Check DeviceID On Windows Endpoint

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Explain the steps to confirm the DeviceID of a Windows Sensor on the machine where it is installed

Environment

Carbon Black Cloud Sensor: 3.7.x.x and Higher
Microsoft Windows: All Supported Versions

Resolution

CMD.EXE

Launch an elevated command prompt (right-click cmd.exe > Run as Administrator)

Run the following command

findstr "RegistrationId" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini

The output will be in the following format
```
RegistrationId=<org_id>-<device_id>
```

Powershell

Launch an elevated Powershell.exe instance (right-click powershell.exe > Run as Administrator)

Run the following command

Select-String "RegistrationId" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini

The output will be in the following format

C:\ProgramData\CarbonBlack\DataFiles\cfg.ini:<Line#>:RegistrationId=<org_id>-<device_id>

Note: On Windows Sensor versions 3.6.x and Below the path is C:\Program Files\Confer\cfg.ini
Check: Carbon Black Cloud: How To Check DeviceID On Endpoint (Windows 3.6)

Additional Information

Confirming the DeviceID locally on the machine with the Sensor installed can be helpful in troubleshooting issues and reviewing Alerts and other Events within the Carbon Black Cloud Console
For example, with the DeviceID you can review Events specific to that single device on the Investigate page by replacing <DeviceID> with the ID retrieved using the above method
```
https://<DashboardURL>/investigate?selected[deviceId]=<DeviceID>&selected[selectedTab]=DEVICE&s[searchWindow]=ALL&s[c][DEVICE_ID][0]=<DeviceID>
```
Searching for device_id on applicable Inventory pages will find the device tied to that registration, regardless of the current hostname
- device_id is the unique identifier for a given Sensor in relation to VMware Carbon Black Cloud
- Hostname, IP Address, and Active Directory information are all considered metadata for a device record as they all can be changed

Point of presence (PoP) or Backend can also be found in the cfg.ini file to ensure a given device is registered to the correct PoP/Backend

cmd.exe
\> findstr "BackendServer" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
BackendServer=<Device_Services_URL>

Powershell.exe
\> Select-String "BackendServer" C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
C:\ProgramData\CarbonBlack\DataFiles\cfg.ini:<Line#>:BackendServer=<Device_Services_URL>

Check DeviceID On Windows Endpoint

Article ID: 291852

Updated On:

Products

Issue/Introduction

Environment

Resolution

CMD.EXE

Powershell

Note: On Windows Sensor versions 3.6.x and Below the path is C:\Program Files\Confer\cfg.ini
Check: Carbon Black Cloud: How To Check DeviceID On Endpoint (Windows 3.6)

Additional Information

Feedback

Check DeviceID On Windows Endpoint

Article ID: 291852

Updated On:

Products

Issue/Introduction

Environment

Resolution

CMD.EXE

Powershell

Note: On Windows Sensor versions 3.6.x and Below the path is C:\Program Files\Confer\cfg.iniCheck: Carbon Black Cloud: How To Check DeviceID On Endpoint (Windows 3.6)

Additional Information

Feedback

Note: On Windows Sensor versions 3.6.x and Below the path is C:\Program Files\Confer\cfg.ini
Check: Carbon Black Cloud: How To Check DeviceID On Endpoint (Windows 3.6)