To collect a procdump to aid in troubleshooting performance cases

• Carbon Black Cloud Console: All Supported Versions
• Carbon Black Cloud Windows Sensor: All Versions
• Microsoft Windows: All Supported Versions
• ProcDump: Latest Version

1. Download ProcDump tool via https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
2. Open admin CMD prompt.
3. Run command:

   cd c:\program files\confer
   repcli bypass 1
   sc qprotection cbdefense --Result will show either ANTIMALWARE LIGHT or None
   repcli registerProtectedSvcs 0 --This can be skipped if result of previous command is "none"
   repcli unlock <uninstall-code>
   repcli deletepolicy 1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D
   repcli stopCbServices
   sc start cbdefense
   repcli bypass 0

4. Change directory to where procdump was saved
5. Use TaskManager to identify the Process ID (PID) for the process causing the CPU spike (Task Manager > More Details > Details tab)
6. In the Command Prompt, execute the following command: "procdump.exe -ma -s 5 -n 5 [PID]" with the value for the application's PID in the field marked without the square brackets.
7. This command will capture a user dump sample of the spiking process every 5 seconds 5 times.
   • Please allow the process to remain running for these 25 seconds at least to allow this to complete.
   • The logs will be generated in the same directory as procdump.exe is executed from
8. Run commands:

   cd c:\program files\confer
   repcli bypass 1
   repcli registerProtectedSvcs 1 -- Unnecessary if was skipped in step 3
   repcli restorepolicy
   repcli stopCbServices
   if using a sensor version prior to 3.6.0.1897, edit cfg.ini and remove "UnregisterProtected=True"
   sc start cbdefense
   repcli bypass 0

9. Please zip all files and upload them to the Wolken Support case.
10. Once the upload completes, please comment on the support case that the data is available for review