App Control: How to generate agent dump files using ProcDump
Article ID: 286237
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
How to create a memory dump file of the App Control Agent process (parity.exe) using ProcDump, for example when the agent is crashing.
Environment
App Control Agent: All versions.
Microsoft Windows client: Vista and higher.
Microsoft Windows Server: 2008 and higher.
ProcDump: any version
Resolution
Log on to the affected endpoint.
Download ProcDump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump, unzip it, and place procdump.exe in C:\Dumps.
Disable tamper protection, either from the console under Assets -> Computers -> View machine details -> 'Disable Tamper Protection' on the right-hand side, or by opening a command prompt as administrator on the affected endpoint and entering the following commands:
cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password <your global or CLI password, without the angle brackets>
dascli tamperprotect 0
Open an elevated command prompt and enter the following:
cd "C:\Dumps"
procdump.exe -e -ma -w parity.exe
Leave this window open at all times, even if you log off from the machine; if the window is closed, ProcDump stops running, and it needs to keep monitoring parity.exe until the issue occurs.
Once parity.exe crashes, ProcDump writes a .dmp file to C:\Dumps. Zip the file(s) and upload the archive to the Carbon Black vault.
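The steps above, combined into one script as an added example (this is not part of the KB article and is not Carbon Black's or Microsoft's code). It assumes procdump.exe has already been unzipped into C:\Dumps, that the agent is installed in the default "C:\Program Files (x86)\Bit9\Parity Agent" folder, and it uses the standard Sysinternals -accepteula switch so the EULA prompt does not block the unattended run. The $CliPassword parameter is only needed if tamper protection was not already disabled from the console.

```powershell
# Added example (not from the KB article): check prerequisites, disable the
# agent's tamper protection via dascli, attach ProcDump to parity.exe with the
# article's flags, and zip any resulting dump for upload.
# Assumptions: procdump.exe is already in $DumpDir; the agent uses the default
# install path; -accepteula is the standard Sysinternals EULA-suppression switch.
param(
    [string]$DumpDir  = 'C:\Dumps',
    [string]$AgentDir = 'C:\Program Files (x86)\Bit9\Parity Agent',
    [string]$CliPassword   # global or CLI password, as in the article; omit if already disabled in the console
)

$procdump = Join-Path $DumpDir 'procdump.exe'
$dascli   = Join-Path $AgentDir 'dascli.exe'

# 1. Prerequisite checks: elevated session, tools present, agent process state.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
if (-not (Test-Path $procdump)) { throw "procdump.exe not found in $DumpDir" }
if (-not (Get-Process -Name parity -ErrorAction SilentlyContinue)) {
    Write-Warning 'parity.exe is not running yet; ProcDump -w will wait for it to start.'
}

# 2. Disable tamper protection from the CLI (same dascli commands as the article).
if ($CliPassword) {
    if (-not (Test-Path $dascli)) { throw "dascli.exe not found in $AgentDir" }
    & $dascli password $CliPassword
    & $dascli tamperprotect 0
}

# 3. Attach ProcDump: -e (dump on unhandled exception), -ma (full memory dump),
#    -w (wait for the process if it is not running yet). The call blocks until a
#    dump is written, so this window must stay open the whole time.
Push-Location $DumpDir
try {
    & $procdump -accepteula -e -ma -w parity.exe
} finally {
    Pop-Location
}

# 4. Package any resulting .dmp files for upload to the vault.
$dumps = Get-ChildItem -Path $DumpDir -Filter '*.dmp'
if ($dumps) {
    $zip = Join-Path $DumpDir ('parity-dumps-{0:yyyyMMdd-HHmmss}.zip' -f (Get-Date))
    Compress-Archive -Path $dumps.FullName -DestinationPath $zip
    Write-Host "Dump(s) zipped to $zip; upload this archive to the Carbon Black vault."
} else {
    Write-Host 'No .dmp files were produced.'
}
```

Run it from an elevated PowerShell prompt, for example `.\Collect-ParityDump.ps1 -CliPassword '<password>'`, and leave that window open until the crash reproduces. Once the dump has been collected, re-enable tamper protection (the counterpart of the article's command is `dascli tamperprotect 1`, or use the console toggle), since the agent is left unprotected while the capture is running.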