Medium RiskWindows

WerFault.exeEXECUTABLE

WerFault.exe - Windows Error Reporting Analysis [2026]

WerFault.exe is the Windows Error Reporting process for crash handling. Can be abused for LSASS dumping, process injection, and may indicate exploitation attempts.

0viewsLast verified: Jan 18, 2025

Risk Summary

## Risk Summary | Factor | Assessment | |--------|------------| | Detection Difficulty | Medium | | Abuse Potential | High | | Prevalence | Universal | | Risk Score | 60/100 | WerFault.exe can be abused for credential dumping via crash handling and has been used in advanced attacks.

What is WerFault.exe?

WerFault.exe (Windows Error Reporting Fault) is the Windows component responsible for handling application crashes and reporting errors to Microsoft.

Key Characteristics

Attribute	Value
File Name	WerFault.exe
Developer	Microsoft Corporation
Digital Signature	Microsoft Windows
Service	Windows Error Reporting
Type	Error Handler

Technical Details

Property	Description
Process Type	User Application
Parent Process	Crashing application or svchost
Purpose	Crash handling and reporting
Memory Access	Full access to crashed process

WerFault has special permissions to access crashed process memory for dump creation.

Normal Behavior

Legitimate Characteristics

Process: WerFault.exe
Parent: Crashing process or svchost.exe
Location: C:\Windows\System32\WerFault.exe
Arguments: -p <PID> -s <flags>

Expected Characteristics

Aspect	Expected Behavior
Trigger	Application crash
Location	C:\Windows\System32\
Arguments	Process ID of crashed app
Duration	Brief (during crash handling)
Instances	One per crash

Normal Arguments

Argument	Purpose
-p	Process ID
-s	Flags
-u	User mode
-e	Event handle

C:\Windows\System32\WerFault.exeC:\Windows\SysWOW64\WerFault.exe

Suspicious Indicators

Red Flags

Indicator	Concern Level	Description
Targeting lsass.exe	Critical	Credential dumping
Manual execution	High	Not from crash
Wrong location	Critical	Not in System32
Repeated crashes	Medium	Potential exploitation
Memory dumps created	Medium	May contain credentials

LSASS Dump Abuse

Credential Dumping Pattern:
- WerFault.exe -p <lsass_pid>
- Creates memory dump of LSASS
- Attacker extracts credentials
- Legitimate-looking activity

Attack Indicators

Pattern	Concern
WerFault → lsass	Credential dumping
Manual invocation	Intentional abuse
Dump file creation	Evidence extraction

Abuse Techniques

LSASS Memory Dump

Credential Dumping via WerFault:
1. Attacker causes LSASS to "crash"
2. Or manually invokes WerFault for LSASS
3. WerFault creates memory dump
4. Dump contains credential material
5. Extract with Mimikatz offline

Silent Crash Reporting

# Abuse WerFault for memory dump
# WerFault has special privileges to read process memory
WerFault.exe -p <lsass_pid> -u -s

Defense Evasion

Technique	Implementation
Legitimate binary	Uses signed Microsoft tool
Normal behavior	Looks like crash handling
Memory access	Built-in capability
EDR bypass	Often whitelisted

Exploitation Detection

Exploitation may trigger WerFault:
- Heap corruption exploits
- Buffer overflow attempts
- Use-after-free attacks
- Crash as exploitation side-effect

Detection Guidance

Sysmon Configuration

<RuleGroup name="WerFault Monitoring" groupRelation="or">
  <ProcessCreate onmatch="include">
    <Image condition="end with">WerFault.exe</Image>
  </ProcessCreate>
  <ProcessAccess onmatch="include">
    <SourceImage condition="end with">WerFault.exe</SourceImage>
    <TargetImage condition="end with">lsass.exe</TargetImage>
  </ProcessAccess>
</RuleGroup>

Sigma Rule

title: WerFault Accessing LSASS
status: stable
logsource:
  product: windows
  category: process_access
detection:
  selection:
    SourceImage|endswith: '\WerFault.exe'
    TargetImage|endswith: '\lsass.exe'
  condition: selection
  falsepositives:
    - Legitimate LSASS crash (rare)
  level: critical

KQL Query

// WerFault accessing LSASS
DeviceProcessEvents
| where FileName =~ "WerFault.exe"
| where ProcessCommandLine contains "-p"
| join kind=leftouter (
    DeviceProcessEvents
    | where FileName =~ "lsass.exe"
    | project LsassPID = ProcessId
) on $left.ProcessCommandLine contains $right.LsassPID
| project Timestamp, DeviceName, ProcessCommandLine

// WerFault creating dump files
DeviceFileEvents
| where InitiatingProcessFileName =~ "WerFault.exe"
| where FileName endswith ".dmp"
| project Timestamp, DeviceName, FileName, FolderPath

Remediation Steps

Dump File Cleanup

# Find WER dump files
Get-ChildItem -Path "$env:LOCALAPPDATA\CrashDumps" -Filter "*.dmp"
Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows\WER" -Recurse -Filter "*.dmp"

# Remove sensitive dumps
# After investigation, securely delete

Restrict Dump Creation

# Disable user-mode dumps
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
Set-ItemProperty -Path $regPath -Name DumpType -Value 0

# Or disable WER entirely (not recommended)
Set-Service -Name WerSvc -StartupType Disabled

Monitoring

Control	Implementation
LSASS protection	Enable Credential Guard
Dump monitoring	Alert on .dmp creation
WerFault audit	Log all invocations

T1003.001 - LSASS Memory T1036 - Masquerading

WerFault.exe - Windows Error Reporting Analysis [2026]

Risk Summary

Overview

What is WerFault.exe?

Key Characteristics

Technical Details

Normal Behavior

Normal Behavior

Legitimate Characteristics

Expected Characteristics

Normal Arguments

Common Locations

Suspicious Indicators

Suspicious Indicators

Red Flags

LSASS Dump Abuse

Attack Indicators

Abuse Techniques

Abuse Techniques

LSASS Memory Dump

Silent Crash Reporting

Defense Evasion

Exploitation Detection

Detection Guidance

Detection Guidance

Sysmon Configuration

Sigma Rule

KQL Query

Remediation Steps

Remediation Steps

Dump File Cleanup

Restrict Dump Creation

Monitoring

Investigation Checklist

Investigation Checklist

Process Analysis

Dump File Check

Exploitation Check

Timeline

MITRE ATT&CK Techniques