Environment
- EDR Sensor: 6.x and Higher
- Microsoft Windows: All Supported Versions
Objective
To collect relevant logs on a Microsoft Windows endpoint in order to troubleshoot most performance-related issues. Typical issues include:
- General system performance issues
- High CPU/Memory of EDR process
- High CPU/Memory of third-party applications
Resolution
- Log onto the Windows endpoint exhibiting performance issues.
- If necessary, disable CB Tamper Protect: App Control: How to Disable/Enable the Carbon Black Tamper Protect Updater
- Enable verbose logging (optional): EDR: How to Enable Verbose Logging Locally on Windows Sensor
- Required (choose the collection that matches the symptom):
  - For performance issues involving another application: EDR: How to collect a Procmon for Sensor Performance
  - For Boot/Login performance issues: EDR: How to collect a Procmon for Boot/Login Sensor Performance
  - For High CPU issues: EDR: Using Windows Performance Recorder
  - For High Memory issues: EDR: How to Create a Memory Dump during High Memory Usage Troubleshooting (Windows)
- Generate a Windows sensor report: EDR: How to Collect Windows Sensor Diagnostic Logs (6.2.2+)
- Disable verbose logging (if previously enabled)
- Upload all log files to CB Vault.
- Update your Carbon Black Technical Support case with further relevant information:
  - Is the performance issue a reproducible scenario and, if so, what steps, if any, are taken to reproduce it? (For example, were any backups, updates, or large file transfers being performed?)
  - How many endpoints are affected? What are their general system profiles and function?
  - What other security applications/real-time scanners are installed?
  - How long do the performance issues last?
  - What actions, if any, return the system performance to normal?
  - Is the endpoint connected to any network shares?
  - Does this endpoint generate a large number of logs, binaries, or PDF reports?
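The following PowerShell script is an added example, not Carbon Black tooling or part of the linked articles: it records the endpoint facts the support-case questions above ask for (system profile, registered security products, mapped shares, busiest processes) and bundles them with the logs already collected into one archive for upload. The folder `C:\PerfTroubleshooting` and the output path are assumptions; change them to wherever the Procmon, WPR, dump and sensor-report files were saved.

```powershell
# Added example: summarise endpoint state for the support case and zip the collected logs.
param(
    [string]$LogDir  = "C:\PerfTroubleshooting",   # assumed folder holding Procmon/WPR/dump/sensor report files
    [string]$OutFile = "C:\PerfTroubleshooting-$env:COMPUTERNAME.zip"
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$summary = Join-Path $LogDir "endpoint-summary.txt"

# General system profile: OS build, CPU count, RAM, uptime
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
$lines = @(
    "Host: $env:COMPUTERNAME",
    "OS: $($os.Caption) $($os.Version)",
    "Logical CPUs: $($cs.NumberOfLogicalProcessors)",
    "RAM (GB): $([math]::Round($cs.TotalPhysicalMemory / 1GB, 1))",
    "Uptime (h): $([math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1))"
)

# Other security applications / real-time scanners registered with Security Center
# (the SecurityCenter2 namespace exists on client SKUs only; servers return nothing here)
$av = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$lines += "Registered AV products: " + (($av.displayName | Sort-Object -Unique) -join ", ")

# Network shares the endpoint is connected to
$shares = Get-SmbMapping -ErrorAction SilentlyContinue
$lines += "SMB mappings: " + (($shares | ForEach-Object { "$($_.LocalPath)=$($_.RemotePath)" }) -join "; ")

# Busiest processes at collection time, so the EDR process can be compared with third-party ones
$lines += "Top processes by CPU time:"
$lines += Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 |
    ForEach-Object { "  {0,-30} CPU(s)={1,10:N1} WS(MB)={2,8:N0}" -f $_.ProcessName, $_.CPU, ($_.WorkingSet64 / 1MB) }

$lines | Set-Content -Path $summary -Encoding UTF8

# Bundle everything in the folder (PML, ETL, dumps, sensor report, summary) for upload to CB Vault
Compress-Archive -Path (Join-Path $LogDir '*') -DestinationPath $OutFile -Force
Write-Host "Wrote $OutFile"
```

Run it from an elevated PowerShell session after the Procmon, WPR, dump and sensor-report steps above, and before disabling verbose logging, so the summary reflects the state the logs were captured in.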
Additional Notes
- Not all logs above may be required to troubleshoot every performance-related issue.