EDR: Enable verbose logging locally on Windows sensor

Environment

  • EDR Sensor: Version 5.x and above (Formerly CB Response)
  • EDR Console: Version 5.x and above
  • Microsoft Windows: All Supported Versions

Objective

  • How to enable verbose user-mode and kernel-mode logging locally via the command prompt.

Resolution

  1. Back up the registry prior to enabling logging
  2. Locally enable verbose logging:
    • Open a command prompt as administrator
    • Enter the following two commands:
      • reg add HKLM\Software\CarbonBlack\config /v DebugLevel /t REG_DWORD /d 7
        reg add HKLM\Software\CarbonBlack\config /v KernelDebugLevel /t REG_DWORD /d 7
        
    • The registry setting will not take effect until the user-mode sensor service is requested to update:
      • sc control carbonblack 203
  3. Reproduce the issue
  4. Collect logs: 
  5. Disable debug logging from the command prompt
    • reg delete HKLM\Software\CarbonBlack\config /v DebugLevel /f
      reg delete HKLM\Software\CarbonBlack\config /v KernelDebugLevel /f
      sc control carbonblack 203
  6. Upload the diagnostics to the CB Vault
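
The steps above as a single PowerShell script, added here as an example and not Carbon Black's own tooling: it backs up the key with reg export, confirms both values read 7, and removes them in a finally block so verbose logging is not left enabled if a step fails. The backup path and the helper function names are assumptions; the registry key, value names and control code 203 are the ones given in the article.

```powershell
#Requires -RunAsAdministrator
# Added example: wraps the article's commands with a backup, a check and guaranteed cleanup.
$Key    = 'HKLM\Software\CarbonBlack\config'        # key from the article (reg.exe form)
$PsKey  = 'HKLM:\Software\CarbonBlack\config'       # same key as a PowerShell registry path
$Values = 'DebugLevel', 'KernelDebugLevel'          # value names from the article
# Assumed backup location; change it to suit your environment.
$Backup = Join-Path $env:TEMP ('cb-config-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Invoke-Native {                            # hypothetical helper: run a tool, fail on non-zero exit
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Update-Sensor {                            # hypothetical helper for the article's sc command
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    Invoke-Native 'sc.exe' @('control', 'carbonblack', '203')
}

# Step 1: back up the key before changing it.
Invoke-Native 'reg.exe' @('export', $Key, $Backup, '/y')
Write-Host "Registry backup written to $Backup"

try {
    # Step 2: set both debug levels to 7, then ask the sensor service to update.
    foreach ($v in $Values) {
        Invoke-Native 'reg.exe' @('add', $Key, '/v', $v, '/t', 'REG_DWORD', '/d', '7', '/f')
    }
    $cfg = Get-ItemProperty -Path $PsKey
    foreach ($v in $Values) {
        if ($cfg.$v -ne 7) { throw "$v was not set to 7" }
    }
    Update-Sensor

    # Steps 3 and 4 are manual.
    Read-Host 'Reproduce the issue and collect logs, then press Enter to disable verbose logging'
}
finally {
    # Step 5: remove both values even if an earlier step failed, then signal the sensor again.
    foreach ($v in $Values) {
        & reg.exe delete $Key /v $v /f 2>$null | Out-Null   # a value that is already absent is not an error here
    }
    try { Update-Sensor } catch { Write-Warning "Sensor update request failed: $_" }
    $left = (Get-ItemProperty -Path $PsKey).PSObject.Properties.Name | Where-Object { $_ -in $Values }
    if ($left) { Write-Warning "Still present: $($left -join ', ')" } else { Write-Host 'Verbose logging disabled.' }
}
```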

Creation Date: 11-21-2018