Carbon Black Cloud: Steps To Enable Full Dump For BSOD

Environment

  • Carbon Black Cloud Sensor
  • Microsoft Windows: All Supported Versions

Objective

How To Enable Full Memory Dump

Resolution

* Full Memory Dump Instructions *

Copy the following text into Notepad and save the file with a ".reg" extension.

Windows Registry Editor Version 5.00
;* Configures the system to save a complete memory dump upon bug check.
;* Note: You will also need to ensure that the page file on C: is larger than the amount of installed RAM.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000001
"CrashDumpEnabled"=dword:00000001
"Overwrite"=dword:00000001
"LogEvent"=dword:00000001
"EnableLogFile"=dword:00000001
"DumpLogLevel"=dword:00000001
"AlwaysKeepMemoryDump"=dword:00000001
;* Configures the system to manually crash by holding down the right Ctrl key and pressing the Scroll Lock key twice
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001

  1. Back up the Windows registry
  2. Import the .reg file above by double-clicking it and accepting the confirmation prompt
  3. Navigate to the paths above in the registry to confirm the values were imported successfully
  4. Ensure the page file is larger than the amount of installed RAM, normally by at least 300 MB (System Properties → System → Change Settings → Advanced → Performance → Advanced → Virtual Memory/Change)
  5. Reboot the machine
  6. A full memory dump will be generated should the machine present a blue screen of death (BSOD)
  7. To force a BSOD while the machine is hung, hold the right Ctrl key and, while holding it, press the Scroll Lock key twice; a full memory dump should be written to %SystemRoot%\memory.dmp (typically C:\Windows\memory.dmp)
  8. Collect the .dmp file, compress it as a .zip and upload it into the case
  9. From the same machine, after rebooting, open an elevated command prompt (right-click cmd.exe and choose Run as administrator) and run:

sc control cbdefense 128

or

"c:\program files\confer\repcli.exe" capture

Rename the resulting file (psc_sensor.zip), found in C:\WINDOWS\TEMP\cb-temp\, by prepending the hostname to it, and upload it into the case as well.
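To verify steps 3 and 4 without clicking through the registry and System Properties dialogs, the following PowerShell script (an added example, not part of the Carbon Black article or the sensor's own tooling) checks that every value in the .reg file above is present and that the system-drive page file exceeds installed RAM by the 300 MB margin. It assumes the page file lives on %SystemDrive% and reads its currently allocated size from the Win32_PageFileUsage CIM class.

```powershell
# Added example: verify the CrashControl / CrashOnCtrlScroll values and the page file size.
# Run from an elevated PowerShell prompt; exits non-zero if anything is missing or too small.

$expected = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' = @{
        AutoReboot = 1; CrashDumpEnabled = 1; Overwrite = 1; LogEvent = 1
        EnableLogFile = 1; DumpLogLevel = 1; AlwaysKeepMemoryDump = 1
    }
    'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'   = @{ CrashOnCtrlScroll = 1 }
    'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters' = @{ CrashOnCtrlScroll = 1 }
}

$problems = @()
foreach ($path in $expected.Keys) {
    if (-not (Test-Path $path)) { $problems += "missing key $path"; continue }
    $item = Get-ItemProperty -Path $path
    foreach ($name in $expected[$path].Keys) {
        $want = $expected[$path][$name]
        $have = $item.$name   # $null when the value does not exist under the key
        if ($have -ne $want) { $problems += "$path\$name is '$have', expected $want" }
    }
}

# Step 4: the page file must exceed installed RAM, per the article by at least 300 MB.
$ramMB = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$systemDrive = $env:SystemDrive   # assumption: the page file is on this drive, e.g. C:
$pf = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$systemDrive*" }
if (-not $pf) {
    $problems += "no page file found on $systemDrive"
} elseif ($pf.AllocatedBaseSize -lt ($ramMB + 300)) {
    # AllocatedBaseSize is reported in MB
    $problems += ("page file on {0} is {1} MB; need at least {2} MB (RAM {3} MB + 300 MB)" -f
        $systemDrive, $pf.AllocatedBaseSize, ($ramMB + 300), $ramMB)
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Complete memory dump configuration verified; reboot if the .reg file was imported this session."
exit 0
```

CrashOnCtrlScroll lets anyone at the keyboard bug-check the machine, so set those two values back to 0 and reboot once the dump has been collected. The resulting memory.dmp holds the full contents of RAM, including any credentials that were in memory at the time, so handle the .zip as sensitive data when uploading it to the case.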

Article Information
Creation Date: 11-27-2018