Troubleshoot Windows Sensor Installation and Upgrade Issues

Article ID: 291473

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Troubleshooting Windows Sensor Installation and Upgrade Issues

Environment

  • Carbon Black Cloud Windows Sensor: All supported versions

Resolution

  1. Locate the sensor install log file. For an unattended install, its location is the one specified using /L*vx <logpath>\<logname>; for an attended install, it is in one of these three locations:
    C:\Windows\TEMP\
    C:\Users\<user>\AppData\Local\Temp\ 
    C:\Users\All Users\AppData\Local\Temp\
  2. Once the log has been collected, look for all return values, ignoring 0's and 1's, which are normal.
    1. Between each return value is a block of code that is being run; its result is recorded in the return value that follows it.
    2. For the first return value other than 0 or 1, look at the section of code above it for an error.
    3. If there is a 1603 message for the uninstall of the sensor, then find the uninstall log for the previous version of the sensor and follow steps 1 and 2.
  3. Review the error message and search the knowledge base, or locate it among the commonly found examples below.
    1. CA:InstallPreCheck:  Error 0x8000ffff: Incorrect parameters for GPO upgrade.
    2. CAUninstallDriverService: Error 0x80004005: CAUninstallDriverService: Uninstall driver service failed
  4. If you are not able to resolve the issue, open a support case and provide the log specified above.
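
The triage in steps 2.1 to 2.3, as an added PowerShell example that is not part of the original article or of Carbon Black's tooling. The function, parameter and property names are hypothetical, the sample log lines are constructed, and it assumes each result is recorded in the log with the text "Return value <n>".

```powershell
# Added example; function, parameter and property names are hypothetical.
function Get-MsiFailedAction {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,  # log content, one line per element
        [int] $MaxBlockLines = 20                  # cap on lines kept from each block
    )
    $blockStart = 0
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Return value (\d+)') {
            $code = [int]$Matches[1]
            if ($code -notin 0, 1) {
                # The block that produced this value runs from the line after the
                # previous "Return value" up to this line (steps 2.1 and 2.2).
                $from  = [Math]::Max($blockStart, $i - $MaxBlockLines + 1)
                $block = @($Lines[$from..$i])
                [pscustomobject]@{
                    LineNumber  = $i + 1
                    ReturnValue = $code
                    Errors      = @($block | Where-Object { $_ -match 'Error 0x[0-9a-f]{8}' })
                    Block       = $block
                }
            }
            $blockStart = $i + 1
        }
    }
    # Step 2.3: a 1603 may come from the uninstall of the previous sensor version.
    if ($Lines -match '\b1603\b') {
        Write-Warning '1603 present: if it is from the sensor uninstall, review the previous version''s uninstall log the same way.'
    }
}

# Constructed sample lines in verbose MSI log style (not from a real install).
$sample = @(
    'Action start 10:15:00: CostInitialize.'
    'Action ended 10:15:00: CostInitialize. Return value 1.'
    'Action start 10:15:01: InstallPreCheck.'
    'CA:InstallPreCheck:  Error 0x8000ffff: Incorrect parameters for GPO upgrade.'
    'Action ended 10:15:01: InstallPreCheck. Return value 3.'
    'Action ended 10:15:02: INSTALL. Return value 3.'
)

# The first object returned is the one step 2.2 points at; later ones are
# usually consequences of it.
Get-MsiFailedAction -Lines $sample | Format-List LineNumber, ReturnValue, Errors

# Against a real log: Get-MsiFailedAction -Lines (Get-Content '<logpath>\<logname>')
```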

Additional Windows Install Troubleshooting Logging

  • Verbose.msi log (Always collect this log when possible)
    NOTE:
    • If the sensor was installed via the attended method, the verbose msi log will not be generated
    • If the sensor was upgraded via the CBC Console, then the msi.log will be located in %ProgramData%\CarbonBlack
    • If the sensor was installed by any other method, then the verbose msi log will only be created if /L*vx <logpath>\<logname> was used when installing the sensor. If the <logpath> was not specified, then the log will be created in the directory in which the msi was specified to run
  • TCP Dump (Collect only if we suspect a network issue and issue can be reproduced on demand) 
  • Process Monitor (If the issue can be reproduced please run while reproducing the issue)
  • All other Logs (Please contact support to obtain the cbcdisk-v2.ps1 sensor install log collection script)
    1. Copy cbcdisk-v2.ps1 into a directory
    2. Open a command prompt using Run As Administrator
    3. Execute command: powershell -executionpolicy bypass -f .\cbcdisc-v2.ps1
    4. This creates %TEMP%\cbcdisc-<hostname>.zip
      e.g.
      Capture complete. Capture file is C:\Users\user\AppData\Local\Temp\cbcdisc-hostname.zip

Additional Information

  • The cbcdisk-v2.ps1 log collection script will automatically collect the sensor registration log cb-installer-<sensor.version>.log (post 3.4) or confer-temp.log (3.4 and below) which is usually found in one of the following locations: 
    C:\Windows\TEMP\
    C:\Users\<user>\AppData\Local\Temp\ 
    C:\Users\All Users\AppData\Local\Temp
  • If there is a record for a device's hostname on one of the Inventory pages (Endpoints, VM Workloads, VDI Clones, etc.) where the Status shows Active but the Operating System (OS) and Sensor version fields are blank:
    • Registration has succeeded (there is a device_id), but installation has failed
    • Uninstall/reinstall is recommended