Carbon Black Cloud: How to Collect a ProcDump
search cancel

Carbon Black Cloud: How to Collect a ProcDump


Article ID: 286139


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


To collect a procdump to aid in troubleshooting performance cases


  • Carbon Black Cloud: All Supported Versions
  • Microsoft Windows: All Supported Versions


  1. Download ProcDump tool via
  2. Open admin CMD prompt.
  3. Run command:
    cd c:\program files\confer
    repcli bypass 1
    sc qprotection cbdefense --Result will show either ANTIMALWARE LIGHT or None
    repcli registerProtectedSvcs 0 --This can be skipped if result of previous command is "none"
    repcli unlock <uninstall-code>
    repcli deletepolicy 1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D
    repcli stopCbServices
    sc start cbdefense
    repcli bypass 0
  4. Change directory to where procdump was saved
  5. Use TaskManager to identify the Process ID (PID) for the process causing the CPU spike (Task Manager > More Details > Details tab)
  6. In the Command Prompt, execute the following command: "procdump.exe -ma -s 5 -n 5 [PID]" with the value for the application's PID in the field marked without the square brackets.
  7. This command will capture a user dump sample of the spiking process every 5 seconds 5 times.
    • Please allow the process to remain running for these 25 seconds at least to allow this to complete.
    • The logs will be generated in the same directory as procdump.exe is executed from
  8. Run commands:
    cd c:\program files\confer
    repcli bypass 1
    repcli registerProtectedSvcs 1 -- Unnecessary if was skipped in step 3
    repcli restorepolicy
    repcli stopCbServices
    if using a sensor version prior to, edit cfg.ini and remove "UnregisterProtected=True"
    sc start cbdefense
    repcli bypass 0
  9. Please zip all files and upload them to the CB Vault here -
  10. Once the upload completes, please comment on the support case that the data is available for review