################################################################## # # # Written by: Ryan Waters # # # # Program: Get-Dump.ps1 # # Date: 2-06-2020 # # Purpose: To set registry keys to gather a WER Usermode Dump # # and be able to change from a custom, mini, or FULL # # Dumps for ease of use for customers and others. # # # # EULA: Code is free to use for all, and free to distribute # # I just ask that you leave the credit information and # # this EULA and Comment Section in tact and do not delete. # # # # Bitwise Values: (For reference) # # # # 0x00000000 - MiniDumpNormal # # 0x00000001 - MiniDumpWithDataSegs # # 0x00000002 - MiniDumpWithFullMemory # # 0x00000004 - MiniDumpWithHandleData # # 0x00000008 - MiniDumpFilterMemory # # 0x00000010 - MiniDumpScanMemory # # 0x00000020 - MiniDumpWithUnloadedModules # # 0x00000040 - MiniDumpWithIndirectlyReferenced # # 0x00000080 - MemoryMiniDumpFilterModulePaths # # 0x00000100 - MiniDumpWithProcessThreadData # # 0x00000200 - MiniDumpWithPrivateReadWriteMemory # # 0x00000400 - MiniDumpWithoutOptionalData # # 0x00000800 - MiniDumpWithFullMemoryInfo # # 0x00001000 - MiniDumpWithThreadInfo # # 0x00002000 - MiniDumpWithCodeSegs # # 0x00004000 - MiniDumpWithoutAuxiliaryState # # 0x00008000 - MiniDumpWithFullAuxiliaryState # # 0x00010000 - MiniDumpWithPrivateWriteCopyMemory # # 0x00020000 - MiniDumpIgnoreInaccessibleMemory # # 0x00040000 - MiniDumpWithTokenInformation # # # ################################################################## #Setting Values: $MDN = '0' $MDWDS = '1' $MDWFM = '2' $MDWHD = '4' $MDFM = '8' $MDSM = '10' $MDWUM = '20' $MDWIR = '40' $MMDFMP = '80' $MDWPTD = '100' $MDWPRWM = '200' $MDWOD = '400' $MDWFMI = '800' $MDWTI = '1000' $MDWCS = '2000' $MDWAS = '4000' $MDWFAS = '8000' $MDWPWCM = '10000' $MDIIM = '20000' $MDWTOI = '40000' $a = $MDN $b = $MDWDS $c = $MDWFM $d = $MDWHD $e = $MDFM $f = $MDSM $g = $MDWUM $h = $MDWIR $i = $MMDFMP $j = $MDWPTD $k = $MDWPRWM $l = $MDWOD $m = $MDWFMI $n = $MDWTI $o = $MDWCS $p = $MDWAS $q = $MDWFAS $r = $MDWPWCM $s = $MDIIM $t = $MDWTOI $0x = "0x" $array = @() Clear-host write-host "Setting up your machine to receive Usermode Dumps via WER." Start-sleep -s 3 New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpFolder" -Value "%LOCALAPPDATA%\CrashDumps" -PropertyType ExpandString -Force New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpCount" -Value "10" -PropertyType DWORD -Force clear-host write-host "What would you like to do?" write-host "(0) Disable Dumps and restore system to factory." write-host "(1) Enable System for Full Dumps." write-host "(2) Enable System for Mini Dumps." write-host "(3) Enable System for custom dump with options." $NCD = Read-Host "Enter a number option" If ($NCD -eq '3') { New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpType" -Value "0" -PropertyType DWORD -Force Do { clear-host write-host "Here are the optional custom dump to add to your custom dump parameters:" write-host "(1) Mini Dump Normal" write-host "(2) Mini Dump With Data Segs" write-host "(3) Mini Dump With Full Memory" write-host "(4) Mini Dump With Handle Data" write-host "(5) Mini Dump Filter Memory" write-host "(6) Mini Dump Scan Memory" write-host "(7) Mini Dump With Unloaded Modules" write-host "(8) Mini Dump With Indirectly Referenced" write-host "(9) Memory Mini Dump Filter Module Paths" write-host "(10) Mini Dump With Process Thread Data" write-host "(11) Mini Dump With Private Read Write Memory" write-host "(12) Mini Dump Without Optional Data" write-host "(13) Mini Dump With Full Memory Info" write-host "(14) Mini Dump With Thread Info" write-host "(15) Mini Dump With Code Segs" write-host "(16) Mini Dump Without Auxiliary State" write-host "(17) Mini Dump With Full Auxiliary State" write-host "(18) Mini Dump With Private Write Copy Memory" write-host "(19) Mini Dump Ignore Inaccessible Memory" write-host "(20) Mini Dump With Token Information" $Option = Read-Host "Enter one number value at a time and press enter. (Press 'q' when finished)" if($Option -eq '1') { $array += [int]$a } ElseIf($Option -eq '2') { $array += [int]$b } ElseIf($Option -eq '3') { $array += [int]$c } ElseIf($Option -eq '4') { $array += [int]$d } ElseIf($Option -eq '5') { $array += [int]$e } ElseIf($Option -eq '6') { $array += [int]$f } ElseIf($Option -eq '7') { $array += [int]$g } ElseIf($Option -eq '8') { $array += [int]$h } ElseIf($Option -eq '9') { $array += [int]$i } ElseIf($Option -eq '10') { $array += [int]$j } ElseIf($Option -eq '11') { $array += [int]$k } ElseIf($Option -eq '12') { $array += [int]$l } ElseIf($Option -eq '13') { $array += [int]$m } ElseIf($Option -eq '14') { $array += [int]$n } ElseIf($Option -eq '15') { $array += [int]$o } ElseIf($Option -eq '16') { $array += [int]$p } ElseIf($Option -eq '17') { $array += [int]$q } ElseIf($Option -eq '18') { $array += [int]$r } ElseIf($Option -eq '19') { $array += [int]$s } ElseIf($Option -eq '20') { $array += [int]$t } ElseIf($Option -eq 'q') { write-host "Closing application." Start-Sleep -s 2 } Else { write-host "Invalid Option, Try again." Start-sleep -s 2 } } While($Option -ne "q") $sum = $array -join '+' $SumArray = Invoke-Expression $sum $FinalSum = $0x + $SumArray New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "CustomDumpFlags" -Value "$FinalSum" -PropertyType DWORD -Force write-host " " write-host "Setting up the system for crash dumps requires a reboot" } ElseIf ($NCD -eq '0') { Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpCount" -Force -ErrorAction SilentlyContinue Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpType" -Force -ErrorAction SilentlyContinue Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpFolder" -Force -ErrorAction SilentlyContinue Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "CustomDumpFlags" -Force -ErrorAction SilentlyContinue write-host " " $reboot = read-host "Registry reset to factory settings and cleared. It is recommended to restart your machine, would you like to now?" if($reboot -eq "Yes" -or $reboot -eq "Y" -or $reboot -eq "yes" -or $reboot -eq "y") { shutdown -r } Else { write-host "Please restart the machine for settings to take effect at your convenience." } } ElseIf ($NCD -eq '1') { New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpType" -Value "2" -PropertyType DWORD -Force write-host "The computer has been set up to create a Full Sized Dump and will be located in %LOCALAPPDATA%\CrashDumps." write-host "The computer must also restart for settings to take effect. Would you like to now? (Y/n)" if($reboot -eq "Yes" -or $reboot -eq "Y" -or $reboot -eq "yes" -or $reboot -eq "y") { shutdown -r } Else { write-host "Please restart the machine for settings to take effect at your convenience." } } ElseIf ($NCD -eq '2') { New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" -Name "DumpType" -Value "1" -PropertyType DWORD -Force write-host "The computer has been set up to create a Mini Dump and will be located in %LOCALAPPDATA%\CrashDumps." write-host "The computer must also restart for settings to take effect. Would you like to now? (Y/n)" if($reboot -eq "Yes" -or $reboot -eq "Y" -or $reboot -eq "yes" -or $reboot -eq "y") { shutdown -r } Else { write-host "Please restart the machine for settings to take effect at your convenience." } } Else { write-host "You did not enter a valid option. Please re-run Get-Dump.ps1" start-sleep -s 5 }