These instructions should only be used at the direction of the VMware Carbon Black Support team. Open a Support Case and the Sensor Capture Script will be provided to collect the logs below if needed.
Prerequisites
- RepCLI Authentication must be enabled. If it was not enabled during the initial sensor install, it can be enabled on existing sensor installations.
- Create a folder where all logs will be saved. This document refers to that location as C:\temp; replace C:\temp with whatever location you chose for saving the log files.
- Download the cbc-sensor-capture.ps1.zip attached to the Support Case
- Copy cbc-sensor-capture.ps1 to C:\temp
- Download ProcmonLowAlt.exe.zip at the bottom of How to Collect a low Altitude Procmon Capture, or download Procmon directly from Microsoft and configure it as per Option 2.
- Unzip procmon and copy to C:\temp
NOTE: For sensor 3.8 and above, RepCLI Repro can be used to collect this data, but Procmon.exe must be downloaded directly from Microsoft. The ProcmonLowAlt.zip attached to How to Collect a low Altitude Procmon Capture cannot be used because that build of procmon is not signed by a valid publisher, and RepCLI Repro will only invoke procmon when it is signed by a valid publisher.
- Ensure wpr.exe exists in C:\Windows\System32\
NOTE: If C:\Windows\System32\wpr.exe does not exist, download Debugging Tools for Windows and, at the "Select the features you want to download" prompt, deselect everything except "Windows Performance Toolkit". wpr.exe is installed to C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit by default. Once installed, copy wpr.exe to C:\Windows\System32\
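The prerequisite list above can be checked in one pass before the capture is started. The script below is an added example and is not part of the Carbon Black capture script; the folder C:\temp, the Procmon file name Procmon.exe and the RepCLI path C:\Program Files\Confer\RepCLI.exe are assumptions to adjust for your install. The Procmon check uses the same signature test that RepCLI Repro applies (a valid publisher signature), so the low-altitude build is flagged before it causes a failed capture.

```powershell
# Added prerequisite check for the capture workflow (not part of the Carbon Black
# capture script). Paths below are assumptions: adjust $LogDir to the folder you
# chose, $ProcmonExe to the Procmon binary you downloaded, and $RepCli to your
# sensor install location.
$LogDir     = 'C:\temp'
$ProcmonExe = Join-Path $LogDir 'Procmon.exe'
$WprExe     = 'C:\Windows\System32\wpr.exe'
$RepCli     = 'C:\Program Files\Confer\RepCLI.exe'   # assumed default sensor path

$problems = @()

# 1. The capture script itself must be where the article expects it.
if (-not (Test-Path (Join-Path $LogDir 'cbc-sensor-capture.ps1'))) {
    $problems += "cbc-sensor-capture.ps1 not found in $LogDir"
}

# 2. wpr.exe must exist in System32.
if (-not (Test-Path $WprExe)) {
    $problems += "wpr.exe missing from System32; install the Windows Performance Toolkit and copy it there"
}

# 3. RepCLI Repro (sensor 3.8+) only launches a Procmon signed by a valid publisher,
#    so the low-altitude build from the other article will be refused. Check the
#    Authenticode signature the same way before relying on it.
if (Test-Path $ProcmonExe) {
    $sig = Get-AuthenticodeSignature -FilePath $ProcmonExe
    if ($sig.Status -ne 'Valid') {
        $problems += "Procmon signature status is '$($sig.Status)'; download Procmon from Microsoft instead"
    } else {
        Write-Host "Procmon signed by: $($sig.SignerCertificate.Subject)"
    }
} else {
    $problems += "Procmon.exe not found in $LogDir"
}

# 4. RepCLI must be present; restricted commands will also need the uninstall code,
#    which this check cannot verify, so it only prints the sensor status for review.
if (Test-Path $RepCli) {
    & $RepCli status | ForEach-Object { Write-Host "  $_" }
} else {
    $problems += "RepCLI.exe not found at $RepCli"
}

if ($problems) {
    Write-Warning "Fix the following before running the capture:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
} else {
    Write-Host "All prerequisites satisfied."
}
```

Run it from an elevated PowerShell prompt in the same folder the capture will use; anything it lists as a problem will otherwise surface partway through a reproduction, after the behavior has already been triggered once.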
Sensor Active
Reproduce the behavior when Sensor is Active
- Open Command Prompt using the "Run As Administrator" option
- Change Directory to C:\temp
C:\WINDOWS\system32>cd C:\temp
C:\temp>
- Run the following command to reset sensor counters and retain PSC events
C:\temp>Powershell -ExecutionPolicy bypass -f cbc-sensor-capture.ps1 keepevents
- When the Enter the uninstall code to unlock restricted RepCLI commands.: prompt is presented, enter the uninstall code
- When "Hit enter to stop trace and collect logs.:" presents, start to reproduce the behavior
- Document exact steps taken to reproduce to provide to Support
- Note local machine time when testing started, and timezone of machine
- Note local time when issue occurred
- Once behavior is fully reproduced, press Enter to exit the capture
- A zip will be created with the device hostname, date and time of the capture (i.e. hostname-YYYYDDMMHHMMSS.zip). Prefix with "keepevents-active" (i.e. keepevents-active-hostname-YYYYDDMMHHMMSS.zip)
- Run the following command to start wpr trace depending on the estimated time needed to reproduce
More than 5 minutes
C:\temp>powershell -ExecutionPolicy bypass -f c:\temp\cbc-sensor-capture.ps1 wpr
Less than 5 minutes
C:\temp>powershell -ExecutionPolicy bypass -f c:\temp\cbc-sensor-capture.ps1 minifilter
- When "Hit enter to stop trace and collect logs.:" presents, start to reproduce the behavior
- Once behavior is fully reproduced, press Enter to exit the capture
- Document exact steps taken to reproduce to provide to Support
- Note local machine time when testing started, and timezone of machine
- Note local time when issue occurred
- A folder with the device hostname, date and time of the capture is created and compressed to a zip (i.e. hostname-YYYYDDMMHHMMSS.zip). Prefix with "wpr-active" (i.e. wpr-active-hostname-YYYYDDMMHHMMSS.zip)
NOTE: If the files are too large, the script may be unable to zip the folder. In this case, please manually compress the folder into a zip file.
NOTE: If the issue takes longer than 10 minutes to reproduce, the resulting log files may take up excessive disk space
- Run the following command to start procmon
C:\temp>powershell -executionpolicy bypass -f c:\temp\cbc-sensor-capture.ps1 procmon
- When "Hit enter to stop trace and collect logs.:" presents, start to reproduce the behavior
- Once behavior is fully reproduced, press Enter to exit the capture
- A zip will be created with the device hostname, date and time of the capture (i.e. hostname-YYYYDDMMHHMMSS.zip). Prefix with "procmon-active" (i.e. procmon-active-hostname-YYYYDDMMHHMMSS.zip)
NOTE: If the files are too large, the script may be unable to zip the folder. In this case, please manually compress the folder into a zip file
NOTE: If the issue takes longer than 10 minutes to reproduce, the resulting log files may take up excessive disk space
Sensor Bypass
Reproduce the behavior when Sensor is in Bypass
- Run the following command to start wpr trace depending on the estimated time needed to reproduce
More than 5 minutes
C:\temp>powershell -ExecutionPolicy bypass -f c:\temp\cbc-sensor-capture.ps1 wpr bypass
Less than 5 minutes
C:\temp>powershell -ExecutionPolicy bypass -f c:\temp\cbc-sensor-capture.ps1 minifilter bypass
- When "Hit enter to stop trace and collect logs.:" presents, start to reproduce the issue
- Once issue fully reproduced, press Enter to exit the capture
- Document exact steps taken to reproduce to provide to Support
- Note local machine time when testing started, and timezone of machine
- Note local time when issue occurred
- A folder with the device hostname, date and time of the capture is created and compressed to a zip (i.e. hostname-YYYYDDMMHHMMSS.zip). Prefix with "wpr-bypass" (i.e. wpr-bypass-hostname-YYYYDDMMHHMMSS.zip)
- Run the following command:
C:\temp>powershell -executionpolicy bypass -f c:\temp\cbc-sensor-capture.ps1 procmon bypass
- When "Hit enter to stop trace and collect logs.:" presents, start to reproduce the issue
- Once the behavior has been reproduced, press Enter to exit the capture
- A folder with the device hostname, date and time of the capture is created and compressed to a zip (i.e. hostname-YYYYDDMMHHMMSS.zip). Prefix with "procmon-bypass" (i.e. procmon-bypass-hostname-YYYYDDMMHHMMSS.zip)
- Go to C:\temp, zip the five files below together and name the zip perfcapture-logs.zip
- keepevents-active-hostname-YYYYDDMMHHMMSS.zip
- wpr-active-hostname-YYYYDDMMHHMMSS.zip
- procmon-active-hostname-YYYYDDMMHHMMSS.zip
- wpr-bypass-hostname-YYYYDDMMHHMMSS.zip
- procmon-bypass-hostname-YYYYDDMMHHMMSS.zip
- Upload perfcapture-logs.zip from C:\temp to the case for Support to review
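The five capture runs, the prefix renames and the final bundle are easy to get wrong by hand (a zip left unprefixed, a run skipped, the wrong file uploaded). The wrapper below is an added example, not part of the Carbon Black capture script, and automates only the bookkeeping around it: the script itself remains interactive and will still prompt for the uninstall code and wait for Enter, so run this from an elevated console. It assumes the script and Procmon are in C:\temp and that each run writes exactly one new zip (or, if zipping failed, one folder) named after the computer name; both are assumptions about the script's output, not documented behavior.

```powershell
# Added wrapper for the capture sequence (not part of the Carbon Black script).
# Assumptions: cbc-sensor-capture.ps1 is in C:\temp, each run produces one new
# <COMPUTERNAME>-<timestamp>.zip (or a folder of that name if zipping failed), and
# the prerequisites have already been verified. Run from an elevated PowerShell.
$LogDir = 'C:\temp'
$Script = Join-Path $LogDir 'cbc-sensor-capture.ps1'
$Bundle = Join-Path $LogDir 'perfcapture-logs.zip'

# Each entry: the prefix Support asks for, then the script arguments from the article.
# Swap 'wpr' for 'minifilter' in the two wpr runs if the reproduction takes under 5 minutes.
$Runs = @(
    @{ Prefix = 'keepevents-active'; Args = @('keepevents') },
    @{ Prefix = 'wpr-active';        Args = @('wpr') },
    @{ Prefix = 'procmon-active';    Args = @('procmon') },
    @{ Prefix = 'wpr-bypass';        Args = @('wpr', 'bypass') },
    @{ Prefix = 'procmon-bypass';    Args = @('procmon', 'bypass') }
)

function Invoke-Capture {
    param([string]$Prefix, [string[]]$ScriptArgs)

    Set-Location $LogDir
    $before = Get-ChildItem $LogDir -Filter "$env:COMPUTERNAME-*.zip" | Select-Object -ExpandProperty Name

    # Record the local start time and timezone; Support asks for both.
    $start = Get-Date
    Write-Host ("[{0} {1}] starting '{2}' capture ({3})" -f $start.ToString('s'), [TimeZoneInfo]::Local.Id, $Prefix, ($ScriptArgs -join ' '))
    & powershell.exe -ExecutionPolicy Bypass -File $Script @ScriptArgs
    Write-Host ("[{0}] '{1}' capture finished" -f (Get-Date).ToString('s'), $Prefix)

    # Locate the zip this run produced and give it the prefix Support expects.
    $new = Get-ChildItem $LogDir -Filter "$env:COMPUTERNAME-*.zip" |
           Where-Object { $before -notcontains $_.Name } |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $new) {
        # The script could not zip (output too large): compress the folder ourselves.
        $dir = Get-ChildItem $LogDir -Directory -Filter "$env:COMPUTERNAME-*" |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $dir) { throw "No capture output found for $Prefix" }
        $zipPath = "$($dir.FullName).zip"
        Compress-Archive -Path $dir.FullName -DestinationPath $zipPath
        $new = Get-Item $zipPath
    }
    $target = Join-Path $LogDir "$Prefix-$($new.Name)"
    Rename-Item -Path $new.FullName -NewName (Split-Path $target -Leaf)
    return $target
}

$collected = foreach ($run in $Runs) {
    Read-Host "Press Enter when ready to start the '$($run.Prefix)' capture"
    Invoke-Capture -Prefix $run.Prefix -ScriptArgs $run.Args
}

# Bundle the five prefixed zips into the single archive Support asks for.
Compress-Archive -Path $collected -DestinationPath $Bundle -Force
Write-Host "Created $Bundle containing:"
$collected | ForEach-Object { Write-Host "  $(Split-Path $_ -Leaf)" }
Write-Host "Upload $Bundle to the Support case."
```

The timestamps it prints are the ones to copy into the case notes alongside the exact reproduction steps; the wrapper cannot record those for you. If a run has to be repeated, delete its prefixed zip first so the new-file detection does not pick up the stale one.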