The API I want to talk about today is called WerReportCreate. It takes a few arguments, but the most interesting is the first one, which is the Event Name.

Looking at Windows OS binaries, we can see this API being utilized by a number of native executables and libraries, and each invocation uses unique string for the event name:

• FaultTolerantHeap – AcLayers.dll
• AppxDeploymentFailureBlue – AppXDeploymentServer.dll
• CertPinning – cryptui.dll
• D3DDRED2 – D3D12Core.dll
• DMRCDeviceMetadataPackageFailure – DeviceMetadataRetrievalClient.dll
• DispBrokerTimeoutEvent – DispBroker.dll
• WWAJSE – EdgeContent.dll
• WindowsBlackScreenDiagnosticsV1 – explorer.exe
• ShellBrowserCancel – ExplorerFrame.dll
• ShellViewReentered – ExplorerFrame.dll
• FaultTolerantHeap – fthsvc.dll
• GDIObjectLeak – gdi32full.dll
• CompatEntityAnalysis_1 – invagent.dll
• ScriptedDiagFailure – msdt.exe
• WindowsNonFatalSuspectedDeadlock – netprofmsvc.dll
• CommsNonFatalSuspectedDeadlock – PhoneProviders.dll
• CommsNonFatalSuspectedDeadlock – PhoneService.dll
• HamLkd – PsmServiceExtHost.dll
• RADAR_PRE_LEAK_32 – radarrs.dll
• RADAR_LEAK_64 – rdrleakdiag.exe
• MemDiagV1 – RelPost.exe
• StartupRepairOnline – RelPost.exe
• WindowsBackupFailure – sdclt.exe
• WindowsBackupFailure – sdengin2.dll
• ServiceHang – services.exe
• SystemRestore – srcore.dll
• ShellThumbnailExtractionTimeout – thumbcache.dll
• ShellThumbnailExtractionTimeout – ThumbnailExtractionHost.exe
• UpdateAgentDiag – UpdateAgent.dll
• Windows Server Backup Error – wbengine.exe
• AppHangB1 – WerFault.exe
• BlueScreen – WerFault.exe
• LiveKernelEvent – WerFault.exe
• Temp – werui.dll
• WUDFUnhandledException – WUDFPlatform.dll