Carbon Black Cloud: How to Configure GPO to Create Sensor MSI Log

Environment

  • Carbon Black Cloud Sensor: All Windows Versions
  • Microsoft Windows: All Supported Versions
  • Group Policy Object (GPO) Editor

Objective

Provide steps to configure GPO to create Sensor MSI logs automatically.

Resolution

Automatically create sensor .msi log files via Group Policy
Carbon Black recommends that you create a verbose .msi install log file to help troubleshoot Group Policy installation or upgrade issues.

  • To configure Group Policy to automatically create a Windows Installer .msi log:
  1. Open the Group Policy editor and expand Computer Configuration > Administrative Templates > Windows Components.
  2. Select Windows Installer and double-click either Logging or Specify the types of events Windows Installer records in its transaction log, depending on the Windows version.
  3. Select Enabled.
  4. In the Logging textbox, type voicewarmupx
  5. Select Save Changes.
NOTE: The msixxx.log file will be created in the Temp folder of the system volume (C:\Windows\Temp\).
NOTE: This setting will create an .msi install log for all users in the GPO.
 
  • To enable Windows Installer .msi logging using the registry:
  1. Go to registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer.
  2. Set registry value Logging to voicewarmupx
NOTE: If Group Policy is configured to automatically create a Windows Installer .msi log, this registry value (voicewarmupx) should match whatever is configured in Group Policy.

Additional Notes

  • Carbon Black recommends enabling this option to troubleshoot any GPO install, upgrade, or uninstall issues, as this will create a verbose MSI install log file. The verbose options will provide us with more information for troubleshooting installation or upgrade issues.
  • The Application event log will contain MsiInstaller events if the install is actually being attempted.
  • If there are no MsiInstaller events, check the System event log to see if there are any Group Policy events with error codes like %%1274.
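
The registry steps and the event-log checks above can be run as one PowerShell pass on an affected endpoint. This is an added example, not Carbon Black's own tooling; it assumes an elevated prompt, a 24-hour look-back window and an msi*.log file-name pattern, none of which are specified by the article.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt.
$keyPath  = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
$expected = 'voicewarmupx'            # logging flags given in this article
$lookback = (Get-Date).AddDays(-1)    # assumption: review the last 24 hours

# 1. Create the policy key if it is missing and set Logging as a string value.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
New-ItemProperty -Path $keyPath -Name 'Logging' -Value $expected `
    -PropertyType String -Force | Out-Null

# 2. Read the value back and compare it with what Group Policy should configure.
$actual = (Get-ItemProperty -Path $keyPath -Name 'Logging').Logging
if ($actual -ne $expected) {
    Write-Warning "Logging is '$actual', expected '$expected'."
}

# 3. List verbose installer logs written to the system Temp folder.
#    The msi*.log pattern is an assumption based on the msixxx.log name above.
$tempDir = Join-Path $env:SystemRoot 'Temp'
Get-ChildItem -Path $tempDir -Filter 'msi*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $lookback } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime

# 4. MsiInstaller events in the Application log show an install was attempted.
$msiEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $lookback
} -ErrorAction SilentlyContinue

if ($msiEvents) {
    $msiEvents | Select-Object -First 20 TimeCreated, Id, LevelDisplayName, Message
} else {
    # 5. No install attempt recorded: search the System log for %%1274.
    Write-Warning 'No MsiInstaller events found; searching the System log for %%1274.'
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $lookback } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*%%1274*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}
```

If the GPO sets a different Logging string, change `$expected` to match it so step 2 does not conflict with policy.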

Article Information
Creation Date: 02-06-2018