
EDR: Enable Verbose Logging remotely on Windows sensor

Environment

  • EDR Sensor: 5.x and Higher (formerly CB Response)
  • EDR Console: 5.x and Higher
  • Microsoft Windows: All Supported Versions

Objective

  • How to enable verbose user-mode and kernel-mode sensor logging remotely via CB Live Response.

Resolution

  1. Back up the registry (at minimum the HKLM\Software\CarbonBlack\config key) prior to enabling logging.
  2. Remotely enable verbose logging:
    • Establish a CB Live Response session with the endpoint.
    • Enter the following two commands within CB Live Response:
reg add HKLM\Software\CarbonBlack\config -v DebugLevel -t REG_DWORD -d 7
reg add HKLM\Software\CarbonBlack\config -v KernelDebugLevel -t REG_DWORD -d 7
    • The registry settings do not take effect until the user-mode sensor service is restarted. Send service control code 203 to the carbonblack service:
execfg cmd.exe /K "sc control carbonblack 203"
  3. Reproduce the issue.
  4. Collect logs:
    • Disable verbose logging in Live Response. Level 7 produces a large volume of log data, so do not leave it enabled longer than the reproduction requires. Deleting the values returns the sensor to its default log level; if the key held non-default values before step 2, restore them from the backup instead:
reg delete HKLM\Software\CarbonBlack\config /v DebugLevel /f
reg delete HKLM\Software\CarbonBlack\config /v KernelDebugLevel /f
execfg cmd.exe /K "sc control carbonblack 203"
    • Upload the diagnostics to the CB Vault.
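The same enable, reproduce, disable sequence can be driven from the Live Response API rather than typed into the console, which is useful when the procedure has to be repeated on several sensors. The following script is an added example, not code from this article or from Carbon Black. It assumes the cbapi Live Response session methods get_registry_value, set_registry_value, delete_registry_value and create_process with the signatures shown, assumes cbapi raises an exception when a queried value is absent, and uses a placeholder sensor id and profile name. Unlike the console steps above it snapshots the existing DebugLevel and KernelDebugLevel values before changing them and restores those values (instead of blindly deleting) when logging is switched off; the RecordingSession class is a constructed stand-in so the logic can be exercised offline.

```python
"""Enable and disable verbose EDR Windows sensor logging over a Live Response session.

Added example; not code from the knowledge-base article or from Carbon Black.
Assumes cbapi's LiveResponseSession methods: get_registry_value(path),
set_registry_value(path, value, overwrite=True, value_type=None),
delete_registry_value(path) and create_process(cmd, ...). Sensor id and
profile name in main() are placeholders.
"""

CONFIG_KEY = r"HKLM\Software\CarbonBlack\config"
VALUES = ("DebugLevel", "KernelDebugLevel")
VERBOSE = 7
# Control code the article sends so the user-mode service picks up the new level.
RELOAD_CMD = "sc control carbonblack 203"


def _value_path(name):
    return CONFIG_KEY + "\\" + name


def read_current(session):
    """Snapshot the current values so they can be restored later, not just deleted."""
    snapshot = {}
    for name in VALUES:
        try:
            info = session.get_registry_value(_value_path(name))
            snapshot[name] = int(info["value_data"])
        except Exception:  # assumption: cbapi raises when the value does not exist
            snapshot[name] = None
    return snapshot


def enable_verbose_logging(session):
    """Set both debug levels to 7 and signal the service; return the prior values."""
    prior = read_current(session)
    for name in VALUES:
        session.set_registry_value(_value_path(name), VERBOSE,
                                   overwrite=True, value_type="REG_DWORD")
    session.create_process(RELOAD_CMD, wait_for_completion=True)
    return prior


def disable_verbose_logging(session, prior):
    """Restore each value to what it was before; delete it if it did not exist."""
    for name in VALUES:
        old = prior.get(name)
        if old is None:
            session.delete_registry_value(_value_path(name))
        else:
            session.set_registry_value(_value_path(name), old,
                                       overwrite=True, value_type="REG_DWORD")
    session.create_process(RELOAD_CMD, wait_for_completion=True)


class RecordingSession:
    """Constructed stand-in for a cbapi LiveResponseSession (offline dry run only)."""

    def __init__(self, registry=None):
        self.registry = dict(registry or {})
        self.calls = []

    def get_registry_value(self, path):
        self.calls.append(("get", path))
        if path not in self.registry:
            raise KeyError(path)
        return {"value_name": path.rsplit("\\", 1)[1],
                "value_type": "REG_DWORD", "value_data": self.registry[path]}

    def set_registry_value(self, path, value, overwrite=True, value_type=None):
        self.calls.append(("set", path, value, value_type))
        self.registry[path] = value

    def delete_registry_value(self, path):
        self.calls.append(("delete", path))
        self.registry.pop(path, None)

    def create_process(self, cmd, **kwargs):
        self.calls.append(("exec", cmd))
        return b""


def dry_run(initial=None):
    """Run the full cycle against the fake session; return (prior, during, after, calls)."""
    sess = RecordingSession(initial)
    prior = enable_verbose_logging(sess)
    during = dict(sess.registry)
    disable_verbose_logging(sess, prior)
    return prior, during, dict(sess.registry), sess.calls


if __name__ == "__main__":
    # Real use (placeholders for profile and sensor id):
    # from cbapi.response import CbResponseAPI, Sensor
    # cb = CbResponseAPI(profile="default")
    # with cb.select(Sensor, 1234).lr_session() as session:
    #     prior = enable_verbose_logging(session)
    #     input("Reproduce the issue, then press Enter to revert...")
    #     disable_verbose_logging(session, prior)
    print(dry_run({CONFIG_KEY + "\\DebugLevel": 3}))
```

Because the restore step reuses the snapshot taken before the change, a sensor that was already running at a non-default level is put back to that level rather than to the default, which is what the backup in step 1 is meant to make possible.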

Article Information
Creation Date: 11-21-2018