tag:blogger.com,1999:blog-4080617372940068027.post3737382832746359664..comments2024-03-13T01:32:25.097-04:00Comments on Journey Into Incident Response: Exploring Windows Error ReportingCorey Harrellhttp://www.blogger.com/profile/15008629321023489214noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-4080617372940068027.post-12039256168953039552014-02-25T21:24:10.898-05:002014-02-25T21:24:10.898-05:00WER is not only located in %UserProfile% sub folde...WER is not only located in %UserProfile% sub folder, but 'ProgramData(All Users in XP) sub folder. It can also trace to event log. <br />ref. http://forensic-proof.com/archives/4358proneerhttps://www.blogger.com/profile/09207237439093553010noreply@blogger.comtag:blogger.com,1999:blog-4080617372940068027.post-13116783025830325272014-02-25T08:00:03.109-05:002014-02-25T08:00:03.109-05:00Great job, Corey! Great bit of valuable informati...Great job, Corey! Great bit of valuable information. In a timeline, I'd look for the creation of the WER report files at anytime "near" something being executed (such as during user login or application launch).H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.com