The output.tmp file is occupying excessive disk space in EDR's c:\windows\carbonblack directory
search cancel

The output.tmp file is occupying excessive disk space in EDR's c:\windows\carbonblack directory

book

Article ID: 291799

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

A file called ‘output.tmp’ resides in the c:\windows\carbonblack folder on a Windows endpoint which appears to be taking up gigabytes of disk space
 

Environment

EDR Windows:  All versions

Cause

A user creates files within the registry using Live Response and doesn’t include the “/y” switch to overwrite any existing file. If this command is run without “/y” twice, it will appear to hang the second time and a huge file is created containing the contents of ‘output.tmp’

Resolution

Use the "/y" (overwrite) option when exporting registry contents in CbLR. Console commands that present an interactive prompt to the user may have this behavior. Remember to treat "execfg" CbLR commands as standalone instructions where no user interaction is possible, and test thoroughly before running a command across a large number of computers.
Powered by Wolken Software