How to troubleshoot RepMgr service Memory Leak (Windows)

Article ID: 284991

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Prevention
  • Carbon Black Cloud Workload

Issue/Introduction

How to troubleshoot a RepMgr service memory leak on Windows.

Environment

  • Carbon Black Cloud Console: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Identify the Device ID/Name
  2. Enable UMDH Logging
  3. Put the sensor in Unprotected Mode.
  4. Collect user dumps
    1. Download procdump.exe from https://live.sysinternals.com/
    2. Create a folder “c:\umdhdumps” and copy procdump.exe to the folder.
    3. Open a Command Prompt (CMD) window as a local administrator and navigate to c:\umdhdumps
    4. Run repcli bypass 1 (Note: run it from a CMD window opened in C:\Program Files\Confer).
    5. After locating the actual PID of repmgr.exe, run the following command to create the first user dump file of repmgr.exe in the folder c:\umdhdumps.
      • procdump -ma <RepMgr-PID>
    6. Run repcli bypass 0 (Note: run it from a CMD window opened in C:\Program Files\Confer).
    7. Use Task Manager to monitor the repmgr memory growth, then collect two more user dumps at two different memory usage levels.
    8. Example scenario: when repmgr memory usage reaches 80-90%, the endpoint experiences performance issues. As soon as the service is restarted, collect the first dump to provide a baseline. Capture the second sample at 50% memory usage and the third at 75% usage, following the steps below.
      1. Run repcli bypass 1 (Note: run it from a CMD window opened in C:\Program Files\Confer).
      2. Run the following command to create the second user dump file of repmgr.exe in the folder c:\umdhdumps.
        • procdump -ma <RepMgr-PID>
      3. Run repcli bypass 0 (Note: run it from a CMD window opened in C:\Program Files\Confer).
    9. Zip up the 3 sets of user dumps (Start, 50% and 75%) in c:\umdhdumps for postmortem analysis.
  5. Collect Carbon Black Cloud Sensor Logs Locally
  6. Roll back settings after collecting all 3 dump files
    1. Run repcli bypass 0 (Note: run it from a CMD window opened in C:\Program Files\Confer).
    2. Delete the registry key defined in UMDH Logging
    3. Re-enable Protected Mode as described in the additional notes section of the Unprotected Mode KB.
  7. Create a Support Case including the UMDH and Sensor Logs.
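
The dump-collection sub-steps of step 4 can be wrapped so that the sensor is always taken back out of bypass, even when procdump fails. This is an added example, not code from the article or from the vendor; it assumes repcli.exe sits in C:\Program Files\Confer, procdump.exe has been copied to c:\umdhdumps, and the function name, labels and samples.csv file are hypothetical.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session
# after steps 1-3 (UMDH logging enabled, sensor in Unprotected Mode).
# Assumed paths: adjust if the sensor or procdump are installed elsewhere.
$RepCli   = 'C:\Program Files\Confer\repcli.exe'
$DumpDir  = 'C:\umdhdumps'
$ProcDump = Join-Path $DumpDir 'procdump.exe'

function Save-RepMgrDump {
    param(
        # Hypothetical labels for the article's three collection points.
        [Parameter(Mandatory)]
        [ValidateSet('start', '50pct', '75pct')]
        [string]$Label
    )
    foreach ($tool in $RepCli, $ProcDump) {
        if (-not (Test-Path -LiteralPath $tool)) { throw "Missing required tool: $tool" }
    }

    # Locate the actual PID of repmgr.exe; stop here if the service is not running.
    $proc     = Get-Process -Name 'repmgr' -ErrorAction Stop | Select-Object -First 1
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dumpFile = Join-Path $DumpDir "repmgr_${Label}_$stamp.dmp"

    & $RepCli bypass 1
    try {
        # -ma writes a full user dump; -accepteula skips the first-run EULA dialog.
        & $ProcDump -accepteula -ma $proc.Id $dumpFile
        if (-not (Test-Path -LiteralPath $dumpFile)) {
            throw "procdump did not create $dumpFile"
        }
    }
    finally {
        # Always leave bypass, so a failed dump cannot strand the endpoint unprotected.
        & $RepCli bypass 0
    }

    # Record the memory level at capture time to accompany the dumps.
    [pscustomobject]@{
        Label        = $Label
        TakenAt      = $stamp
        ProcessId    = $proc.Id
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        DumpFile     = $dumpFile
    } | Export-Csv -Path (Join-Path $DumpDir 'samples.csv') -Append -NoTypeInformation
}

# Example: Save-RepMgrDump -Label start   (repeat with 50pct and 75pct)
```

Each call resolves the PID again, so it keeps working if the service was restarted between samples.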