App Control: How to generate agent dump files using ProcDump

Article ID: 286237

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

How to create a memory dump file for the App Control Agent using ProcDump.

Environment

  • App Control Agent: All versions.
  • Microsoft Windows client: Vista and higher.
  • Microsoft Windows Server: 2008 and higher.
  • ProcDump: any version

 

Resolution

  1. Log on to the affected endpoint.
  2. Download ProcDump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump, unzip it, and place it in C:\Dumps
  3. Disable Tamper Protection from Assets -> Computers -> View machine details -> on the right-hand side select 'Disable Tamper Protection', or open a CMD prompt as admin on the affected endpoint and enter the commands below:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password <your global or CLI password without the brackets>
    dascli tamperprotect 0
  4. Open an elevated command prompt and enter the following:
    cd "C:\Dumps"
    procdump.exe -e -ma -w parity.exe
  5. Leave this window open at all times, even if you log out from the machine. Otherwise ProcDump will stop running, and it needs to be constantly monitoring until the issue is detected.
  6. Once parity.exe crashes, it should generate a .dmp file in C:\Dumps. Please zip these files and upload them to the CB Vault:
    https://community.carbonblack.com/t5/CB-Vault/gp-p/g-4922
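
As an added example (not part of the original article or any vendor tooling), steps 4 to 6 can be run from an elevated PowerShell window so that the ProcDump signature is checked before it runs as admin and the resulting dumps are zipped and hashed for upload. It assumes PowerShell 4.0 or later with .NET 4.5 or later; the archive name is hypothetical.

```powershell
# Added example, not vendor code. Assumes PowerShell 4.0+ / .NET 4.5+.
$DumpDir  = 'C:\Dumps'                          # directory from step 2
$ProcDump = Join-Path $DumpDir 'procdump.exe'
$Started  = Get-Date
# Hypothetical archive name; any name works for the upload.
$Archive  = Join-Path $DumpDir ('parity-dumps-{0:yyyyMMdd-HHmmss}.zip' -f $Started)

# Step 4 needs an elevated prompt; stop early if this one is not.
$me = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell window.'
}

# Confirm the downloaded binary is intact and Microsoft-signed before running it.
$sig = Get-AuthenticodeSignature -FilePath $ProcDump -ErrorAction Stop
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signature on ${ProcDump}: $($sig.Status)"
}

# Same command as step 4, plus -accepteula so the EULA prompt cannot block it.
# This call blocks until ProcDump exits; keep the window open (step 5).
Set-Location $DumpDir
& $ProcDump -accepteula -e -ma -w parity.exe

# Collect only the dumps written during this run.
$dumps = @(Get-ChildItem -Path $DumpDir -Filter '*.dmp' |
           Where-Object { $_.LastWriteTime -ge $Started })
if ($dumps.Count -eq 0) { throw "No new .dmp files in $DumpDir." }

# Zip the dumps only (not procdump.exe). -ma dumps hold the full process
# memory, so treat the archive as sensitive data.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::Open($Archive, 'Create')
try {
    foreach ($d in $dumps) {
        [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile(
            $zip, $d.FullName, $d.Name)
    }
} finally { $zip.Dispose() }

# Record hashes so the upload can be checked against what left the endpoint.
$dumps + (Get-Item $Archive) |
    Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize
```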
