EDR: How to collect a Procmon for Boot/Login Sensor Performance
Article ID: 287955

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to collect a Procmon capture for performance issues related to boot or login with the CB EDR sensor

Environment

  • Carbon Black EDR (Formerly CB Response) Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Download the latest Process Monitor (Procmon) from Sysinternals
  2. Unzip and place Procmon in an easy-to-find location
  3. Open Procmon and press Ctrl+E to stop the capture
  4. Go to Options > Enable Boot Logging > Generate Thread Profiling every second
  5. Go to Filter and uncheck the filter "Process Name is System"
  6. Reboot the machine
  7. After the machine has come up, open Procmon immediately. You will be asked to save what was captured
  8. Save the file as .PML
  9. Zip the PML file before sending; PML files compress well
  10. Upload the capture to CBVault

Additional Information

  • Sensor Diagnostics must be captured along with the Procmon capture (see Related Content)
  • For other performance issues, see Related Content
  • Do not put any additional filters in place