logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Carbon Black Cloud: Steps To Enable Complete/Full Dump For BSOD

Carbon Black Cloud: Steps To Enable Complete/Full Dump For BSOD

Environment

  • Carbon Black Cloud Sensor
  • Microsoft Windows: All Supported Versions

Objective

How to to enable a system to generate a complete memory dump upon BSOD, or when forcing the machine to crash manually.

Resolution

Copy the following text into notepad and save the file with a «.reg» extension.

Windows Registry Editor Version 5.00
;* Configures the system to save a complete memory dump upon bug check.
;* Note: You will also need to ensure that the page file on C: is larger than the amount of installed RAM.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000001
"CrashDumpEnabled"=dword:00000001
"Overwrite"=dword:00000001
"LogEvent"=dword:00000001
"EnableLogFile"=dword:00000001
"DumpLogLevel"=dword:00000001
"AlwaysKeepMemoryDump"=dword:00000001
;* Configures the system to manually crash by holding down the right Ctrl key and pressing the Scroll Lock key twice
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001

 

  1. Backup the Windows registry
  2. Import above .reg file by clicking on it twice and accepting when prompted for confirmation
  3. Navigate to the paths above in the registry to confirm the values were successfully imported
  4. Ensure the pagefile is larger than the amount of installed RAM, normally by at least 300 MB (System Properties → System → Change Settings → Advanced → Performance → Advanced → Virtual Memory/Change)
  5. Reboot the machine
  6. Full memory dump will be generated should the machine present a blue screen of death (BSOD)
  7. To force the BSOD upon system hang, while in the hung state, hold the «Control» Key, while holding it, press the «Scroll lock» button twice, a full memory dump should be generated in the %SystemRoot%\memory.dmp directory (typically c:\windows\memory.dmp)
  8. Collect the .dmp file, compress it as .zip and kindly upload into the case
  9. From the same machine, after rebooting, run an elevated command prompt (right click cmd.exe and run as admin) and run, after ensuring c:\temp exists before running the command:
"c:\program files\confer\repcli.exe" capture c:\temp
  1. Rename the resulting file (psc_sensor.zip) by prepending the hostname to it, from C:\TEMP\ and please also upload into the case
     

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎11-27-2018
Views:
3621
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.