Does the EDR Sensor Collect Events from cb.exe?



Article ID: 373416




Carbon Black EDR (formerly Cb Response), Carbon Black Hosted EDR (formerly Cb Response Cloud)


Does the sensor's user process, cb.exe, also collect events for itself?


  • Carbon Black EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions


By default, the only events collected for the cb.exe user process are netconns and childprocs.

To collect all events from the cb.exe process:

  1. Open regedit
  2. Go to HKLM\software\carbonblack\config
  3. Edit the CollectSensorOperations config (DWORD) and set it to 1
  4. Restart sensor services
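
The same four steps as a PowerShell script that reports the previous value, so the change can be reverted if the extra events prove too noisy. This is an added example, not code from the original article; the key path and value name come from the steps above, and the service name `CarbonBlack` is an assumption to confirm with `Get-Service` on a sensor host.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Key path and value name are taken from the article;
# the default service name is an assumption: confirm it with Get-Service first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServiceName = 'CarbonBlack'    # assumed sensor service name
)

$key     = 'HKLM:\software\carbonblack\config'
$name    = 'CollectSensorOperations'
$desired = 1                                # collect all events from cb.exe

if (-not (Test-Path -Path $key)) {
    throw "Registry key $key not found; is the EDR sensor installed on this host?"
}

# Read the current value. A missing value leaves $current as $null.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$shown   = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output "Previous $name = $shown"

if ($current -eq $desired) {
    Write-Output 'Already set; sensor services were not restarted.'
    return
}

if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $desired")) {
    # -Force creates the value or overwrites it, and keeps the DWORD type.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desired -Force |
        Out-Null
}

if ($PSCmdlet.ShouldProcess($ServiceName, 'Restart service')) {
    # Step 4 of the article: restart the sensor service after the edit.
    Restart-Service -Name $ServiceName -Force -ErrorAction Stop
    Get-Service -Name $ServiceName | Select-Object Name, Status
}
```

Run it with `-WhatIf` first to see the registry write and service restart it would perform without making either change.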

Additional Information

  • There is no configuration setting in the console for this.
  • Tracking the cb.exe process can create additional noise and potentially reduce retention.