drop registry export and mft csv · detect crash dump generation disabled or dumps deleted · identify processes that crashed without leaving minidumps · surface kernel crash dump configuration tampering · runs locally
CrashControl · WER LocalDumps · MEMORY.DMP · Minidump folder · Event 41 / 1001 · USN delete on *.dmp
drop registry export · mft csv · optional system evtx / usn journal