EDR: How to Collect Windows Sensor Diagnostic Logs (6.1.13)
Article ID: 288104

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Generate a Windows endpoint report for diagnostic and troubleshooting purposes.

Environment

  • EDR Windows Sensor: 6.1.13
  • Windows OS: All supported versions

Resolution

  1. Download https://community.carbonblack.com/t5/Knowledge-Base/CbDiag-exe-zip/ta-p/36435
  2. Open Windows Command Prompt (cmd.exe)
  3. Run cbdiag.exe with admin permissions
  4. Press Enter or 0 to select "Take a new diag" option
[Image: CbDiag.exe prompt]
Sample Output:
[Image: CbDiag.exe prompt and output]

Additional Information

  • More utility options: CbDiag.exe /?
  • The resulting file is generated in the same directory as the cbdiag.exe utility.
  • Resulting file name format: <date-time>.diag.gz
  • Administrator permissions are required because the utility reads system file paths and registry keys.
  • Disable CB Tamper Protect Updater if Cb Protection is installed.
  • If applicable, locally approve the utility hash within your CB Protection Web UI (MD5: ee1ca8d128cef17d19ede004bc774c29).
  • Sensor reports under 25 MB can be attached directly to a Carbon Black Technical Support case.
  • Files larger than 25 MB should be uploaded to CB Vault.
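The following PowerShell script is an added example, not part of this article or the CbDiag utility. It wraps the steps above for an administrator: it checks for elevation, verifies the downloaded cbdiag.exe against the MD5 published here before running it, runs the utility from its own directory, and then locates the newest <date-time>.diag.gz and reports whether it fits the 25 MB case-attachment limit. The extraction directory C:\Tools\CbDiag is an assumption.

```powershell
# Added example (not from the KB article): verify, run and collect CbDiag output.
# Assumptions: the CbDiag zip from the article has already been extracted to
# $CbDiagDir, and $ExpectedMd5 is the hash published in this article.
$CbDiagDir        = 'C:\Tools\CbDiag'                    # assumed extraction path
$CbDiagExe        = Join-Path $CbDiagDir 'cbdiag.exe'
$ExpectedMd5      = 'ee1ca8d128cef17d19ede004bc774c29'   # from the article
$MaxCaseSizeBytes = 25MB                                 # attach-to-case limit

# 1. The utility needs elevated rights for system file paths and registry keys.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# 2. Confirm the binary matches the published hash before executing it.
if (-not (Test-Path $CbDiagExe)) { throw "cbdiag.exe not found at $CbDiagExe" }
$actualMd5 = (Get-FileHash -Path $CbDiagExe -Algorithm MD5).Hash.ToLower()
if ($actualMd5 -ne $ExpectedMd5) {
    throw "MD5 mismatch for $CbDiagExe : got $actualMd5, expected $ExpectedMd5"
}

# 3. Run the utility from its own directory so the report lands beside it.
#    At the prompt, press Enter or 0 to select "Take a new diag" (step 4 above).
Push-Location $CbDiagDir
try   { & $CbDiagExe }
finally { Pop-Location }

# 4. Pick up the newest <date-time>.diag.gz written next to cbdiag.exe.
$report = Get-ChildItem -Path $CbDiagDir -Filter '*.diag.gz' -File |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $report) { throw 'No .diag.gz report was produced.' }

# 5. Route the file according to the 25 MB limit stated in the article.
$sizeMb = [math]::Round($report.Length / 1MB, 1)
if ($report.Length -lt $MaxCaseSizeBytes) {
    "$($report.FullName) ($sizeMb MB): attach directly to the support case."
} else {
    "$($report.FullName) ($sizeMb MB): upload to CB Vault instead."
}
```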
Data collected:
  • Basic System Information
  • Carbon Black product logs
  • System event logs
  • System Crash dumps
  • Cb product registry keys
  • System registry keys related to crash dumps
  • Cb product binary information
  • Running system drivers and processes
  • Installed system services, hardware, software