How do Sensors determine Username information in Carbon Black Cloud console?
Article ID: 291906

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)

Issue/Introduction

Where does the information for User (loginUserName) and Installed By come from for each Sensor/OS?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: All Versions
  • Apple macOS: All Supported Versions
  • Linux: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

Apple macOS

  • At time of install: populated using the GetConsoleUser key from the System Configuration dynamic store

Linux

  • At time of install: can be set with EmailAddress via the cfg.ini file
  • After install, if not set in cfg.ini: populated from /var/run/utmp when exactly one user is logged in; otherwise the system hostname is used
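
The Linux precedence above can be reproduced when checking why the console shows a hostname instead of a user. This is an added example, not Carbon Black sensor code. It assumes the 384-byte glibc x86-64 utmp record layout, treats "single logged-in user" as one distinct username among USER_PROCESS records, and takes the cfg.ini EmailAddress value as a parameter; the function names are hypothetical.

```python
import socket
import struct

# glibc struct utmp on x86-64 Linux: 384 bytes per record (assumed layout).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7  # ut_type value for an active login session


def logged_in_users(utmp_bytes):
    """Return the set of usernames that have a USER_PROCESS record."""
    users = set()
    usable = len(utmp_bytes) - len(utmp_bytes) % UTMP_SIZE  # ignore a truncated tail
    for off in range(0, usable, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, utmp_bytes, off)
        ut_type, ut_user = rec[0], rec[4]
        name = ut_user.split(b"\0", 1)[0].decode("utf-8", "replace")
        if ut_type == USER_PROCESS and name:
            users.add(name)
    return users


def resolve_username(utmp_bytes, cfg_email=None, hostname=None):
    """Apply the precedence described above; returns (value, source)."""
    if cfg_email:
        return cfg_email, "cfg.ini EmailAddress"
    users = logged_in_users(utmp_bytes)
    if len(users) == 1:
        return next(iter(users)), "utmp"
    return hostname or socket.gethostname(), "hostname"


def make_record(ut_type, user, line=b"pts/0"):
    """Build one constructed utmp record for the demonstration below."""
    return struct.pack(UTMP_FMT, ut_type, 1234, line, b"ts/0", user,
                       b"", 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


if __name__ == "__main__":
    # Constructed sample data, not a real utmp file.
    one = make_record(2, b"reboot") + make_record(USER_PROCESS, b"alice")
    two = one + make_record(USER_PROCESS, b"bob", b"pts/1")
    print(resolve_username(one, hostname="web01"))
    print(resolve_username(two, hostname="web01"))
    print(resolve_username(two, cfg_email="ops@example.com"))
```

To run it against a live host, pass the bytes read from /var/run/utmp as `utmp_bytes`.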

Microsoft Windows

  • At time of install
    • Set with EmailAddress via cfg.ini or USER_EMAIL via msi parameter
    • Else get last logged on user from Registry
      HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnSAMUser
      HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
    • Else current interactive session using LookupAccountSidW