logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: How to Create a Live Memory Dump With RepCLI

Carbon Black Cloud: How to Create a Live Memory Dump With RepCLI

Environment

  • Carbon Black Cloud Sensor: 3.5.0.1523 and higher
  • Microsoft Windows: All supported versions 

Objective

Use RepCLI to generate a live memory dump 

Resolution

  1. Log into the machine with a user account that matches the AD User or Group SID configured for RepCLI authentication 
  2. For Windows 7 and 8.0 Machines, proceed to next steps.  For Windows 8.1 and higher (including Windows 10), enable kernel debug logging prior to next steps. 
  3. Launch a Command Prompt
  4. Run commands: 
    cd C:\Program Files\Confer
repcli unlock <uninstall-code>
repcli LiveMemDump
  5. The following results will print to the command line 
    DebugHandler::LiveMemDump: Successfully created live memory dump file: c:\Program Files\Confer\RepCLI_MemDump.dmp
Successfully set FileSecurity::DEFAULT_PRIVILEGE_LEVEL on the file
  6. RepCLI_MemDump.dmp can now be gathered with Sensor logs through the support console
  7. To manually access or later delete the RepCLI_MemDump.dmp file, the file permissions must be relaxed with the following command 
    RepCLI FileAccess Relaxed
  8. The following results will print to the command line 
    Successfully set file access for all 1 tracked files.
 Result List:
  File: c:\Program Files\Confer\RepCLI_MemDump.dmp -- Effective PrivilegeMask: USERS, ADMINS, SYSTEM
  9. If manually gathering the dump file, please compress prior to uploading to CBvault
  10. Disable Kernel debug logging on Windows 8.1 and higher to prevent performance and disk space issues

Additional Notes

  • The live memory dump will generate a full memory dump (depending on OS configuration) without crashing the system
  • For Windows 7 and 8.0, both kernel and user memory are included in the dump (that is considered a full memory dump)
  • For Windows 8.1 and higher (including Windows 10), live dumps require Kernel debugging to be enabled for a full memory dump (only kernel memory will be dumped unless debugging is enabled)
  • Memory dump size will vary when gathering a live dump
  • Windows 7 live memory dumps are typically larger than the total RAM
  • Windows 10 live memory dumps are typically smaller than total RAM
  • If the LiveMemDump command is run before a previous LiveMemDump command completes, the command will print a failure message to the command line

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎08-25-2020
Views:
4492
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.