Endpoint Standard: How to Turn On Live Response Memory Dump Capability in Sensor Version 3.3.x and 3.4.x
Article ID: 287602

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Turn on the Live Response memory dump capability on a per-machine basis via the registry.

Environment

  • CB Cloud: All Versions
  • Endpoint Standard (Windows): 3.3.x and 3.4.x

Resolution

       1. Place the sensor in bypass mode.
       2. Open Command Prompt as an Administrator.
       3. Set the registry value:
          reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Services\ctifile /v InitializePhysicalMemoryDump /t REG_DWORD /d 1 /f
       4. Take the sensor out of bypass mode.
       5. Reboot the machine for the change to take effect.
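The same registry change as step 3, applied and then read back so the operator can confirm the value before rebooting. This is an added PowerShell example, not from the article or the sensor's own tooling; it assumes an elevated session and that bypass mode (steps 1 and 4) and the reboot (step 5) are handled outside the script, as the article describes. The key path, value name, and DWORD value are the ones in the article.

```powershell
# Added example: set InitializePhysicalMemoryDump = 1 under the ctifile
# service key and verify the write. Bypass mode and the reboot are done
# by the operator per the article; this script only covers the registry step.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\ctifile'
$ValueName = 'InitializePhysicalMemoryDump'

function Enable-CbMemoryDump {
    # Returns $true when the value reads back as 1, $false otherwise.
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    # Step 2 of the article: this must run as Administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Run this from an elevated (Administrator) session.'
        return $false
    }

    # The ctifile key is created by the sensor install; if it is absent the
    # sensor is not present, so do not create the key here.
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key $Path not found; is the sensor installed?"
        return $false
    }

    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq 1) {
        Write-Output "$Name is already 1; no change made (reboot still required if not yet done)."
        return $true
    }

    # Equivalent of: reg.exe ADD <key> /v <name> /t REG_DWORD /d 1 /f
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null

    # Read the value back so a failed write is caught before the reboot.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($after -eq 1) {
        Write-Output "$Name set to 1; take the sensor out of bypass and reboot."
        return $true
    }
    Write-Warning "$Name reads back as '$after', expected 1."
    return $false
}

Enable-CbMemoryDump
```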

Additional Information

The LiveResponse memdump command was previously observed to cause crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default on sensor 3.5.x and no longer causes crashes.