EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 1001ErrorApplication

Windows Event ID 1001Windows Error Reporting — Application or System Crash

Logged by Windows Error Reporting when an application crashes or a BSOD occurs, including the fault module and exception code.

Why It Matters

Provides the crash analysis that Event ID 41 lacks. The faulting module name often identifies the driver or application causing instability.

Key Fields

Faulting Application / Module NameWhat crashed — system process faults (lsass.exe, ntoskrnl.exe) are highest severity
Exception Code0xc0000005 = access violation, 0x80000003 = breakpoint, etc.
Faulting Module PathPath to the crashing component — third-party drivers in System32 are common culprits

Investigation Tips

  1. 1.lsass.exe crashes can be caused by credential dumping tools — investigate the surrounding timeline.
  2. 2.Third-party driver paths in Faulting Module Name point to the vendor responsible for the instability.
  3. 3.Recurring crashes with the same module + exception code confirm a specific root cause.

Related Event IDs

41Kernel power — system-level crash
1000Application error — non-crash application faults

See Event ID 1001 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects windows error reporting — application or system crash patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →