EDR: LiveResponse Exception Encountered When Querying REG_BINARY Items

Article ID: 287429

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Exception encountered when querying REG_BINARY items:
[DESKTOP-0475U5L] C:\WINDOWS\CarbonBlack> reg query HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 -v 'Component Information'

Error: Internal Server Error - <!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>VMWware Carbon Black EDR</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
body

{ background-color: rgb(234, 240, 246); color: rgb(51, 51, 51); cursor: auto; line-height: 1.4; font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 13px; font-style: normal; font-weight: 400; }

#error-container

{ display: flex; flex-direction: row; justify-content: center; align-items: center; height: 400px; }

</style>
</head>
<body>
<div id="error-container">
<div style="text-align: right">
<img src="/images/cb.png">
</div>
<div style="text-align: left">
<h1>500:
Internal Server Error</h1>
<h3>Whoa! Sorry about that!</h3>
<p>Not sure what happened, but it's not meant to work like that!</p>
<p>If you're seeing this consistently, can you tell us about it so we can fix it?
Send us an email at <a href="mailto:[email protected]" target="_new">[email protected]</a>.</p>
</div>
</div>
</body>
</html>
 
  • Exception output in the /var/log/cb/liveresponse/debug.log:
2021-10-12 14:51:37 [762628] <err> cb.liveresponse.lr_api_blueprint - Unhandled exception from API request.
Traceback (most recent call last):
File "/usr/share/cb/virtualenv/lib64/python3.9/site-packages/flask/app.py", line 1950, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/share/cb/virtualenv/lib64/python3.9/site-packages/flask/app.py", line 1936, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/share/cb/virtualenv/lib/python3.9/site-packages/cb/auth/authn_service.py", line 387, in wrapped_f
File "/usr/share/cb/virtualenv/lib/python3.9/site-packages/cb/liveresponse/utils.py", line 22, in wrapped_f
File "/usr/share/cb/virtualenv/lib/python3.9/site-packages/cb/liveresponse/lr_api_blueprint.py", line 234, in command
File "/usr/share/cb/virtualenv/lib/python3.9/site-packages/cb/liveresponse/lr_api_blueprint.py", line 31, in make_response_simplejson
File "/usr/share/cb/virtualenv/lib64/python3.9/site-packages/simplejson/__init__.py", line 395, in dumps
return _default_encoder.encode(obj)
File "/usr/share/cb/virtualenv/lib64/python3.9/site-packages/simplejson/encoder.py", line 296, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/usr/share/cb/virtualenv/lib64/python3.9/site-packages/simplejson/encoder.py", line 378, in iterencode
return _iterencode(o, 0)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 12: invalid start byte

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/share/cb/virtualenv/lib/python3.9/site-packages/cb/liveresponse/lr_api_blueprint.py", line 96, in unhandled_exception
AttributeError: 'UnicodeDecodeError' object has no attribute 'code'

 

Environment

  • EDR Server: 7.x Versions

Cause

This issue is being investigated by VMware CB Engineering.

Resolution

The issue can be worked around by using the execfg command instead:
[DESKTOP-0475U5L] C:\WINDOWS\CarbonBlack>  execfg reg query HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 /v "Component Information" 

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0
    Component Information    REG_BINARY    000000000000000000000000FFFFFFFF
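
The byte offset in the traceback can be checked against the value the workaround returns. The following is an added example, not Carbon Black code: it parses the `reg query` text output shown above into JSON-safe records, keeping REG_BINARY data as hex text, and shows that decoding the raw bytes as UTF-8 fails at offset 12, the position reported in debug.log. That the server decodes the raw value as UTF-8 is an inference from the traceback, not a confirmed cause; all function names are illustrative.

```python
import json
import re

# Constructed sample reproducing the execfg output in this article:
# 12 zero bytes followed by FF FF FF FF, printed by reg.exe as hex text.
SAMPLE_OUTPUT = (
    "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\MultifunctionAdapter\\0\n"
    "    Component Information    REG_BINARY    " + "00" * 12 + "FF" * 4 + "\n"
)

# reg.exe prints each value as: 4 spaces, name, 4 spaces, REG_* type, 4 spaces, data.
# Value names may contain single spaces, so fields are split on runs of 4 spaces.
VALUE_LINE = re.compile(
    r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)(?: {4}(?P<data>.*))?$"
)


def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: [{name, type, data}, ...]}."""
    result, key = {}, None
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match and key is not None:
            result[key].append(
                {"name": match["name"], "type": match["type"], "data": match["data"] or ""}
            )
        elif line.startswith("HKEY_"):
            key = line.strip()
            result[key] = []
    return result


def first_invalid_utf8_offset(raw):
    """Return the offset at which UTF-8 decoding of raw fails, or None if it decodes."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def to_json(parsed):
    """Serialize parsed records; binary data stays hex text, so encoding cannot fail."""
    return json.dumps(parsed, sort_keys=True)


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_OUTPUT)
    value = next(iter(parsed.values()))[0]
    print("UTF-8 decode fails at offset:", first_invalid_utf8_offset(bytes.fromhex(value["data"])))
    print(to_json(parsed))
```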