How to collect a Procmon for Boot/Login Sensor Performance


Article ID: 287955


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to collect a Procmon capture for performance issues related to boot or login with the CB EDR sensor

Environment

  • Carbon Black EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. Download the latest Process Monitor (Procmon) from Sysinternals
  2. Unzip and place Procmon in an easy-to-find location
  3. Open Procmon and press Ctrl+E to stop the capture
  4. Go to Options > Enable Boot Logging > Generate Thread Profiling every second
  5. Go to Filter and uncheck the default filter "Process Name is System"
  6. Reboot the machine
  7. After the machine has come up, open Procmon immediately and save what was captured
  8. Save the file as .PML
  9. Zip the PML file before sending; PML files compress well
  10. Upload the capture to the case

Additional Information

  • Sensor Diagnostics will need to be captured along with the Procmon capture
  • See this document for other performance issues
  • Do not put any additional filters in place
  • When reviewing the data, add the "Duration" column and filter on "Duration more than 1" (seconds) to narrow down where the issue may be
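
The Duration review step above can also be done outside the Procmon GUI once the capture has been exported as CSV (File > Save As > CSV) with the Duration column visible. The following is an added example, not code from this article or from the Procmon or Carbon Black products: it reads a CSV export, keeps only events whose Duration exceeds 1 second, sorts them slowest first, and counts them by process and operation. The column layout and the sample rows are constructed for the example; a real export carries whichever columns were visible when it was saved, and the process names and paths below are placeholders.

```python
"""Filter a Procmon CSV export for operations slower than 1 second."""
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Procmon CSV export with the Duration
# column added. Column layout, process names and paths are assumptions for
# this example, not data from a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Duration"
"7:02:11.0412345 AM","System","4","ReadFile","C:\\Windows\\System32\\drivers\\example.sys","SUCCESS","0.0000412"
"7:02:12.1000000 AM","example-sensor.exe","1234","CreateFile","C:\\ProgramData\\example\\store\\events.db","SUCCESS","2.3140112"
"7:02:15.2000000 AM","winlogon.exe","820","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion","SUCCESS","0.0000083"
"7:02:16.0000000 AM","example-sensor.exe","1234","WriteFile","C:\\ProgramData\\example\\store\\events.db","SUCCESS","1.0500000"
"7:02:20.0000000 AM","explorer.exe","3100","CreateFile","C:\\Users\\user\\Desktop","SUCCESS","0.0001000"
"""

THRESHOLD_SECONDS = 1.0


def parse_duration(value):
    """Procmon writes Duration as seconds with a fractional part, e.g. '0.0000412'.
    An empty or unparsable value is treated as 0 so it is never mistaken for
    a slow operation."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0


def slow_events(csv_text, threshold=THRESHOLD_SECONDS):
    """Return the rows whose Duration exceeds `threshold` seconds, slowest first.
    Duration is replaced by its float value in the returned rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if "Duration" not in (reader.fieldnames or []):
        raise ValueError("Duration column missing: add it in Procmon before saving as CSV")
    rows = []
    for row in reader:
        seconds = parse_duration(row.get("Duration"))
        if seconds > threshold:
            row["Duration"] = seconds
            rows.append(row)
    rows.sort(key=lambda r: r["Duration"], reverse=True)
    return rows


def summarize(events):
    """Count slow events by (process name, operation) to show where time concentrates."""
    return Counter((e["Process Name"], e["Operation"]) for e in events)


if __name__ == "__main__":
    events = slow_events(SAMPLE_CSV)
    for e in events:
        print(f'{e["Duration"]:9.4f}s  {e["Process Name"]:<20} {e["Operation"]:<14} {e["Path"]}')
    for (proc, op), n in summarize(events).most_common():
        print(f"{n:3d}  {proc} {op}")
```

To use it on a real export, replace `SAMPLE_CSV` with the contents of the saved CSV file; the `Duration` check raises an error if the column was not visible at save time, which is the most common reason the filter appears to return nothing.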