of the log file

Query examples

select * from windows_crashes
select * from windows_crashes where module like '%electron.exe%'
select * from windows_crashes where datetime < '2016-10-14'
select * from windows_crashes where registers like '%rax=0000000000000004%'
select * from windows_crashes where stack_trace like '%vlc%'
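The queries above are single-column filters. The following is an added example, not part of the osquery or Zercurity documentation, that combines the schema's columns into two triage queries: one surfaces executables that repeatedly crash with an access violation (a signal worth investigating as a memory-safety bug or an attempted exploit), the other lists crashes that occurred inside a loaded module rather than the main executable. It assumes exception_code is stored as a hex string containing the NTSTATUS value c0000005 (STATUS_ACCESS_VIOLATION) and that datetime sorts as a date string, as the example `datetime < '2016-10-14'` suggests.

```sql
-- Added example: repeated access-violation crashes per executable and user.
-- Assumption: exception_code is a hex string such as 0xc0000005; the LIKE
-- match tolerates a differing prefix, and SQLite LIKE is case-insensitive.
SELECT path,
       username,
       COUNT(*)             AS crash_count,
       MIN(datetime)        AS first_seen,
       MAX(datetime)        AS last_seen,
       MAX(process_uptime)  AS max_uptime_seconds
FROM windows_crashes
WHERE exception_code LIKE '%c0000005%'
  AND datetime >= '2016-10-01'          -- constructed cutoff for the window
GROUP BY path, username
HAVING crash_count >= 3
ORDER BY crash_count DESC;

-- Added example: crashes where the faulting module is not the process
-- executable itself, i.e. the fault is in a DLL loaded into the process.
-- Useful for spotting a third-party or unexpected module as the culprit.
SELECT datetime,
       path,
       module,
       exception_code,
       exception_message,
       exception_address,
       crash_path
FROM windows_crashes
WHERE module != ''
  AND lower(module) != lower(path)
ORDER BY datetime DESC;
```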