Products:
Carbon Black App Control (formerly Cb Protection)
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Steps to capture a Windows Performance Recorder (WPR) trace to troubleshoot and diagnose an issue.
Environment
All Products
Microsoft Windows: All Supported Versions
Resolution
The command line version of WPR (wpr.exe) is included by default on Windows 10 and above; the graphical version (WPRUI) is installed separately with the Windows Performance Toolkit from the Windows ADK.
WPR Capture from Command Line:
For a Standard WPR Capture:
Launch an administrative command prompt and issue the relevant commands (one profile is started per -start switch; profile names are not case sensitive):
cd "C:\Windows\System32"
wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter
Reproduce the issue.
Stop the recording and write the trace to disk (the destination folder, C:\Temp here, must already exist or wpr -stop fails):
wpr -stop "C:\Temp\WPRCapture.etl"
Zip the resulting file and provide to Support.
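The standard capture above, wrapped into one PowerShell script. This is an added example and is not part of the original article or of the Carbon Black sensor tooling; the output folder and trace name are assumptions passed as parameters, and it uses only the wpr.exe switches already shown (plus wpr -status, which reports whether a recording is already running).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original KB article): start the standard WPR
# profiles, wait while the issue is reproduced, stop the recording and zip
# the resulting .etl for Support. OutputDir and TraceName are assumptions.
param(
    [string]$OutputDir = 'C:\Temp',
    [string]$TraceName = 'WPRCapture'
)

$ErrorActionPreference = 'Stop'

# wpr.exe ships with Windows 10 and later; fail clearly if it is missing.
$wpr = Join-Path $env:SystemRoot 'System32\wpr.exe'
if (-not (Test-Path $wpr)) {
    throw "wpr.exe not found at $wpr; it is built into Windows 10 and later"
}

# wpr -stop cannot create the destination folder, so create it up front.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$etl = Join-Path $OutputDir "$TraceName.etl"
$zip = Join-Path $OutputDir "$TraceName.zip"

# Refuse to start on top of someone else's recording: wpr -status prints
# "WPR is not recording" when the recorder is idle.
$status = (& $wpr -status 2>&1) | Out-String
if ($status -notmatch 'not recording') {
    throw "A WPR recording is already in progress:`n$status"
}

# Same profile set as the manual command in the article above.
& $wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter
if ($LASTEXITCODE -ne 0) {
    throw "wpr -start failed with exit code $LASTEXITCODE"
}

Write-Host 'Recording started. Reproduce the issue now.'
Read-Host  'Press Enter to stop the recording and save the trace'

& $wpr -stop $etl
if ($LASTEXITCODE -ne 0) {
    throw "wpr -stop failed with exit code $LASTEXITCODE"
}

# Report the trace size so an empty or truncated capture is noticed before upload.
$sizeMB = (Get-Item $etl).Length / 1MB
Write-Host ('Trace written: {0} ({1:N1} MB)' -f $etl, $sizeMB)

# Compress for upload; -Force overwrites an archive left over from an earlier run.
Compress-Archive -Path $etl -DestinationPath $zip -Force
Write-Host "Archive ready for Support: $zip"
```

Run it from an elevated PowerShell window, reproduce the issue while it waits, then press Enter. Keep the reproduction window as short as practical: these profiles are verbose and the .etl grows quickly on a busy endpoint.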
For a Boot WPR Capture:
Launch an administrative command prompt and issue the relevant commands:
cd "C:\Windows\System32"
wpr -addboot CPU -addboot diskio -addboot fileio -addboot registry -addboot network -addboot minifilter
Reboot the computer; the recording starts during the next boot.
After login, immediately open an administrative command prompt and stop the capture (the destination folder must already exist):
cd "C:\Windows\System32"
wpr -stopboot "C:\Temp\WPRCapture.etl"
Zip the resulting file and provide it to Support.
WPR Capture from the GUI:
Launch Windows Performance Recorder (WPRUI) and click More options. Configure as follows:
First Level Triage: Enabled.
Resource Analysis: Enable the following...
CPU Usage
Disk I/O activity
File I/O activity
Networking I/O activity
Scenario Analysis: Enable the following...
Minifilter I/O activity
Performance scenario: General
Detail Level: Verbose
Logging Mode: File
Click Start.
Reproduce the issue, then click Save.
Choose a location for the WPR capture.
Zip the resulting file and provide it to Support.
Additional Information
EDR sensor version 7.2.0 and higher requires Tamper Protection to be temporarily disabled so that WPR can access cb.exe for stack trace information. Re-enable Tamper Protection once the capture is complete.
By default the WPR GUI saves captures in
C:\Users\<User>\Documents\WPR Files\
WPR may ask to modify the registry (the DisablePagingExecutive setting) to prevent kernel memory from being paged to disk by the Paging Executive. This allows WPR to collect more complete stack information. If it does change the registry, a reboot is required for the setting to take effect.
If the computer OS is Windows 7, use an administrative command prompt to reverse these registry modifications manually after the recording:
wpr -disablepagingexecutive off
Windows 8 and above does not need to have these modifications reversed manually.
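A check for the registry change described above, added here as an example (not from the original article): it reads the DisablePagingExecutive value under the Memory Management key, reports whether WPR's change is in place, and on Windows 7 reverses it with the wpr switch shown. The key path and value name are those of the standard Windows setting; the OS version test is an assumption based on Windows 7 reporting kernel version 6.1.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original KB article): inspect and, on Windows 7,
# revert the DisablePagingExecutive change that WPR can make.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$name = 'DisablePagingExecutive'

function Get-PagingExecutiveState {
    # Returns the current value (0/1) or $null if the value is absent.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

$value = Get-PagingExecutiveState
if ($value -eq 1) {
    Write-Host "$name is set: kernel memory is kept out of the page file (a reboot was needed for this to apply)."

    # Windows 7 / Server 2008 R2 report version 6.1; later versions clean this up themselves.
    $ver = [Environment]::OSVersion.Version
    if ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
        & "$env:SystemRoot\System32\wpr.exe" -disablepagingexecutive off
        if ($LASTEXITCODE -ne 0) {
            throw "wpr -disablepagingexecutive off failed with exit code $LASTEXITCODE"
        }
        Write-Host "Reverted $name on Windows 7; reboot for the change to take effect."
    } else {
        Write-Host 'Windows 8 or later: no manual reversal required.'
    }
} else {
    Write-Host "$name is not set; nothing to revert."
}
```

Run it after the recording is complete. On Windows 7 the reversal only takes effect after the next reboot, the same as the original change.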