Environment

• Carbon Black EDR (Formerly CB Response) Sensor: All Versions
• Microsoft Windows: All Supported Versions

Objective

Resolution

1. Download the latest Process Monitor (Procmon) from sysinternals
   • https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
2. Unzip and place Procmon in an easy to find location
3. Open Procmon and Press Ctrl+E to stop the capture
4. Go to Options > Enable Boot Logging > Generate Thread Profiling every second
5. Go to Filter and uncheck the filtering "Process Name is System"
6. Reboot the machine
7. After the machine has come up, open Procmon immediately. You will be asked to save what was captured
8. Save the file as .PML
9. Zip the PML file before sending, they compress well. 
10. Upload the capture to CBVault

Additional Notes

• Sensor Diagnostics will need to be captured along with the Procmon capture (See Related Content)
• For other performance issues (See Related Content)
• Do not put any additional filters in place

Related Content

• CB Response: How to Collect Sensor Diagnostic Logs (6.2.2+) 
• CB Response: How to Collect Windows Sensor Diagnostic Logs (6.2.1 and below)
• CB Response: How to Enable Verbose Logging Locally on Windows Sensor
• CB Response: How to collect a Procmon for Sensor Performance
• CB Response: Using Windows Performance Recorder
• CB Response: How to Run Procmon at Low Altitude for Sensor Capture
• CB Response: Slow Boot Times on Windows 10
• CB Response: Windows Sensor Slow to Boot