Process

unknown

werfault.exe

WerFault.exe is the Windows Error Reporting process, the program Windows starts when an application crashes or hangs to collect diagnostic data and offer to report it. It appears briefly and often. Attackers exploit the fact that it is trusted and ever-present, using it as cover for injection and as a mechanism to dump process memory.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

WerFault.exe runs Windows Error Reporting (WER). When a process faults, Windows launches WerFault.exe to gather a crash report, which can include a memory dump of the faulting process, and to surface the error to the user. Its parent is usually the WER service inside svchost.exe or the faulting application, and it runs from C:\Windows\System32\WerFault.exe (a hardened variant, WerFaultSecure.exe, exists for protected processes).

Legitimately, WerFault appears whenever something crashes or hangs, so short-lived instances are routine and not a concern on their own. A WerFault that lingers, spawns other programs, or reaches the network is out of character.

Security notes

WerFault.exe is attractive to attackers because it is signed, expected, and easy to overlook. It is a common injection target (T1055): code placed inside a WerFault process inherits a trusted identity and blends into the normal churn of crash handling, so unusual loaded modules or network activity from WerFault is worth examining.

The same crash-dump machinery is also a credential-access route (T1003.001). Techniques that force or hijack WER, for example the "silent process exit" mechanism, can make the system produce a full memory dump of lsass.exe through WerFault, handing over credentials without a recognizable dumping tool. A WerFault tied to an lsass dump file, or one that spawns a process, is the case to run down.

Its trusted name also makes it an impersonation target (T1036.005), so a WerFault.exe outside System32 is suspect on its face.

Anomaly signals
  • Image path other than C:\Windows\System32\WerFault.exe (high)
  • WerFault spawning child processes such as cmd.exe or powershell.exe (high)
  • Outbound connections to hosts outside Microsoft's reporting infrastructure (high)
  • A memory dump of lsass.exe written around the time it runs (high)
  • A long-running WerFault with no corresponding application crash (med)
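The anomaly signals above turned into detection logic, as an added example that is not part of this page: it scores constructed Sysmon-style events (process create, network connect, file create) for the image-path, child-process, network and lsass-dump signals. The allowed reporting-domain suffix, the SysWOW64 path and the event field names are assumptions; the long-running signal needs process-end timing and is left out.

```python
"""Score constructed Sysmon-style events against the WerFault anomaly signals."""
import re

WERFAULT = re.compile(r"\\werfault\.exe$", re.IGNORECASE)
# Expected image paths; the SysWOW64 copy handles 32-bit faulting processes on 64-bit Windows.
EXPECTED_PATHS = {r"c:\windows\system32\werfault.exe", r"c:\windows\syswow64\werfault.exe"}
# Assumed reporting-domain allow-list; tune it to what your proxy logs show for WER uploads.
REPORTING_SUFFIXES = (".microsoft.com",)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return a list of (severity, reason) findings for one event dict."""
    findings = []
    eid, image = ev.get("EventID"), ev.get("Image", "")
    is_wer = bool(WERFAULT.search(image))
    if eid == 1 and is_wer and image.lower() not in EXPECTED_PATHS:
        findings.append(("high", f"WerFault image outside System32: {image}"))
    if eid == 1 and WERFAULT.search(ev.get("ParentImage", "")):
        findings.append(("high", f"WerFault spawned child {basename(image)}"))
    if eid == 3 and is_wer:
        host = ev.get("DestinationHostname", "").lower()
        if not host.endswith(REPORTING_SUFFIXES):
            findings.append(("high", f"WerFault connected to non-reporting host {host}"))
    if eid == 11 and is_wer:
        target = ev.get("TargetFilename", "").lower()
        if "lsass" in basename(target) and target.endswith(".dmp"):
            findings.append(("high", f"WerFault wrote lsass dump {target}"))
    return findings


def triage(events):
    """Flatten findings across events as (pid, severity, reason) tuples."""
    return [(ev.get("ProcessId"), sev, why) for ev in events for sev, why in score_event(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Users\Public\WerFault.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4300, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\WerFault.exe"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Windows\System32\WerFault.exe", "DestinationHostname": "watson.microsoft.com"},
    {"EventID": 3, "ProcessId": 4200, "Image": r"C:\Users\Public\WerFault.exe", "DestinationHostname": "203.0.113.10"},
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Windows\System32\WerFault.exe", "TargetFilename": r"C:\Windows\Temp\lsass.exe.dmp"},
]

if __name__ == "__main__":
    for pid, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid}: {why}")
```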

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
