EDR: Enable Verbose Debug Logging Locally on Windows sensor



Article ID: 285756


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • How to enable verbose user and kernel-mode logging locally via Command prompt.

Environment

  • EDR Sensor: Version 5.x and above (Formerly CB Response)
  • EDR Console: Version 5.x and above
  • Microsoft Windows: All Supported Versions

Resolution

  1. Back up the registry prior to enabling logging
  2. Locally enable verbose logging:
    • Open a command prompt as administrator
    • Enter the following two commands:
      • reg add HKLM\Software\CarbonBlack\config /v DebugLevel /t REG_DWORD /d 7
      • reg add HKLM\Software\CarbonBlack\config /v KernelDebugLevel /t REG_DWORD /d 7
    • The registry setting will not take effect until the user-mode sensor service is told to re-read its configuration:
      • sc control carbonblack 203
  3. Reproduce the issue
  4. Collect logs:
    • https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Collect-Windows-Sensor-Diagnostic-Logs-6-2-2/ta-p/93494
    • https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Collect-Windows-Sensor-Diagnostics-Logs-6-2-1-and/ta-p/67648
  5. Disable debug logging from the command prompt:
    • reg delete HKLM\Software\CarbonBlack\config /v DebugLevel /f
    • reg delete HKLM\Software\CarbonBlack\config /v KernelDebugLevel /f
    • sc control carbonblack 203
  6. Upload the diagnostics to the CB Vault
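The steps above, wrapped into one script as an added example (this is not Carbon Black's own tooling or code from this article): it backs up the configuration key, sets or removes the two DWORD values the article names, sends control code 203 to the sensor service, and prints the resulting state. It assumes an elevated PowerShell session on a host with the sensor installed; the backup file name is a constructed value, and `/f` is added to `reg add` only to suppress the interactive overwrite prompt.

```powershell
<#
  Added example, not part of the Carbon Black KB article or the EDR product.
  Enables or disables verbose user/kernel debug logging on a Windows EDR sensor
  using the registry values and service control code (203) the article lists.
  Assumes an elevated PowerShell session; $BackupPath is a constructed value.
#>
param(
    [ValidateSet('Enable', 'Disable')]
    [string]$Action = 'Enable',
    [string]$BackupPath = "$env:TEMP\CarbonBlack-config-backup.reg"   # constructed name
)

$regKey = 'HKLM\Software\CarbonBlack\config'    # reg.exe path syntax
$psKey  = 'HKLM:\Software\CarbonBlack\config'   # registry provider syntax
$values = 'DebugLevel', 'KernelDebugLevel'

if (-not (Test-Path $psKey)) {
    throw "Sensor configuration key $psKey not found; is the EDR sensor installed?"
}

# Step 1: back up the key before changing anything (/y overwrites an older backup).
reg export $regKey $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (exit code $LASTEXITCODE)" }
Write-Host "Backup written to $BackupPath"

# Step 2 (Enable) or step 5 (Disable): set or remove the two DWORD values.
foreach ($name in $values) {
    if ($Action -eq 'Enable') {
        reg add $regKey /v $name /t REG_DWORD /d 7 /f | Out-Null
    } else {
        reg delete $regKey /v $name /f | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "reg $Action of $name failed (exit code $LASTEXITCODE)" }
}

# The change is not picked up until the user-mode service receives control code 203.
# 'sc' alone is a PowerShell alias for Set-Content, so call sc.exe explicitly.
sc.exe control carbonblack 203 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc control carbonblack 203 failed (exit code $LASTEXITCODE)" }

# Show the resulting values so the logging state can be recorded with the diagnostics.
$current = Get-ItemProperty -Path $psKey -ErrorAction SilentlyContinue
foreach ($name in $values) {
    $v = $current.$name
    if ($null -eq $v) { Write-Host "${name}: not set (default logging)" }
    else              { Write-Host "${name}: $v" }
}
```

Run it with `-Action Enable` before reproducing the issue and `-Action Disable` after the logs are collected, so verbose logging is not left on longer than needed.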