Windows Error Reporting (WER) fails to launch for a Windows service with a restricted per-service SID (SERVICE_SID_TYPE_RESTRICTED)

    I have developed a Windows service that runs as LOCAL SERVICE with a restricted per-service SID. I also want to enable Windows Error Reporting on this service, to be able to diagnose crashes in production. However, when I try to crash the service, error reporting (more specifically, WerFault.exe) will not launch when the service is configured to run with a restricted per-service token. Changing the per-service SID to unrestricted results in error reporting working as expected again.

    I have compared Process Monitor dumps of the two cases and come to this:

    • My service crashes (on purpose).
    • The Windows Error Reporting service (WerSvc, on Windows 8.1) starts.
    • WerSvc checks a few registry flags under HKLM\Software\Microsoft\Windows\Windows Error Reporting.
    • Unrestricted SID: WerSvc calls CreateProcessAsUser() to launch WerFault.exe, which succeeds. The Application log will have an event from Windows Error Reporting.
    • Restricted SID: WerSvc calls CreateProcess() to launch WerFault.exe, which apparently fails. Nothing is logged by Windows Error Reporting.

    Is it necessary to do any extra configuration to enable WER for a service that runs with a restricted token, or is this a general limitation? There are a few restricted built-in services, but I don't know yet if error reporting works for them or not. I would be surprised if it didn't.

    Any help is appreciated.

    / David

    Monday, August 4, 2014 4:27 PM
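
A diagnostic sketch for the comparison described in the post, added here as an example and not part of the original question: it reads the service's configured SID type from the registry and lists Windows Error Reporting events in the Application log that mention the service binary. The service name `MyService` and the 15-minute window are assumptions.

```powershell
# Added example (not from the original post).
param(
    [string]$ServiceName = 'MyService',             # assumption: placeholder service name
    [datetime]$Since = (Get-Date).AddMinutes(-15)   # assumption: the crash happened in this window
)

# ServiceSidType values as stored under the service's registry key.
$sidTypes = @{
    0 = 'SERVICE_SID_TYPE_NONE'
    1 = 'SERVICE_SID_TYPE_UNRESTRICTED'
    3 = 'SERVICE_SID_TYPE_RESTRICTED'
}

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$svc = Get-ItemProperty -Path $key -ErrorAction Stop

# A missing value means no per-service SID is configured.
$raw = if ($null -ne $svc.ServiceSidType) { [int]$svc.ServiceSidType } else { 0 }
$sidType = if ($sidTypes.ContainsKey($raw)) { $sidTypes[$raw] } else { "unknown ($raw)" }

# Executable file name from ImagePath (handles quoted paths and trailing arguments).
$exe = [regex]::Match([string]$svc.ImagePath, '[^\\"]+?\.exe', 'IgnoreCase').Value

# WER events since the chosen time that mention the service binary (newest first).
$filter = @{ LogName = 'Application'; ProviderName = 'Windows Error Reporting'; StartTime = $Since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $exe -and $_.Message -like "*$exe*" })

[pscustomobject]@{
    Service        = $ServiceName
    ObjectName     = $svc.ObjectName
    SidType        = $sidType
    Executable     = $exe
    WerEventCount  = $events.Count
    LatestWerEvent = ($events | Select-Object -First 1).TimeCreated
}
```

Running it after a forced crash under each SID type gives a side-by-side record of the setting and whether WER logged anything; `sc.exe qsidtype <name>` reports the same setting.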