Carbon Black Cloud: How to Create a Live Memory Dump With RepCLI

Article ID: 286119

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Use RepCLI to generate a live memory dump from an endpoint running the Carbon Black Cloud sensor.

Environment

  • Carbon Black Cloud Sensor: 3.5.0.1523 and higher
  • Microsoft Windows: All supported versions 

Resolution

  1. Log into the machine with a user account that matches the AD User or Group SID configured for RepCLI authentication.
  2. For Windows 7 and 8.0 machines, proceed directly to the next step. For Windows 8.1 and higher (including Windows 10), enable kernel debug logging before continuing; without it, the live dump contains kernel memory only.
  3. Launch a Command Prompt
  4. Run commands:
    cd C:\Program Files\Confer
    repcli unlock <uninstall-code>
    repcli LiveMemDump
  5. The following results will print to the command line:
    DebugHandler::LiveMemDump: Successfully created live memory dump file: c:\Program Files\Confer\RepCLI_MemDump.dmp
    Successfully set FileSecurity::DEFAULT_PRIVILEGE_LEVEL on the file
  6. RepCLI_MemDump.dmp can now be gathered with Sensor logs through the support console
  7. To manually access, copy, or later delete the RepCLI_MemDump.dmp file, the file permissions must first be relaxed with the following command:
    RepCLI FileAccess Relaxed
  8. The following results will print to the command line:
    Successfully set file access for all 1 tracked files.
    Result List:
      File: c:\Program Files\Confer\RepCLI_MemDump.dmp -- Effective PrivilegeMask: USERS, ADMINS, SYSTEM
  9. If manually gathering the dump file, compress it prior to uploading to CBvault.
  10. On Windows 8.1 and higher, disable kernel debug logging again once the dump has been collected, to prevent performance and disk space issues.
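The following PowerShell script is an added example that wraps steps 3 through 9 above into a single repeatable collection routine; it is not part of the article and not Carbon Black's own tooling. It assumes RepCLI lives at C:\Program Files\Confer (the path used in the article), that the operator supplies the sensor uninstall code as the $UninstallCode parameter, and that RepCLI's success message matches the text quoted in step 5. The script name, parameter names, and the Invoke-RepCli helper are hypothetical. Enabling and disabling kernel debug logging (steps 2 and 10) is left as a manual action.

```powershell
# Added example (not from the KB article): collect a RepCLI live memory dump,
# relax its ACL, and compress it with a SHA256 hash recorded for the support case.
# Assumptions: RepCLI is installed under C:\Program Files\Confer, $UninstallCode
# is supplied by the operator, and repcli prints the messages quoted in the article.
param(
    [Parameter(Mandatory = $true)]
    [string]$UninstallCode,                        # sensor uninstall code used by "repcli unlock"
    [string]$ConferDir = 'C:\Program Files\Confer', # sensor install directory from the article
    [string]$ArchiveDir = $env:TEMP                 # where the compressed dump is written
)

$repcli = Join-Path $ConferDir 'repcli.exe'
if (-not (Test-Path -LiteralPath $repcli)) {
    throw "repcli.exe not found at $repcli"
}

function Invoke-RepCli {
    # Hypothetical helper: run repcli with the given arguments, merge stderr into
    # stdout, echo each line for the operator, and return the lines as strings.
    param([string[]]$Arguments)
    $lines = @(& $repcli @Arguments 2>&1 | ForEach-Object { $_.ToString() })
    $lines | ForEach-Object { Write-Host "  $_" }
    return $lines
}

# Step 4: unlock RepCLI with the uninstall code, then request the live dump.
Invoke-RepCli @('unlock', $UninstallCode) | Out-Null
$dumpOutput = Invoke-RepCli @('LiveMemDump')

# Step 5: pull the dump path out of the success line quoted in the article.
# A missing success line usually means a previous LiveMemDump is still running.
$match = $dumpOutput |
    Select-String -Pattern 'Successfully created live memory dump file:\s*(.+\.dmp)' |
    Select-Object -First 1
if (-not $match) {
    throw 'LiveMemDump did not report success; check the output above and retry later'
}
$dumpPath = $match.Matches[0].Groups[1].Value.Trim()

# Step 7: relax the ACL so the dump can be read (and later deleted) by an operator.
Invoke-RepCli @('FileAccess', 'Relaxed') | Out-Null
if (-not (Test-Path -LiteralPath $dumpPath)) {
    throw "Dump file $dumpPath is not accessible after FileAccess Relaxed"
}

# Step 9: compress before upload and record size and hash for the support case.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$zipPath = Join-Path $ArchiveDir "RepCLI_MemDump-$env:COMPUTERNAME-$stamp.zip"
Compress-Archive -LiteralPath $dumpPath -DestinationPath $zipPath -CompressionLevel Optimal

$dumpMB = [math]::Round((Get-Item -LiteralPath $dumpPath).Length / 1MB, 1)
$sha256 = (Get-FileHash -LiteralPath $zipPath -Algorithm SHA256).Hash
Write-Host "Dump file : $dumpPath ($dumpMB MB)"
Write-Host "Archive   : $zipPath"
Write-Host "SHA256    : $sha256"
```

Run it from an elevated PowerShell session as the account configured for RepCLI authentication. Two practical points: the uninstall code is a secret that unlocks sensor management, so pass it interactively rather than hard-coding it, and Windows PowerShell 5.1's Compress-Archive cannot write archives larger than 2 GB, which a live dump on Windows 7 (often larger than total RAM, per the notes below) can easily exceed; for dumps that size, use a different archiver and keep the hash step.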

Additional Information

  • The live memory dump produces a full memory dump (depending on OS configuration) without crashing the system.
  • On Windows 7 and 8.0, both kernel and user memory are included in the dump; this is what is considered a full memory dump.
  • On Windows 8.1 and higher (including Windows 10), live dumps require kernel debugging to be enabled in order to capture a full memory dump; only kernel memory is dumped unless debugging is enabled.
  • Memory dump size varies from one live dump to the next.
  • Windows 7 live memory dumps are typically larger than the total RAM.
  • Windows 10 live memory dumps are typically smaller than the total RAM.
  • If the LiveMemDump command is run before a previous LiveMemDump command has completed, the command prints a failure message to the command line.