Carbon Black Cloud: How to Collect a ProcDump



Article ID: 286139


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

How to collect a ProcDump of a process to aid in troubleshooting performance cases (for example, a CPU spike).

Environment

  • Carbon Black Cloud: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Download the ProcDump tool from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
  2. Open an administrative Command Prompt.
  3. Run the following commands:
    cd c:\program files\confer
    repcli bypass 1
    sc qprotection cbdefense
    repcli registerProtectedSvcs 0
    repcli unlock <uninstall-code>
    repcli deletepolicy 1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D
    repcli stopCbServices
    sc start cbdefense
    repcli bypass 0
    • The result of "sc qprotection cbdefense" will show either ANTIMALWARE LIGHT or None.
    • "repcli registerProtectedSvcs 0" can be skipped if the result of the previous command is None.
  4. Change directory to where procdump.exe was saved.
  5. Use Task Manager to identify the Process ID (PID) of the process causing the CPU spike (Task Manager > More Details > Details tab).
  6. In the Command Prompt, execute the following command: "procdump.exe -ma -s 5 -n 5 [PID]", replacing [PID] with the application's PID (without the square brackets).
  7. This command captures a user dump of the spiking process every 5 seconds, 5 times.
    • Allow the process to remain running for at least these 25 seconds so that the capture completes.
    • The dump files are written to the directory procdump.exe is executed from.
  8. Run the following commands:
    cd c:\program files\confer
    repcli bypass 1
    repcli registerProtectedSvcs 1
    repcli restorepolicy
    repcli stopCbServices
    (if using a sensor version prior to 3.6.0.1897, edit cfg.ini and remove "UnregisterProtected=True" before starting the service)
    sc start cbdefense
    repcli bypass 0
    • "repcli registerProtectedSvcs 1" is unnecessary if "repcli registerProtectedSvcs 0" was skipped in step 3.
  9. Zip all files and upload them to the CB Vault here - https://community.carbonblack.com/groups/cb-vault
  10. Once the upload completes, comment on the support case that the data is available for review.
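The capture and packaging part of the procedure (steps 4 to 7 and 9), as an added batch script that is not part of this article or of the Carbon Black product. It confirms the PID belongs to a running process, runs ProcDump with the same "-ma -s 5 -n 5" arguments, checks that all five dump files were actually written (the process must survive the 25 seconds), and zips them for upload. It assumes procdump.exe is in the current directory or on PATH, that ProcDump's -accepteula switch is used so the EULA prompt does not block an unattended run, and that the "tar" command built into Windows 10 1803 and later is available for creating the zip; the output folder name "dumps_<PID>" is a constructed convention.

```batch
@echo off
rem Added example (not from the Carbon Black KB article): capture five full
rem user dumps of a process and package them for upload.
rem Usage: collect_procdump.cmd <PID>
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<PID^>
    exit /b 1
)
set "PID=%~1"
set "COUNT=5"
set "INTERVAL=5"
rem Constructed output folder name; dumps are kept separate from the tool.
set "OUTDIR=%CD%\dumps_%PID%"

rem Confirm the PID belongs to a running process before capturing.
rem With a PID filter tasklist lists only that process, or an INFO message
rem containing no digits, so a substring match on the PID is sufficient.
tasklist /FI "PID eq %PID%" /NH | find "%PID%" >nul
if errorlevel 1 (
    echo No running process with PID %PID%.
    exit /b 1
)

mkdir "%OUTDIR%" 2>nul

rem -ma = full user dump, -s 5 = 5 seconds between dumps, -n 5 = five dumps.
rem The target must stay alive for at least COUNT*INTERVAL = 25 seconds.
rem The trailing argument is the folder ProcDump writes the .dmp files into.
procdump.exe -accepteula -ma -s %INTERVAL% -n %COUNT% %PID% "%OUTDIR%"

rem Verify the expected number of dump files was produced; fewer than five
rem usually means the process exited before the capture window ended.
set /a FOUND=0
set "FILES="
for %%F in ("%OUTDIR%\*.dmp") do (
    set /a FOUND+=1
    set FILES=!FILES! "%%~nxF"
)
if not !FOUND! EQU %COUNT% (
    echo Expected %COUNT% dump files but found !FOUND! in "%OUTDIR%".
    exit /b 1
)

rem Package the dumps for upload (step 9). "tar -a" picks the zip format
rem from the .zip suffix; file names are passed explicitly rather than
rem relying on wildcard expansion.
pushd "%OUTDIR%"
tar -a -c -f "procdump_%PID%.zip" !FILES!
set "TAR_RC=!errorlevel!"
popd
if not "!TAR_RC!"=="0" (
    echo Failed to create the zip archive.
    exit /b 1
)
echo Dumps zipped to "%OUTDIR%\procdump_%PID%.zip"
endlocal
exit /b 0
```

Run it from the administrative Command Prompt opened in step 2, after the sensor has been placed in bypass per step 3, and upload the resulting zip in step 9; the dump-count check is the point of the script, since a dump set cut short by the process exiting early is the most common reason a performance case has to be re-collected.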