Carbon Black App Control (formerly Cb Protection)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Steps to capture a Windows Performance Recorder (WPR) trace for troubleshooting and diagnosis of an issue.
Environment
All Products
Microsoft Windows: All Supported Versions
Resolution
Command Line:
The command line version of WPR is included by default on Windows 10 and above.
Launch an administrative command prompt and issue the following commands:
cd "C:\Windows\System32"
wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter
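The command line above starts the recording but does not show the stop and packaging steps. The following batch file is an added example, not part of the KB article, that drives the same command-line capture end to end: it starts the same six profiles, waits while the issue is reproduced, stops the recording into a timestamped .etl file under the default WPR Files folder, zips it for Support, and prints the current Paging Executive registry value so you know whether the reversal/reboot described under Additional Information applies. It assumes an elevated command prompt on Windows 10 or later with wpr.exe on the PATH; the -stop and -cancel switches are standard WPR options that the article does not mention, and the output folder and file name prefix are choices made here.

```batch
@echo off
REM Added example (not from the KB article): end-to-end command-line WPR capture.
REM Assumes: elevated command prompt, Windows 10+ (wpr.exe on PATH), Windows
REM PowerShell 5 available for Compress-Archive. Output folder and name are assumptions.
setlocal

REM Build a file name that is safe regardless of the locale's %DATE%/%TIME% format.
set "OUTDIR=%USERPROFILE%\Documents\WPR Files"
set "STAMP=%DATE%_%TIME%"
set "STAMP=%STAMP::=-%"
set "STAMP=%STAMP:/=-%"
set "STAMP=%STAMP:.=-%"
set "STAMP=%STAMP:,=-%"
set "STAMP=%STAMP: =_%"
set "ETL=%OUTDIR%\wpr_capture_%STAMP%.etl"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM Same profiles as the article's command line (profile names are case-insensitive).
wpr -start CPU -start DiskIO -start FileIO -start Registry -start Network -start Minifilter
if errorlevel 1 (
    echo wpr -start failed. Confirm the prompt is elevated and check "wpr -status".
    exit /b 1
)

echo Recording. Reproduce the issue now, then press any key to stop the trace.
pause >nul

REM -stop flushes the in-memory buffers to the .etl file; -cancel discards a session
REM that could not be saved so it does not keep consuming memory in the background.
wpr -stop "%ETL%"
if errorlevel 1 (
    echo wpr -stop failed; cancelling the session.
    wpr -cancel
    exit /b 1
)

REM Package the trace for Support.
powershell -NoProfile -Command "Compress-Archive -LiteralPath '%ETL%' -DestinationPath '%ETL%.zip' -Force"
echo Trace saved to "%ETL%.zip"

REM Show whether WPR changed the Paging Executive setting (see Additional Information).
REM A value of 1 means kernel memory is being kept out of the page file; on Windows 7
REM reverse it with "wpr -disablepagingexecutive off" and reboot once the capture is done.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePagingExecutive

endlocal
```

Run the script from the same administrative prompt the article describes; on EDR sensor 7.2.0 and later, temporarily disable Tamper Protection first so the trace can resolve stacks inside cb.exe, and re-enable it once the .zip has been produced.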
Graphical Interface:
Launch Windows Performance Recorder and click More options. Configure as follows:
    First Level Triage: Enabled.
    Resource Analysis: Enable the following...
        CPU Usage
        Disk I/O activity
        File I/O activity
        Networking I/O activity
    Scenario Analysis: Enable the following...
        Minifilter I/O activity
    Performance scenario: General
    Detail Level: Verbose
    Logging Mode: File
Click Start.
Reproduce the issue, then click the Save button.
Choose a location for the WPR capture.
Zip the resulting file and provide it to Support.
Additional Information
EDR Sensor version 7.2.0 and higher requires Tamper Protection to be temporarily disabled so that WPR can access cb.exe for stack trace information.
By default the WPR capture is saved in C:\Users\<User>\Documents\WPR Files\
WPR may ask to modify the registry in order to prevent kernel memory from being paged to disk by the Paging Executive. This allows the application to collect more complete stack information. If it does change the registry, a reboot will be required for the setting to take effect.
If the computer OS is Windows 7, use an administrative command prompt to reverse these registry modifications manually after the recording:
wpr -disablepagingexecutive off
Windows 8 and above do not need these modifications reversed manually.