EDR: How to Collect Windows Sensor Diagnostic Logs With Tamper Protection enabled (7.2.0+)
Article ID: 292036

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to collect diagnostics using the sensordiag.exe tool for sensors in a sensor group with Tamper Protection enabled.

Environment

  • EDR Sensors: 7.2.0 and Higher
  • Microsoft Windows: All Supported Versions
  • Microsoft .NET 4.5 and Higher

Resolution

There are two methods to do this:
  1. Via CB Live Response:
    1. Establish a CB Live Response session and enter the following (replace <username> with your username):
       execfg cmd.exe /c sensordiag -type CDE -output c:\users\<username>\desktop\
    2. Collect the zip file from c:\users\<username>\desktop.
  2. Locally on the endpoint:
    1. Open an elevated command prompt.
    2. Copy sensordiag.exe to a path that is both writable and executable (replace <username> with your username):
       copy c:\windows\carbonblack\sensordiag.exe c:\users\<username>\desktop\
    3. Execute sensordiag.exe from the new location:
       c:\users\<username>\desktop\sensordiag.exe -type CDE -output c:\users\<username>\desktop\
    4. Collect the zip file from c:\users\<username>\desktop.
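As an added example (not Carbon Black's own tooling and not part of this article), the local-endpoint method above wrapped in a PowerShell script for an elevated prompt. It assumes sensordiag.exe is at c:\windows\carbonblack\sensordiag.exe as the article states, uses the current user's Desktop in place of c:\users\<username>\desktop, and relies only on the -type CDE and -output switches shown on the page; the exit-code check, detection of the newly written zip, and the SHA-256 hash of the bundle are additions so the person collecting the diagnostics can confirm the run succeeded and support can verify the file arrived intact.

```powershell
# Added example: automates the "Locally on the endpoint" steps from the article.
# Assumptions: sensordiag.exe is installed at C:\Windows\CarbonBlack\sensordiag.exe
# and the current user's Desktop is writable. Only the -type and -output switches
# shown in the article are used.
#Requires -RunAsAdministrator

$source  = 'C:\Windows\CarbonBlack\sensordiag.exe'
$workDir = Join-Path $env:USERPROFILE 'Desktop'   # stands in for c:\users\<username>\desktop
$tool    = Join-Path $workDir 'sensordiag.exe'

if (-not (Test-Path -Path $source)) {
    throw "sensordiag.exe not found at $source; is the EDR sensor installed on this host?"
}

# Tamper Protection guards the sensor install directory, which is why the article
# copies the tool to a location that is both writable and executable before running it.
Copy-Item -Path $source -Destination $tool -Force

# Snapshot the zip files already present so the one produced by this run can be identified.
$before = @(Get-ChildItem -Path $workDir -Filter '*.zip' -File |
            Select-Object -ExpandProperty FullName)

# Run the diagnostic collection exactly as the article does; -output takes a directory,
# trailing backslash included. $LASTEXITCODE holds the native process exit code.
& $tool -type CDE -output "$workDir\"
if ($LASTEXITCODE -ne 0) {
    throw "sensordiag.exe exited with code $LASTEXITCODE; review its console output above."
}

$newZips = @(Get-ChildItem -Path $workDir -Filter '*.zip' -File |
             Where-Object { $before -notcontains $_.FullName })
if ($newZips.Count -eq 0) {
    throw "No new zip file appeared in $workDir; the collection did not complete."
}

# Hash the bundle before it leaves the host so the recipient can verify integrity.
foreach ($zip in $newZips) {
    $hash = Get-FileHash -Path $zip.FullName -Algorithm SHA256
    [pscustomobject]@{
        Bundle = $zip.FullName
        SizeKB = [math]::Round($zip.Length / 1KB)
        SHA256 = $hash.Hash
    }
}

# The copied tool is no longer needed once the bundle exists.
Remove-Item -Path $tool -Force
```

Run it from an elevated PowerShell prompt on the endpoint; it prints the path, size and SHA-256 of each new diagnostic zip, which is the file to hand to support. For the CB Live Response method, the single execfg line in the article does the same job remotely, and the zip can be hashed after retrieval with Get-FileHash in the same way.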