Enable Verbose Debug Logging Remotely on Windows Sensor

Article ID: 285757

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to enable verbose user and kernel-mode logging remotely using the Live Response feature in EDR.

Environment

  • EDR Sensor: All Versions
  • EDR Server: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Back up the registry prior to enabling logging.
  2. Remotely enable verbose logging:
    • Establish a Live Response session with the endpoint.
    • Enter the following two commands within Live Response:
      reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7
      reg add HKLM\Software\CarbonBlack\config -v KernelDebugLevel -t REG_DWORD -d 7
    • The registry settings will not take effect until the user-mode sensor service is restarted:
      execfg cmd.exe /K "sc control carbonblack 203"
  3. Reproduce the issue.
  4. Collect logs.
  5. Disable verbose logging in Live Response:
      reg delete HKLM\Software\CarbonBlack\config -v DebugLevel
      reg delete HKLM\Software\CarbonBlack\config -v KernelDebugLevel
      execfg cmd.exe /K "sc control carbonblack 203"
  6. If necessary, upload the log files to the tech support case.
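The same procedure run locally from an elevated PowerShell session instead of Live Response, as an added example that is not part of this article or Carbon Black's own tooling. It reuses the registry key, value names, service name `carbonblack` and control code 203 from the steps above; the backup file location under `$env:TEMP` is an assumption.

```powershell
# Added example (not Carbon Black's code): toggles sensor verbose debug logging
# locally, adding the registry backup the article asks for before any change.
$KeyPath    = 'HKLM:\Software\CarbonBlack\config'
$ValueNames = 'DebugLevel', 'KernelDebugLevel'
$BackupFile = Join-Path $env:TEMP 'CarbonBlack-config-backup.reg'   # assumed location

function Backup-CbConfig {
    # reg.exe export writes a restorable .reg file of the whole config key
    reg.exe export 'HKLM\Software\CarbonBlack\config' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no changes made." }
    Write-Host "Backed up sensor config to $BackupFile"
}

function Restart-CbSensorUserMode {
    # Control code 203 is what the article uses to restart the user-mode service
    sc.exe control carbonblack 203 | Out-Null
}

function Enable-CbVerboseLogging {
    Backup-CbConfig
    foreach ($name in $ValueNames) {
        # REG_DWORD 7 matches the Live Response 'reg add ... -t REG_DWORD -d 7' step
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value 7 -Force | Out-Null
    }
    Restart-CbSensorUserMode
}

function Disable-CbVerboseLogging {
    foreach ($name in $ValueNames) {
        Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    }
    Restart-CbSensorUserMode
}

function Get-CbDebugState {
    # Shows the current debug levels; a value of $null means the setting is absent
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    [ordered]@{
        DebugLevel       = $props.DebugLevel
        KernelDebugLevel = $props.KernelDebugLevel
    }
}

# Usage: Enable-CbVerboseLogging; reproduce the issue and collect logs;
# then Disable-CbVerboseLogging and confirm with Get-CbDebugState.
```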