EDR: How to Create a Memory Dump during High Memory Usage Troubleshooting (Windows)
Article ID: 291621
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to collect a memory dump to aid in troubleshooting high memory issues caused by the sensor
Environment
- EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Resolution
- Set the system to full memory dump collection All Products: How to Setup a Windows Machine for Full Memory Dump
- High Memory but Download Notmyfault from Microsoft Sysinternal Tools and extract to a local folder
- If the system is freezing due to high memory consumption, please follow Creating a Windows Crashdump Via Keyboard
- Capture the following information during high memory consumption
- Process Memory Dump
- Open task manager
- Find cb.exe under the process tab
- Right click cb.exe and select Create dump file
- Full system memory dump (Note: This will force create a BSOD that creates a memory dump)
- Open cmd
- At the command line, type NotMyFault64.exe /crash then press enter
- Note: for x86 systems, use NotMyFault.exe
- Process Memory Dump
- Zip the C:\Windows\MEMORY.dmp file
- Collect the sensor diagnostics
- 6.2.2 and higher: https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Collect-Windows-Sensor-Diagnostic-Logs-6-2-2/ta-p/93494
- 6.2.1 and below: https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Collect-Windows-Sensor-Diagnostics-Logs-6-2-1-and/ta-p/67648
- Upload the Compressed Memory dump and Sensor Diags to support
Additional Information
- It's important to collect these during the high points of memory consumption in order to get an accurate reading of the root case
- Full memory dump is required to get root cause, a minidump will only provide a small amount of info that may not result in getting resolution
Feedback
Yes
No
Powered by
