
App Control: How to Enable Kernel Driver Logging on Startup for Windows

Environment

  • App Control Agent (formerly CB Protection): All Supported Versions
  • Microsoft Windows: All Supported Versions

Objective

Steps to enable the kernel driver logging on startup

Resolution

  1. Open a command prompt as Administrator
  2. Change directory to C:\Program Files (x86)\Bit9\Parity Agent (or the location where App Control is installed)
  3. Turn off tamper protection by running the following commands in order:
    dascli password <password> (either the CLI or the global password, entered without the angle brackets)
    dascli tamperprotect 0
    net stop parity (this requires admin rights)
    fltmc unload paritydriver
  4. Edit the registry
    • Add or update the FlagsEx registry value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\paritydriver\Parameters]
FlagsEx REG_DWORD 0x80000000
    • Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\] create a new key called ParityDriver and add the following values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver]
BufferSize REG_DWORD 0x10000
ClockType REG_DWORD 0x00002
FileName REG_SZ C:\Temp\Autolog.etl
LogFileMode REG_DWORD 0x4
GUID REG_SZ {5CBD99EC-AFCE-4FA0-A9ED-0E8C5F7F32FD}
Start REG_DWORD 0x00000001
Status REG_DWORD 0x00000000
    • Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver] create a new key called {15565A80-7AAB-4752-A686-0F14408092C7} and add the following values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver\{15565A80-7AAB-4752-A686-0F14408092C7}]
Enabled REG_DWORD 0x00000001
EnableFlags REG_DWORD 0x07ffffff
EnableLevel REG_DWORD 0x00000004
Status REG_DWORD 0x00000000
    This key name is the App Control application GUID; it is critical that it matches the value given above exactly.
  5. Reboot the machine and verify that the C:\Temp\Autolog.etl file has been created
  6. Open regedit and check that the Status value under ParityDriver is 0 and that the Enabled value under ParityDriver\{15565A80-7AAB-4752-A686-0F14408092C7} is 1
  7. When done reproducing the issue and collecting the ETL log file, remove the FlagsEx value and the ParityDriver key under Autologger from the registry to avoid continuous logging that can take up disk space
  8. Reboot again to terminate the logging
  9. Verify that C:\Temp\Autolog.etl has a non-zero size and provide it along with the captured diagnostic file
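The registry edits, the post-reboot checks and the cleanup from the steps above, as one PowerShell script. This is an added example, not part of this KB or of the App Control product; it assumes the default log path C:\Temp\Autolog.etl and the values listed above, is run from an elevated PowerShell prompt after the dascli, net stop and fltmc commands in step 3, and the function names are its own.

```powershell
# Added example (not from the KB): PowerShell equivalent of the registry edits in the
# Resolution section, plus the post-reboot checks and the cleanup. Run elevated, AFTER
# the dascli / net stop / fltmc steps. Assumes the log path C:\Temp\Autolog.etl from the KB.
$Params  = 'HKLM:\SYSTEM\CurrentControlSet\services\paritydriver\Parameters'
$Logger  = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver'
$AppGuid = '{15565A80-7AAB-4752-A686-0F14408092C7}'   # App Control application GUID (from the KB)
$EtlPath = 'C:\Temp\Autolog.etl'

function Enable-ParityDriverAutologger {
    # FlagsEx 0x80000000: PowerShell parses this hex literal as the signed Int32
    # -2147483648; the DWORD bit pattern written to the registry is still 0x80000000.
    New-ItemProperty -Path $Params -Name FlagsEx -PropertyType DWord -Value 0x80000000 -Force | Out-Null
    # ETW does not create a missing log directory, so make sure it exists before the reboot.
    New-Item -ItemType Directory -Path (Split-Path $EtlPath) -Force | Out-Null
    # Autologger session key and its DWORD values
    New-Item -Path $Logger -Force | Out-Null
    $session = @{ BufferSize = 0x10000; ClockType = 2; LogFileMode = 4; Start = 1; Status = 0 }
    foreach ($n in $session.Keys) {
        New-ItemProperty -Path $Logger -Name $n -PropertyType DWord -Value $session[$n] -Force | Out-Null
    }
    New-ItemProperty -Path $Logger -Name FileName -PropertyType String -Value $EtlPath -Force | Out-Null
    New-ItemProperty -Path $Logger -Name GUID -PropertyType String -Value '{5CBD99EC-AFCE-4FA0-A9ED-0E8C5F7F32FD}' -Force | Out-Null
    # Provider subkey; its name must be the application GUID exactly
    $provider = Join-Path $Logger $AppGuid
    New-Item -Path $provider -Force | Out-Null
    $flags = @{ Enabled = 1; EnableFlags = 0x07ffffff; EnableLevel = 4; Status = 0 }
    foreach ($n in $flags.Keys) {
        New-ItemProperty -Path $provider -Name $n -PropertyType DWord -Value $flags[$n] -Force | Out-Null
    }
}

function Test-ParityDriverAutologger {
    # Post-reboot checks from the KB: Status is 0, Enabled is 1, ETL file exists and is non-empty.
    $status  = (Get-ItemProperty -Path $Logger).Status
    $enabled = (Get-ItemProperty -Path (Join-Path $Logger $AppGuid)).Enabled
    $size    = if (Test-Path $EtlPath) { (Get-Item $EtlPath).Length } else { 0 }
    [pscustomobject]@{ StatusIsZero = ($status -eq 0); ProviderEnabled = ($enabled -eq 1); EtlBytes = $size }
}

function Disable-ParityDriverAutologger {
    # Remove FlagsEx and the whole Autologger key so logging stops at the next reboot
    # and the ETL file stops growing (the KB's cleanup step).
    Remove-ItemProperty -Path $Params -Name FlagsEx -ErrorAction SilentlyContinue
    Remove-Item -Path $Logger -Recurse -Force -ErrorAction SilentlyContinue
}
```

Call Enable-ParityDriverAutologger, reboot, run Test-ParityDriverAutologger to confirm the three checks, and call Disable-ParityDriverAutologger followed by a second reboot once the ETL file has been collected.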

Additional Notes

Note: For enabling Agent Service trace logging from startup, please reference the following KB: https://community.carbonblack.com/t5/Knowledge-Base/App-Control-How-to-Enable-Agent-Service-Trace-Lo...

Article Information

Creation Date: 09-01-2020