The Windows Process Journey — “wermgr.exe” (Windows Problem Reporting)
“wermgr.exe” is a PE binary located at “%windir%\system32\wermgr.exe”. On 64-bit systems there is also a 32-bit version of the binary located at “%windir%\SysWOW64\wermgr.exe”. This binary is one of the components of the “Windows Error Reporting” feature (https://medium.com/@boutnaru/the-windows-concept-journey-wer-windows-error-reporting-812316b8eb0a) of the operating system, and it interacts with the “Windows Error Reporting Service” (WerSvc). “wermgr.exe” is the component that reads, parses, copies, moves and deletes the error report files on disk (https://unit42.paloaltonetworks.com/tale-of-a-windows-error-reporting-zero-day-cve-2019-0863/).
When “wermgr.exe” is executed with the “-upload” argument the function “wermgr!DoCoreUpload” is called. This function enumerates all the subdirectories under the ReportQueue directory (“C:\ProgramData\Microsoft\Windows\WER\ReportQueue”), as shown in the screenshot below. Each subdirectory holds one queued error report, and the goal of the function is to read those reports and submit them to Microsoft (https://unit42.paloaltonetworks.com/tale-of-a-windows-error-reporting-zero-day-cve-2019-0863/).
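To make the enumeration step concrete, the following is an added example (not code from the original write-up, and not Microsoft's implementation) that walks a ReportQueue-style directory and parses the “Report.wer” file found in each report subdirectory. The key=value, UTF-16 layout of “Report.wer”, the “Sig[n].Name/Value” and “FileN.Path” key names, and the report subdirectory name are taken from the common on-disk format but are assumptions here; the report content itself is constructed for the demo, and nothing is uploaded anywhere.

```python
import tempfile
from pathlib import Path

# Constructed sample modelled on the key=value layout of a WER "Report.wer"
# file. Every value below is invented for illustration (assumption: this is
# the field layout wermgr.exe parses; it is not copied from a real system).
SAMPLE_REPORT = """Version=1
EventType=APPCRASH
EventTime=133000000000000000
ReportType=2
Consent=1
ReportStatus=268435456
ReportIdentifier=00000000-0000-0000-0000-000000000000
Sig[0].Name=Application Name
Sig[0].Value=example.exe
Sig[1].Name=Application Version
Sig[1].Value=1.0.0.0
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.19045.2.0.0.256.48
File0.CabName=WER1234.tmp.dmp
File0.Path=WER1234.tmp.dmp
File0.Flags=2097152
File0.Type=2
FriendlyEventName=Stopped working
AppName=example
AppPath=C:\\Users\\user\\example.exe
"""


def parse_wer(text):
    """Turn the key=value lines of a Report.wer file into a dict (last key wins)."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # skip blank or malformed lines instead of failing
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def signature(fields):
    """Return the ordered (Name, Value) pairs from Sig[n].* entries (the bucketing parameters)."""
    sig = []
    i = 0
    while f"Sig[{i}].Name" in fields:
        sig.append((fields[f"Sig[{i}].Name"], fields.get(f"Sig[{i}].Value", "")))
        i += 1
    return sig


def attached_files(fields):
    """Return the relative paths of the files the report references via FileN.Path."""
    files = []
    i = 0
    while f"File{i}.Path" in fields:
        files.append(fields[f"File{i}.Path"])
        i += 1
    return files


def enumerate_report_queue(queue_dir):
    """Walk the subdirectories of a ReportQueue-like directory and parse each Report.wer.

    This mirrors only the enumeration/parsing part of wermgr!DoCoreUpload
    described above; it does not submit anything to Microsoft.
    """
    results = {}
    for sub in sorted(Path(queue_dir).iterdir()):
        if not sub.is_dir():
            continue
        report = sub / "Report.wer"
        if not report.is_file():
            continue  # a queue entry without a report file is skipped, not an error
        fields = parse_wer(report.read_text(encoding="utf-16"))
        results[sub.name] = {
            "event": fields.get("EventType"),
            "app": fields.get("AppPath"),
            "signature": signature(fields),
            "files": attached_files(fields),
        }
    return results


def build_sample_queue():
    """Create a throwaway ReportQueue tree with one constructed report so the demo runs offline."""
    root = Path(tempfile.mkdtemp(prefix="ReportQueue_"))
    # Directory name shaped like a real queue entry; hashes are placeholders.
    sub = root / "AppCrash_example.exe_0000000000000000000000000000000000000000_cab_00000000"
    sub.mkdir()
    (sub / "Report.wer").write_text(SAMPLE_REPORT, encoding="utf-16")
    (sub / "WER1234.tmp.dmp").write_bytes(b"MDMP")  # placeholder, not a real minidump
    return root


if __name__ == "__main__":
    for name, info in enumerate_report_queue(build_sample_queue()).items():
        print(name, info["event"], info["app"], info["signature"], info["files"])
```

Pointing enumerate_report_queue at the real “C:\ProgramData\Microsoft\Windows\WER\ReportQueue” (with the rights to read it) lists exactly the entries that a later “wermgr.exe -upload” run would pick up, which is useful when triaging what a machine is about to send out.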
Lastly, “wermgr.exe” depends on “%windir%\system32\wer.dll” (Windows Error Reporting DLL), and the 32-bit version depends on “%windir%\SysWOW64\wer.dll”. The binary is digitally signed by Microsoft. When executed, “wermgr.exe” can also access other subdirectories of “C:\ProgramData\Microsoft\Windows\WER” such as “ReportArchive” and “Temp”.
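The facts above (two legitimate image paths, a Microsoft signature, and a dependency on “wer.dll” from the matching system directory) are enough to write a simple hunting check for a “wermgr.exe” that does not look like the real one. The following is an added example, not part of the original write-up: it scans constructed process-creation events and flags an image running from an unexpected path, an image whose signature is not a valid Microsoft one, or a “wer.dll” loaded from somewhere other than the expected directory. It assumes “%windir%” is “C:\Windows”, that the signer name reported by the log source is “Microsoft Windows”, and that events carry the field names used below; all three are assumptions, and the events themselves are invented.

```python
import ntpath

# Assumption: %windir% is C:\Windows. Paths are compared case-insensitively
# after normalisation because Windows paths are case-insensitive.
EXPECTED_IMAGES = {
    r"c:\windows\system32\wermgr.exe",
    r"c:\windows\syswow64\wermgr.exe",
}
EXPECTED_WER_DLL = {
    r"c:\windows\system32\wer.dll",
    r"c:\windows\syswow64\wer.dll",
}
# Assumption: this is the signer string the log source reports for Windows binaries.
EXPECTED_SIGNER = "Microsoft Windows"


def norm(path):
    """Normalise a Windows path for comparison (works on any host via ntpath)."""
    return ntpath.normpath(path).lower()


def check_event(ev):
    """Return a list of findings for one process-creation event; empty means nothing unusual."""
    findings = []
    image = norm(ev["image"])
    if ntpath.basename(image) != "wermgr.exe":
        return findings  # only interested in processes named wermgr.exe
    if image not in EXPECTED_IMAGES:
        findings.append("wermgr.exe running from unexpected path: " + ev["image"])
    if ev.get("signer") != EXPECTED_SIGNER or not ev.get("signature_valid", False):
        findings.append("wermgr.exe image is not validly signed by Microsoft")
    # A wer.dll loaded from anywhere but the expected directory would mean the
    # dependency was satisfied by a planted copy rather than the system one.
    for dll in ev.get("loaded_modules", []):
        d = norm(dll)
        if ntpath.basename(d) == "wer.dll" and d not in EXPECTED_WER_DLL:
            findings.append("wer.dll loaded from unexpected path: " + dll)
    return findings


def scan(events):
    """Run check_event over many events and return {pid: findings} for the ones that fired."""
    return {ev["pid"]: f for ev in events if (f := check_event(ev))}


# Constructed sample events (invented values, not from a real system).
SAMPLE_EVENTS = [
    {   # benign: system32 image, valid Microsoft signature, system32 wer.dll
        "pid": 4100,
        "image": r"C:\Windows\System32\wermgr.exe",
        "cmdline": r"C:\Windows\System32\wermgr.exe -upload",
        "signer": "Microsoft Windows", "signature_valid": True,
        "loaded_modules": [r"C:\Windows\System32\wer.dll"],
    },
    {   # benign: the 32-bit copy
        "pid": 4101,
        "image": r"C:\Windows\SysWOW64\wermgr.exe",
        "cmdline": r"C:\Windows\SysWOW64\wermgr.exe -upload",
        "signer": "Microsoft Windows", "signature_valid": True,
        "loaded_modules": [r"C:\Windows\SysWOW64\wer.dll"],
    },
    {   # suspicious: a copy of the (still validly signed) binary in a user-writable directory
        "pid": 5200,
        "image": r"C:\Users\Public\wermgr.exe",
        "cmdline": r"C:\Users\Public\wermgr.exe -upload",
        "signer": "Microsoft Windows", "signature_valid": True,
        "loaded_modules": [r"C:\Users\Public\wer.dll"],
    },
    {   # suspicious: right path, but the image on disk no longer carries a valid signature
        "pid": 5201,
        "image": r"C:\Windows\System32\wermgr.exe",
        "cmdline": r"C:\Windows\System32\wermgr.exe -upload",
        "signer": "Microsoft Windows", "signature_valid": False,
        "loaded_modules": [r"C:\Windows\System32\wer.dll"],
    },
    {   # unrelated process, must be ignored
        "pid": 6000,
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe",
        "signer": "Microsoft Windows", "signature_valid": True,
        "loaded_modules": [],
    },
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(pid, f)
```

The path check matters even when the signature is valid: copying a signed Microsoft binary next to a planted “wer.dll” keeps the signature intact, so signature status alone would not distinguish the third event from the first.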
See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.