CB Defense: How to Toggle Kernel Debug Logging To Gather A Full Memory Dump
Article ID: 287055

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Toggle kernel debug logging in Windows to gather a full live memory dump (User and Kernel memory space)

Environment

  • Microsoft Windows: Windows 8.1 and higher (including Windows 10)
  • CB Defense PSC Sensor: 3.5.x.x and higher 

Resolution

  1. Open a command prompt as Administrator
  2. Enter the following command:
    bcdedit /debug on
  3. Reboot the machine
  4. After gathering the full live memory dump, disable kernel debug logging:
    bcdedit /debug off
  5. Reboot the machine
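The steps above are typed by hand, which makes it easy to forget whether the setting was already on, whether the change actually took, or to leave debugging enabled afterwards. The following PowerShell script is an added example (not part of the Carbon Black article and not a Carbon Black tool) that reads the current kernel debug state from the running boot entry, toggles it only when needed, and verifies the result. It assumes an elevated PowerShell session and that bcdedit.exe prints its English "debug Yes/No" line; the function names are the example's own.

```powershell
# Added example: idempotent, verified toggle of the kernel debug setting.
# Assumptions: elevated PowerShell session; bcdedit.exe on PATH; English
# bcdedit output. Function names (Get-/Set-KernelDebugState) are this example's.

function Get-KernelDebugState {
    # Query only the running boot entry. The braces are quoted so PowerShell
    # passes {current} literally instead of parsing it as a script block.
    $output = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (exit $LASTEXITCODE); run from an elevated prompt.`n$($output -join "`n")"
    }
    foreach ($line in $output) {
        if ($line -match '^\s*debug\s+(Yes|No)\s*$') {
            if ($Matches[1] -eq 'Yes') { return 'on' } else { return 'off' }
        }
    }
    # bcdedit omits the 'debug' line when it has never been set: treat as off.
    return 'off'
}

function Set-KernelDebugState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('on', 'off')]
        [string]$State
    )
    $current = Get-KernelDebugState
    if ($current -eq $State) {
        Write-Host "Kernel debugging is already $State; nothing to do."
        return $false   # no reboot needed
    }
    & bcdedit.exe /debug $State | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit /debug $State failed (exit $LASTEXITCODE)."
    }
    # Re-read the BCD store rather than trusting the exit code alone.
    $after = Get-KernelDebugState
    if ($after -ne $State) {
        throw "Verification failed: bcdedit still reports debug=$after."
    }
    Write-Host "Kernel debugging set to $State. Reboot for the change to take effect."
    return $true    # reboot needed
}

# Usage, mirroring the article's steps:
#   Set-KernelDebugState -State on    # then reboot and gather the dump
#   Set-KernelDebugState -State off   # then reboot again
```

The return value tells a wrapper script whether a reboot is actually pending, so an automated run does not restart a machine that was already in the requested state. Turning the setting back off (step 4) matters beyond tidiness: while kernel debugging is enabled the machine will accept a kernel debugger over whatever transport `bcdedit /dbgsettings` reports, so keep the window between enabling it and gathering the dump as short as the article recommends.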

Additional Information

  • Kernel debug logging is required in Windows 8.1 and higher to gather live dumps of user memory in addition to kernel memory
  • Debugging only needs to be enabled just prior to gathering the memory dump
  • Kernel debug logging is not required to gather a full live memory dump from Windows 7-8.0 machines when using RepCLI