Environment

• EDR Sensor: All Versions
• Microsoft Windows: All Supported Versions

Objective

Resolution

1. Set the system to full memory dump collection All Products: How to Setup a Windows Machine for Full Memory Dump
2. High Memory but Download Notmyfault from Microsoft Sysinternal Tools and extract to a local folder
   • If the system is freezing due to high memory consumption, please follow Creating a Windows Crashdump Via Keyboard
3. Capture the following information during high memory consumption
   • Process Memory Dump
     1. Open task manager
     2. Find cb.exe under the process tab
     3. Right click cb.exe and select Create dump file 
   • Full system memory dump (Note: This will force create a BSOD that creates a memory dump)
     1. Open cmd
     2. At the command line, type NotMyFault64.exe /crash then press enter
     3. Note: for x86 systems, use NotMyFault.exe
4. Zip the C:\Windows\MEMORY.dmp file
5. Collect the sensor diagnostics
   • 6.2.2 and higher: EDR: How to Collect Windows Sensor Diagnostic Logs (6.2.2+)
   • 6.2.1 and below: EDR: How to Collect Windows Sensor Diagnostics Logs (6.2.1 and below)
6. Upload the Compressed Memory dump and Sensor Diags to support

Additional Notes

• It's important to collect these during the high points of memory consumption in order to get an accurate reading of the root case
• Full memory dump is required to get root cause, a minidump will only provide a small amount of info that may not result in getting resolution

Related Content