Environment
- Carbon Black Cloud Sensor: 3.5.0.1523 and higher
- Microsoft Windows: All supported versions
Objective
Use RepCLI to generate a live memory dump
Resolution
- Log into the machine with a user account that matches the AD user or group SID configured for RepCLI authentication
- On Windows 7 and 8.0, proceed to the next step. On Windows 8.1 and higher (including Windows 10), enable kernel debug logging before proceeding; without it only kernel memory is captured (see Additional Notes).
- Launch a Command Prompt
- Run the following commands (replace <uninstall-code> with the sensor's uninstall code):
cd C:\Program Files\Confer
repcli unlock <uninstall-code>
repcli LiveMemDump
- The following results will print to the command line:
DebugHandler::LiveMemDump: Successfully created live memory dump file: c:\Program Files\Confer\RepCLI_MemDump.dmp
Successfully set FileSecurity::DEFAULT_PRIVILEGE_LEVEL on the file
- RepCLI_MemDump.dmp can now be gathered together with the sensor logs through the support console
- To access or later delete the RepCLI_MemDump.dmp file manually, its permissions must first be relaxed with the following command (the dump is written with a restricted privilege level):
RepCLI FileAccess Relaxed
- The following results will print to the command line:
Successfully set file access for all 1 tracked files.
Result List:
File: c:\Program Files\Confer\RepCLI_MemDump.dmp -- Effective PrivilegeMask: USERS, ADMINS, SYSTEM
- If gathering the dump file manually, compress it before uploading it to CBvault
- Once the dump has been collected, disable kernel debug logging on Windows 8.1 and higher to prevent performance and disk space issues
Additional Notes
- The live memory dump will generate a full memory dump (depending on OS configuration) without crashing the system
- For Windows 7 and 8.0, both kernel and user memory are included in the dump (this is what is considered a full memory dump)
- For Windows 8.1 and higher (including Windows 10), live dumps require kernel debugging to be enabled in order to produce a full memory dump; unless debugging is enabled, only kernel memory is dumped
- Memory dump size will vary when gathering a live dump:
  - Windows 7 live memory dumps are typically larger than the total RAM
  - Windows 10 live memory dumps are typically smaller than the total RAM
- If the LiveMemDump command is run again before a previous LiveMemDump command has completed, the command prints a failure message to the command line
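The following PowerShell script is an added example, not part of this article and not Carbon Black code. It wraps the Resolution steps above (unlock, LiveMemDump, FileAccess Relaxed) and adds the checks a responder would want before handing the dump to support: it refuses to start while an earlier dump is still being written, verifies the success text RepCLI prints, compares the dump size against installed RAM to catch a kernel-only dump on Windows 8.1 and higher, and then hashes and compresses the file for manual upload. It assumes RepCLI is installed in C:\Program Files\Confer, that the uninstall code is passed in by the operator, and that kernel debugging on Windows 8.1 and higher is enabled beforehand and disabled afterwards by the operator; the parameter names and the -KernelDebugEnabled switch are the example's own.

```powershell
<#
  Added example, not Carbon Black documentation or code.
  Runs the RepCLI LiveMemDump procedure with checks, then hashes and
  compresses the dump for manual upload. Assumed: sensor in
  C:\Program Files\Confer; kernel debugging on Windows 8.1+ is handled
  by the operator outside this script.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$UnlockCode,                              # sensor uninstall code, supplied at run time
    [string]$ConferDir = 'C:\Program Files\Confer',   # assumed install path (matches the article)
    [string]$OutputDir = "$env:TEMP\cb-livedump",     # where the zip and hash are written
    [switch]$KernelDebugEnabled                       # operator confirms debugging is on (8.1+ only)
)

$ErrorActionPreference = 'Stop'
$repcli   = Join-Path $ConferDir 'repcli.exe'
$dumpPath = Join-Path $ConferDir 'RepCLI_MemDump.dmp'   # path reported by LiveMemDump in the article

# Run RepCLI, capture its output, and fail the step if the expected success text is missing.
function Invoke-RepCli {
    param([string[]]$Arguments, [string]$Expect)
    $out = (& $repcli @Arguments 2>&1 | Out-String)
    if ($Expect -and $out -notmatch [regex]::Escape($Expect)) {
        throw "repcli $($Arguments -join ' ') did not report success:`n$out"
    }
    return $out
}

# On Windows 8.1+ (version 6.3 and later) a dump without kernel debugging is kernel-only.
$osVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
$needsDebug = $osVersion -ge [version]'6.3'
if ($needsDebug -and -not $KernelDebugEnabled) {
    throw 'Windows 8.1 or higher: enable kernel debug logging first, then rerun with -KernelDebugEnabled.'
}

# A second LiveMemDump fails while the previous one is still running, so check
# whether an existing dump file is still growing before starting.
if (Test-Path $dumpPath) {
    $before = (Get-Item $dumpPath).Length
    Start-Sleep -Seconds 5
    if ((Get-Item $dumpPath).Length -ne $before) {
        throw "An earlier LiveMemDump is still writing $dumpPath; wait for it to finish."
    }
}

Push-Location $ConferDir
try {
    Invoke-RepCli -Arguments @('unlock', $UnlockCode) | Out-Null   # article shows no output text for unlock
    Invoke-RepCli -Arguments @('LiveMemDump') -Expect 'Successfully created live memory dump file' | Out-Null
    # The dump is written with a restricted privilege level; relax it before reading the file.
    Invoke-RepCli -Arguments @('FileAccess', 'Relaxed') -Expect 'Successfully set file access' | Out-Null
}
finally { Pop-Location }

# Sanity check against the size notes: Win10 dumps are usually below RAM, Win7 above.
# A dump far smaller than RAM on 8.1+ suggests only kernel memory was captured.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$dumpBytes = (Get-Item $dumpPath).Length
Write-Host ('Dump: {0:N0} bytes, installed RAM: {1:N0} bytes' -f $dumpBytes, $ramBytes)
if ($needsDebug -and $dumpBytes -lt ($ramBytes / 10)) {
    Write-Warning 'Dump is under 10% of RAM; it may contain kernel memory only.'
}

# Compress with the .NET zip API rather than Compress-Archive, which cannot
# handle multi-GB inputs on Windows PowerShell 5.1, then record a SHA-256 so the
# upload can be verified by whoever receives it.
New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
$zipPath = Join-Path $OutputDir ('RepCLI_MemDump_{0}_{1:yyyyMMdd_HHmmss}.zip' -f $env:COMPUTERNAME, (Get-Date))
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem
$archive = [System.IO.Compression.ZipFile]::Open($zipPath, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    [System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile(
        $archive, $dumpPath, (Split-Path $dumpPath -Leaf),
        [System.IO.Compression.CompressionLevel]::Optimal) | Out-Null
}
finally { $archive.Dispose() }

$sha256 = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
"$sha256  $(Split-Path $zipPath -Leaf)" | Set-Content -Path "$zipPath.sha256"
Write-Host "Ready for upload: $zipPath (SHA-256 $sha256)"
if ($needsDebug) { Write-Host 'Remember to disable kernel debug logging now that the dump is collected.' }
```

Run it from an elevated PowerShell session under the account configured for RepCLI authentication, for example `.\Get-LiveMemDump.ps1 -UnlockCode '<uninstall-code>' -KernelDebugEnabled` on Windows 10. The script deliberately does not enable or disable kernel debugging itself, since the article treats that as a separate operator step; the size check is a heuristic drawn from the notes above, not a guarantee that user memory was captured.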