How to Access RepCLI with Live Response
search cancel

How to Access RepCLI with Live Response


Article ID: 288873


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense)


Access the RepCLI utility during a Live Response session


  • Carbon Black Cloud Sensor: 3.3.x.x and higher
  • Carbon Black Cloud Console: All versions
  • Microsoft Windows: All supported versions


  1. Initiate a Live Response session from the Console (Endpoints > Go Live)
  2. Change directory repcli.exe location or format commands with the full path
    cd C:\Program Files\Confer
  3. Preface repcli commands with "execfg"
    execfg repcli status

Additional Information

  • The Live Response session runs on the local machine as Local System
  • The Windows Local System SID will need to be authenticated to provide full RepCLI access
  • The Windows System SID is S-1-5-18
  • This can be confirmed within the LR session
    execfg whoami /user
    User Name             SID 
    ===================   ======== 
    nt authority\system   S-1-5-18
  • 3.5.x.x and higher Sensors do not require a SID for authenticated RepCLI commands when run via Live Response
    • One caveat for 3.5.x.x - Sensors is that Bypass mode can be turned on via RepCLI during Live Response but cannot be turned off via RepCLI
    • The above caveat is resolved in and higher Sensor versions