Environment
- App Control Agent (formerly CB Protection): All Supported Versions
- Microsoft Windows: All Supported Versions
Objective
Steps to enable the kernel driver logging on startup
Resolution
- Open a command prompt as Administrator
- Change directory to C:\Program Files (x86)\Bit9\Parity Agent (or the location where App Control is installed)
- Turn off tamper protection by running the following commands in order:
  dascli password <CLI or global password, entered without the angle brackets>
  dascli tamperprotect 0
  net stop parity (this requires admin rights)
  fltmc unload paritydriver
- Edit the registry
- Add or update the FlagsEx registry value under the following key:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\paritydriver\Parameters]
  FlagsEx REG_DWORD 0x80000000
- Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\] create a new key called ParityDriver and add the following values:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver]
  BufferSize REG_DWORD 0x10000
  ClockType REG_DWORD 0x00002
  FileName REG_SZ C:\Temp\Autolog.etl
  LogFileMode REG_DWORD 0x4
  GUID REG_SZ {5CBD99EC-AFCE-4FA0-A9ED-0E8C5F7F32FD}
  Start REG_DWORD 0x00000001
  Status REG_DWORD 0x00000000
- Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver] create a new key called {15565A80-7AAB-4752-A686-0F14408092C7} and add the following values:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver\{15565A80-7AAB-4752-A686-0F14408092C7}]
  Enabled REG_DWORD 0x00000001
  EnableFlags REG_DWORD 0x07ffffff
  EnableLevel REG_DWORD 0x00000004
  Status REG_DWORD 0x00000000
  This key name is the App Control application GUID; it must match the value shown exactly, or no events will be logged.
- Reboot the machine and verify that the C:\Temp\Autolog.etl file has been created
- Open regedit and check that the Status value under ParityDriver is 0 and that the Enabled value under ParityDriver\{15565A80-7AAB-4752-A686-0F14408092C7} is 1
- When done reproducing the issue and collecting the ETL log, remove the FlagsEx value and the ParityDriver key under Autologger from the registry; otherwise logging continues indefinitely and the ETL file will keep consuming disk space
- Reboot again to terminate the logging
- Verify that the C:\Temp\Autolog.etl file has a non-zero size and provide it along with the captured diagnostic file
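As an added example, not part of the original article, the following PowerShell script applies, checks and removes the registry settings from the steps above. It assumes an elevated PowerShell session in which tamper protection is already off and the driver unloaded, that C:\Temp may be created if it does not exist, and the function names are the example's own.

```powershell
# Added example (not from the KB): scripts the registry changes in the Resolution above.
$ParamKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\paritydriver\Parameters'
$LoggerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ParityDriver'
$ProviderKey = "$LoggerKey\{15565A80-7AAB-4752-A686-0F14408092C7}"
$EtlPath     = 'C:\Temp\Autolog.etl'

# REG_DWORD is stored as a signed Int32, so 0x80000000 must be reinterpreted, not cast,
# or New-ItemProperty rejects it as too large.
function Set-DwordValue($Path, $Name, [uint32]$Value) {
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $signed -Force | Out-Null
}

function Enable-ParityDriverLogging {
    New-Item -Path $ParamKey, $LoggerKey, $ProviderKey -Force | Out-Null
    Set-DwordValue $ParamKey 'FlagsEx' 0x80000000
    # Autologger session settings
    Set-DwordValue $LoggerKey 'BufferSize'  0x10000
    Set-DwordValue $LoggerKey 'ClockType'   0x2
    Set-DwordValue $LoggerKey 'LogFileMode' 0x4
    Set-DwordValue $LoggerKey 'Start'       0x1
    Set-DwordValue $LoggerKey 'Status'      0x0
    New-ItemProperty -Path $LoggerKey -Name FileName -PropertyType String -Value $EtlPath -Force | Out-Null
    New-ItemProperty -Path $LoggerKey -Name GUID -PropertyType String `
        -Value '{5CBD99EC-AFCE-4FA0-A9ED-0E8C5F7F32FD}' -Force | Out-Null
    # Provider subkey: the name is the App Control application GUID
    Set-DwordValue $ProviderKey 'Enabled'     0x1
    Set-DwordValue $ProviderKey 'EnableFlags' 0x07ffffff
    Set-DwordValue $ProviderKey 'EnableLevel' 0x4
    Set-DwordValue $ProviderKey 'Status'      0x0
    # Assumption: the ETL directory must exist before the session starts at boot
    New-Item -ItemType Directory -Path (Split-Path $EtlPath) -Force | Out-Null
}

# Post-reboot check from the KB: Status 0, Enabled 1, and a non-empty ETL file.
function Test-ParityDriverLogging {
    $status  = (Get-ItemProperty -Path $LoggerKey).Status
    $enabled = (Get-ItemProperty -Path $ProviderKey).Enabled
    $size    = if (Test-Path $EtlPath) { (Get-Item $EtlPath).Length } else { 0 }
    [pscustomobject]@{ Status = $status; Enabled = $enabled; EtlBytes = $size
                       Ok = ($status -eq 0 -and $enabled -eq 1 -and $size -gt 0) }
}

# Cleanup after collection: drop FlagsEx and the whole Autologger key, then reboot once more.
function Disable-ParityDriverLogging {
    Remove-ItemProperty -Path $ParamKey -Name FlagsEx -ErrorAction SilentlyContinue
    Remove-Item -Path $LoggerKey -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run Enable-ParityDriverLogging before the first reboot, Test-ParityDriverLogging after it, and Disable-ParityDriverLogging once the ETL has been collected.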