From 8540b2b6f5f39d0d36bf1c35fcc2d742787db16a Mon Sep 17 00:00:00 2001
From: Blue <OneBlue@users.noreply.github.com>
Date: Tue, 7 Oct 2025 15:52:56 -0700
Subject: [PATCH] Add WTI rule to detect usermode crashes (#13574)

---
 triage/config.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/triage/config.yml b/triage/config.yml
index 9a3a4ad..ae283c5 100644
--- a/triage/config.yml
+++ b/triage/config.yml
@@ -211,6 +211,15 @@ rules:
         capture:
             field1: error
 
+    - logline:
+        provider: Microsoft.Windows.Lxss.Manager
+        task: LinuxCrash
+      set:
+        name: linux-crash
+        capture:
+          field3: linux-crash-path
+          field6: linux-crash-process
+
     - logline:
         provider: Microsoft.Windows.Lxss.Manager
       set: wsl-service-logs
@@ -256,6 +265,11 @@ actions:
         debug_message: 'Detected user visible error: $error'
         skip_similar_issues: false
 
+    - foreach:
+        var: linux-crash
+        debug_message: 'Found evidence of linux crash: $linux-crash-process (dump: $linux-crash-path)'
+        skip_similar_issues: false
+
     - foreach:
         var: disk-attach-error
         debug_message: 'Found evidence of disk failing to attach. Error: $error, Path: $vhdpath'