Environment
- Carbon Black Cloud: All Supported Versions
- Microsoft Windows: All Supported Versions
Question
How to collect a ProcDump to aid in troubleshooting performance cases
Answer
- Download ProcDump tool via https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
- Open admin CMD prompt.
- Run commands:
cd c:\program files\confer
repcli bypass 1
sc qprotection cbdefense -- Result will show either ANTIMALWARE LIGHT or None
repcli registerProtectedSvcs 0 -- This can be skipped if the result of the previous command is "None"
repcli unlock <uninstall-code>
repcli deletepolicy 1DED7E47-CE4C-448E-AD01-6F4AC3CE7F5D
repcli stopCbServices
sc start cbdefense
repcli bypass 0
- Change directory to where procdump was saved
- Use Task Manager to identify the Process ID (PID) of the process causing the CPU spike (Task Manager > More Details > Details tab)
- In the Command Prompt, execute the following command: "procdump.exe -ma -s 5 -n 5 [PID]", replacing [PID] with the application's PID and omitting the square brackets.
- This command will capture a user dump sample of the spiking process every 5 seconds, 5 times.
- Please allow the process to remain running for at least these 25 seconds so the capture can complete.
- The dump files will be written to the directory from which procdump.exe is executed
- Run commands:
cd c:\program files\confer
repcli bypass 1
repcli registerProtectedSvcs 1 -- Unnecessary if it was skipped in step 3
repcli restorepolicy
repcli stopCbServices
-- If using a sensor version prior to 3.6.0.1897, edit cfg.ini and remove "UnregisterProtected=True"
sc start cbdefense
repcli bypass 0
- Please zip all files and upload them to the CB Vault here - https://community.carbonblack.com/groups/cb-vault
- Once the upload completes, please comment on the support case that the data is available for review
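As an alternative to reading the PID from Task Manager, the script below samples per-process CPU time over a short window, picks the largest consumer, and runs the ProcDump command from the steps above against it. This is an added example, not part of the original article or Carbon Black tooling; the parameter names, the 5-second sampling window and the assumption that it is run from an elevated PowerShell prompt in the ProcDump folder are illustrative.

```powershell
# Added example: find the process with the largest CPU-time increase over a
# short window, then capture the dumps described in the steps above.
param(
    [int]$SampleSeconds = 5,                    # assumption: sampling window
    [string]$ProcDumpPath = '.\procdump.exe'    # assumption: run from the ProcDump folder
)

# Snapshot cumulative CPU seconds per PID (inaccessible processes report $null).
function Get-CpuSnapshot {
    $snap = @{}
    foreach ($p in Get-Process) {
        if ($null -ne $p.CPU) { $snap[$p.Id] = $p.CPU }
    }
    return $snap
}

$before = Get-CpuSnapshot
Start-Sleep -Seconds $SampleSeconds
$after = Get-CpuSnapshot

# CPU seconds consumed during the window, for PIDs present in both snapshots.
$deltas = foreach ($id in $after.Keys) {
    if ($before.ContainsKey($id)) {
        [pscustomobject]@{ Id = $id; CpuDelta = [math]::Round($after[$id] - $before[$id], 2) }
    }
}
$top = $deltas | Sort-Object CpuDelta -Descending | Select-Object -First 1
if (-not $top -or $top.CpuDelta -le 0) {
    throw 'No process consumed CPU during the sampling window.'
}

# Fails here if the process exited between sampling and dumping.
$name = (Get-Process -Id $top.Id -ErrorAction Stop).ProcessName
Write-Host "Top CPU consumer: $name (PID $($top.Id)), $($top.CpuDelta) CPU-seconds in $SampleSeconds s"

# Same arguments as the step above: full dump (-ma), 5 dumps (-n 5), 5 seconds apart (-s 5).
& $ProcDumpPath -accepteula -ma -s 5 -n 5 $top.Id
```

Confirm the reported process name matches the application under investigation before uploading the dumps.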