
Carbon Black Cloud: Steps To Enable Complete/Full Dump For BSOD

Environment

  • Carbon Black Cloud Sensor
  • Microsoft Windows: All Supported Versions

Objective

How to enable a system to generate a complete memory dump on a BSOD, or when the machine is forced to crash manually from the keyboard.

Resolution

Copy the following text into Notepad and save the file with a «.reg» extension.

Windows Registry Editor Version 5.00
;* Configures the system to save a complete memory dump upon bug check.
;* Note: You will also need to ensure that the page file on C: is larger than the amount of installed RAM.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000001
"CrashDumpEnabled"=dword:00000001
"Overwrite"=dword:00000001
"LogEvent"=dword:00000001
"EnableLogFile"=dword:00000001
"DumpLogLevel"=dword:00000001
"AlwaysKeepMemoryDump"=dword:00000001
;* Configures the system to manually crash by holding down the right Ctrl key and pressing the Scroll Lock key twice
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
"CrashOnCtrlScroll"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll"=dword:00000001

  1. Back up the Windows registry
  2. Import the .reg file above by double-clicking it and accepting the confirmation prompt
  3. Navigate to the paths above in the registry to confirm the values were imported
  4. Ensure the pagefile on the system drive is larger than the amount of installed RAM, normally by at least 300 MB (System Properties → System → Change Settings → Advanced → Performance → Advanced → Virtual Memory/Change)
  5. Reboot the machine (the CrashOnCtrlScroll setting only takes effect after a restart)
  6. A complete memory dump will be generated should the machine present a blue screen of death (BSOD)
  7. To force a BSOD while the machine is hung, hold the right «Ctrl» key and, while holding it, press the «Scroll Lock» key twice; the dump is written to the file %SystemRoot%\MEMORY.DMP (typically C:\Windows\MEMORY.DMP). A keyboard-initiated crash reports bug check 0xE2 (MANUALLY_INITIATED_CRASH)
  8. Collect the .dmp file, compress it as .zip and upload it into the case. The dump contains the entire contents of RAM, including any credentials and keys that were in memory at the time, so restrict access to it and delete local copies once the case no longer needs them
  9. From the same machine, after rebooting, open an elevated command prompt (right-click cmd.exe and select Run as administrator), make sure c:\temp exists, and run:
"c:\program files\confer\repcli.exe" capture c:\temp
  10. Rename the resulting file (C:\TEMP\psc_sensor.zip) by prepending the hostname to it, and upload it into the case as well
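The whole procedure above as one script, added here as an example; it is not from the KB article and not a Carbon Black tool. Enable-CompleteDump applies and reads back the same registry values as the .reg file (steps 1-3) and checks the pagefile against installed RAM (step 4); Export-CrashArtifacts, run after the crash and reboot, sanity-checks MEMORY.DMP, zips it, and renames the repcli capture (steps 6-10). Assumptions not stated on the page: Windows PowerShell 5.1 or later, C:\temp as the working directory, the sensor under %ProgramFiles%\confer, and the extra hyperkbd key, which Hyper-V guests need for the keyboard crash to work.

```powershell
#Requires -RunAsAdministrator
# Added example, not taken from the original KB article and not a Carbon Black tool.
# Assumed: Windows PowerShell 5.1 or later, the sensor under %ProgramFiles%\confer,
# and C:\temp as the working directory used in the steps above.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$CrashControlValues = @{
    AutoReboot = 1; CrashDumpEnabled = 1; Overwrite = 1; LogEvent = 1
    EnableLogFile = 1; DumpLogLevel = 1; AlwaysKeepMemoryDump = 1
}
# CrashOnCtrlScroll is read by the keyboard drivers: kbdhid (USB) and i8042prt (PS/2).
# A Hyper-V guest's keyboard goes through hyperkbd, which honours the same value (assumption: added only if present).
$KeyboardDrivers = @('kbdhid', 'i8042prt')
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\hyperkbd') { $KeyboardDrivers += 'hyperkbd' }
$KeyboardKeys = $KeyboardDrivers | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_\Parameters" }

function Test-PagefileSize {
    # Step 4: the complete dump is staged through the pagefile on the system drive, so the
    # pagefile must be larger than installed RAM. Summing the DIMMs never comes out below
    # what the OS reports, so the check errs on the safe side.
    $ram = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum
    if (-not $ram) { $ram = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory }
    $requiredMB = [math]::Ceiling($ram / 1MB) + 300   # the 300 MB headroom from step 4
    $pf = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$env:SystemDrive*" }
    $pfMB = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }
    $auto = (Get-CimInstance Win32_ComputerSystem).AutomaticManagedPagefile
    # A system-managed pagefile may be smaller than RAM at crash time, so it does not count.
    if ($auto -or $pfMB -lt $requiredMB) {
        Write-Warning ("Pagefile on {0} is {1} MB (system-managed: {2}); set a fixed size of at least {3} MB and reboot." -f $env:SystemDrive, $pfMB, $auto, $requiredMB)
        return $false
    }
    return $true
}

function Enable-CompleteDump {
    param([string]$WorkDir = 'C:\temp')
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # Step 1: export the key before changing it, so the old settings can be restored.
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\CrashControl' "$WorkDir\CrashControl.backup.reg" /y | Out-Null
    # Step 2: same values as the .reg file above; CrashDumpEnabled=1 selects a Complete dump.
    foreach ($name in $CrashControlValues.Keys) {
        Set-ItemProperty -Path $CrashControl -Name $name -Value $CrashControlValues[$name] -Type DWord
    }
    foreach ($key in $KeyboardKeys) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name CrashOnCtrlScroll -Value 1 -Type DWord
    }
    # Step 3: read every value back rather than trusting the writes.
    $cc = Get-ItemProperty -Path $CrashControl
    foreach ($name in $CrashControlValues.Keys) {
        if ($cc.$name -ne $CrashControlValues[$name]) { throw "CrashControl\$name was not set" }
    }
    foreach ($key in $KeyboardKeys) {
        if ((Get-ItemProperty -Path $key).CrashOnCtrlScroll -ne 1) { throw "$key\CrashOnCtrlScroll was not set" }
    }
    Test-PagefileSize | Out-Null
    Write-Host 'Settings applied; reboot before testing (step 5).'
}

function Export-CrashArtifacts {
    param([string]$WorkDir = 'C:\temp')
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $dump = Join-Path $env:SystemRoot 'MEMORY.DMP'
    if (-not (Test-Path $dump)) { throw "No dump found at $dump" }
    # Steps 6-7: sanity-check the file before shipping it. A crash dump starts with the
    # signature 'PAGEDU64' (x64) or 'PAGEDUMP' (x86); the bug check code follows at offset
    # 0x38 (x64) or 0x28 (x86). A keyboard-initiated crash is 0xE2 (MANUALLY_INITIATED_CRASH).
    $hdr = New-Object byte[] 0x40
    $fs = [System.IO.File]::OpenRead($dump)
    try { $null = $fs.Read($hdr, 0, $hdr.Length) } finally { $fs.Dispose() }
    $sig = [System.Text.Encoding]::ASCII.GetString($hdr, 0, 8)
    $codeOffset = switch ($sig) { 'PAGEDU64' { 0x38 } 'PAGEDUMP' { 0x28 } default { throw "Not a crash dump: '$sig'" } }
    $bugCheck = [BitConverter]::ToUInt32($hdr, $codeOffset)
    $sizeMB = [math]::Round((Get-Item $dump).Length / 1MB)
    Write-Host ("{0} dump, bug check 0x{1:X8}, {2} MB" -f $sig, $bugCheck, $sizeMB)
    # Step 8: zip the dump. Compress-Archive in Windows PowerShell 5.1 fails on files over
    # 2 GB, which a complete dump usually is, so use the .NET ZipFile API directly.
    Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem
    $zip = Join-Path $WorkDir "$($env:COMPUTERNAME)_memory.zip"
    if (Test-Path $zip) { Remove-Item $zip }
    $archive = [System.IO.Compression.ZipFile]::Open($zip, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        [System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($archive, $dump, 'MEMORY.DMP',
            [System.IO.Compression.CompressionLevel]::Optimal) | Out-Null
    } finally { $archive.Dispose() }
    # Steps 9-10: sensor diagnostics, with the hostname prepended to repcli's psc_sensor.zip.
    & "$env:ProgramFiles\confer\repcli.exe" capture $WorkDir
    $capture = Join-Path $WorkDir 'psc_sensor.zip'
    if (Test-Path $capture) {
        Move-Item -Path $capture -Destination (Join-Path $WorkDir "$($env:COMPUTERNAME)_psc_sensor.zip") -Force
    }
    Get-ChildItem $WorkDir -Filter "$($env:COMPUTERNAME)_*.zip"
}

# Usage (elevated PowerShell):
#   Enable-CompleteDump       # steps 1-4, then reboot (step 5)
#   Export-CrashArtifacts     # steps 6-10, after the crash and reboot
```

Once the artifacts are uploaded, set CrashOnCtrlScroll back to 0 under the same keys and reboot: while it is enabled, anyone with keyboard access to the machine can take it down at will. The CrashControl.backup.reg written by Enable-CompleteDump restores the original dump settings.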

Article Information
Creation Date: 11-27-2018