
EDR: Enable Verbose Debug Logging Remotely on Windows Sensor

Environment

  • EDR Sensor: All Versions
  • EDR Console: All Versions
  • Microsoft Windows: All Supported Versions

Objective

  • How to enable verbose user-mode and kernel-mode logging remotely via CB Live Response.

Resolution

  1. Back up the registry prior to enabling logging.
  2. Remotely enable verbose logging:
    • Establish a CB Live Response session with the endpoint.
    • Enter the following two commands within CB Live Response:
        reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7
        reg add HKLM\Software\CarbonBlack\config -v KernelDebugLevel -t REG_DWORD -d 7
    • The registry settings will not take effect until the user-mode sensor service is restarted:
        execfg cmd.exe /K "sc control carbonblack 203"
  3. Reproduce the issue.
  4. Collect logs.
  5. Disable verbose logging in Live Response:
        reg delete HKLM\Software\CarbonBlack\config /v DebugLevel /f
        reg delete HKLM\Software\CarbonBlack\config /v KernelDebugLevel /f
        execfg cmd.exe /K "sc control carbonblack 203"
  6. Upload the diagnostics to the CB Vault.
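The same procedure as a local PowerShell script, added here as an example and not part of the original article: it carries out the registry backup from step 1 explicitly (via reg.exe export), applies and later removes the two DWORD values, and sends the same service control code the article uses. It assumes the key path, value names and control code exactly as stated above and is meant to be run from an elevated prompt on the endpoint itself rather than through Live Response.

```powershell
# Added example (not from the article): local equivalent of the Live Response steps.
# Assumption: key, value names and control code 203 are as the article states.
$Key        = 'HKLM:\SOFTWARE\CarbonBlack\config'          # PowerShell provider path
$RegKeyPath = 'HKLM\SOFTWARE\CarbonBlack\config'           # same key in reg.exe form
$Backup     = Join-Path $env:TEMP 'CarbonBlack-config-backup.reg'

function Restart-CbSensorService {
    # Control code 203 makes the user-mode sensor service re-read its configuration.
    & sc.exe control carbonblack 203 | Out-Null
}

function Enable-CbVerboseLogging {
    # Step 1: export the key so the original state can be restored verbatim.
    & reg.exe export $RegKeyPath $Backup /y | Out-Null
    # Step 2: set both debug levels to 7 as REG_DWORD (-Force overwrites existing values).
    foreach ($name in 'DebugLevel', 'KernelDebugLevel') {
        New-ItemProperty -Path $Key -Name $name -PropertyType DWord -Value 7 -Force | Out-Null
    }
    Restart-CbSensorService
}

function Disable-CbVerboseLogging {
    # Step 5: remove the values again and restart so the sensor returns to normal logging.
    foreach ($name in 'DebugLevel', 'KernelDebugLevel') {
        Remove-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
    }
    Restart-CbSensorService
}

function Get-CbDebugLevels {
    # Shows the current values; use it to confirm the change before and after each step.
    Get-ItemProperty -Path $Key -Name 'DebugLevel', 'KernelDebugLevel' -ErrorAction SilentlyContinue |
        Select-Object DebugLevel, KernelDebugLevel
}

Enable-CbVerboseLogging
Get-CbDebugLevels
# Reproduce the issue and collect logs (steps 3 and 4), then:
# Disable-CbVerboseLogging
```

Keep the exported .reg file with the collected diagnostics; importing it with reg.exe restores the key if anything other than the two values was changed.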

Article Information

Creation Date: 11-21-2018
Views: 2259