How to Enable Kernel Driver Logging on Startup (Windows)
search cancel

How to Enable Kernel Driver Logging on Startup (Windows)

book

Article ID: 286644

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to enable the Agent's Kernel Driver logging on startup.

Environment

  • App Control Agent: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Open a command prompt as Administrator and execute the following commands: 
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
dascli password GlobalCLIPassword
dascli tamperprotect 0
net stop parity
fltmc unload paritydriver
  2. Click Start > Run > regedit > OK.
    • Add or Update the FlagsEx value in HKLM\SYSTEM\CurrentControlSet\services\paritydriver\Parameters
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\paritydriver\Parameters]

FlagsEx REG_DWORD 0x80000000
  • Under HKLM\CurrentControlSet\Control\WMI\Autologger\ create a new key called ParityDriver and add the following values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver]

BufferSize REG_DWORD 0x10000
ClockType REG_DWORD 0x00002
FileName REG_SZ C:\Temp\Autolog.etl
LogFileMode REG_DWORD 0x4
GUID REG_SZ {5CBD99EC-AFCE-4FA0-A9ED-0E8C5F7F32FD}
Start REG_DWORD 0x00000001
Status REG_DWORD 0x00000000
  • Under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver create a new key called {15565A80-7AAB-4752-A686-0F14408092C7} and add the following values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver\{15565A80-7AAB-4752-A686-0F14408092C7}]

Enabled REG_DWORD 0x00000001
EnableFlags REG_DWORD 0x07ffffff
EnableLevel REG_DWORD 0x00000004
Status REG_DWORD 0x00000000

This key matches the App Control application GUID and it is critical that it matches the provided value

  1. Reboot the machine and verify that the C:\Temp\Autolog.etl file has been created
  2. Open regedit and check that the Status value under ParityDriver is 0 and that the Enabled value under ParityDriver\{15565A80-7AAB-4752-A686-0F14408092C7}] is 1
  3. When done with reproducing the issue and collecting the ETL file log, make sure to remove the "flagsex" and ParityDriver key on Autologger from the registry to avoid continuous logging that can take up disk space
  4. Do another reboot to terminate the logging
  5. Verify that the C:\Temp\Autolog.etl has a non-zero size and provide it along with the captured diagnostic file

Additional Information

Note: For Enabling Agent 'Service' Trace Logging from Startup, please reference this Kb 

Powered by Wolken Software