I had the opportunity the other day to take a look at a scenario with a 3rd party product. When one of my colleagues ran the Administration console for the product, it crashed on start. I dug out Process Monitor and set it to capture every system call that occurred at the time of the failure. Ultimately it turned out that we needed the client installed at the same time as the Admin console.
The interesting bit was that you could trace the process crash. When the console application hits an unrecoverable error, the crashing process itself starts up a new thread which examines a number of crash dump handler registry locations, including HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting and its GPO equivalent, amongst others. It also checks whether it should show a dialog message reporting the failure by examining HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI. These locations determine what specific action there is to take.
In my case the entry HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\Installed\DW0200 dictated that we had the Dr. Watson handler installed on the machine. The thread then does some stuff around opening the executable image that is crashing, then starts the Dr. Watson executable DW20.exe by creating a process and starting it, and then the first thread starts running.
The Dr. Watson program (DW20.exe) then displays the crash dialog the user sees. Fascinating stuff.
Process Monitor monitors system calls in the Windows OS – it feels very much like the Linux command ‘strace’ or its SVR4/Solaris equivalent ‘truss’.
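As an added illustration (not part of the original post), the sketch below filters a Process Monitor CSV export for the sequence described above: registry reads under the two PCHealth\ErrorReporting locations, followed by a Process Create for DW20.exe from the same PID. The sample rows, the process name and the DW20.exe path are constructed, and the column names assume Process Monitor's default CSV export.

```python
import csv
import io

# Constructed sample rows in Process Monitor's default CSV column layout.
# Process names, PIDs, times and the DW20.exe path are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.100","AdminConsole.exe","3120","Thread Create","","SUCCESS","Thread ID: 4012"
"10:15:02.101","AdminConsole.exe","3120","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting","NAME NOT FOUND",""
"10:15:02.102","AdminConsole.exe","3120","RegQueryValue","HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI","SUCCESS","Type: REG_DWORD"
"10:15:02.103","explorer.exe","1500","RegOpenKey","HKCU\Software\Example","SUCCESS",""
"10:15:02.104","AdminConsole.exe","3120","RegOpenKey","HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\Installed","SUCCESS",""
"10:15:02.105","AdminConsole.exe","3120","RegQueryValue","HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\Installed\DW0200","SUCCESS","Type: REG_DWORD"
"10:15:02.110","explorer.exe","1500","Process Create","C:\Example\notepad.exe","SUCCESS","PID: 3300"
"10:15:02.120","AdminConsole.exe","3120","Process Create","C:\Example\DW20.exe","SUCCESS","PID: 3388"
'''

# The two registry roots named in the post (policy and non-policy locations).
ER_ROOTS = (
    r"hklm\software\policies\microsoft\pchealth\errorreporting",
    r"hklm\software\microsoft\pchealth\errorreporting",
)
HANDLER_IMAGE = "dw20.exe"


def crash_handoffs(csv_text):
    """Return one record per process that launched DW20.exe, with the
    error-reporting registry paths that same PID touched beforehand."""
    lookups = {}   # PID -> [(registry path, result), ...] seen so far
    handoffs = []
    # Exported files usually start with a UTF-8 byte order mark; drop it.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        pid, op, path = row["PID"], row["Operation"], row["Path"]
        if op.startswith("Reg") and path.lower().startswith(ER_ROOTS):
            lookups.setdefault(pid, []).append((path, row["Result"]))
        elif op == "Process Create" and path.lower().endswith("\\" + HANDLER_IMAGE):
            handoffs.append({
                "time": row["Time of Day"],
                "process": row["Process Name"],
                "pid": pid,
                "handler": path,
                "keys_read": list(lookups.get(pid, [])),
            })
    return handoffs


if __name__ == "__main__":
    for h in crash_handoffs(SAMPLE_CSV):
        print(h["time"], h["process"], "->", h["handler"])
        for key, result in h["keys_read"]:
            print("   ", result, key)
```

To run it against a real capture, save the trace from Process Monitor as CSV and pass the file's text to `crash_handoffs`.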