Environment
- All Carbon Black Products
- Microsoft Windows: All Supported Versions
Objective
To configure a Windows endpoint to generate Windows crash / memory dump reports using the keyboard.
Resolution
- Open Run or Command Prompt
- Type SystemPropertiesAdvanced and press ENTER.
- Under Startup and Recovery section, click Settings
- Under System Failure > Write debugging information select Complete memory dump
- Check Overwrite any existing file and make any desired changes to the "Dump file:" location
- Click OK to save the settings and exit the Startup and Recovery window
- Click OK to save and exit the System Properties window
- Follow the procedure in this Microsoft article to enable keyboard crashing:
Additional Notes
- The default location for the resulting crash dump file is C:\Windows\Memory.dmp
- Resulting memory dumps can be provided to Carbon Black using CB Vault.
- This process is useful in situations where the endpoint is unresponsive (ie, "hung")
- Some keyboards (such as on some laptop models) may not have a SCROLL LOCK button. If this is the case, it's recommended to plug in an external keyboard that has that key and trigger the crash dump that way.
- Alternatively, if an external keyboard is not available, the hex values in the reg files can be modified to represent other available keys.
Related Content
