Collect Process Monitor Logs (Windows)

Issue

User suspects that there are interoperability issues between the VMware Carbon Black Cloud sensor and another program installed on an endpoint.

Environment

VMware Carbon Black Cloud Sensor

VMware Carbon Black EDR Sensor

Microsoft Windows: All supported versions

Prerequisites:

If collecting a Procmon for the VMware Carbon Black Cloud sensor:

• RepCLI Authentication must be enabled. If RepCLI Authentication was not enabled during the initial sensor install then RepCLI Authentication can be enabled on existing sensor installations
• Create a folder where all logs will be saved. For the purposes of this document, this location will be referenced as c:\temp although the c:\temp file location can be replaced with whatever location you have specified for saving the log files.
• Ensure wpr.exe exists in C:\Windows\System32\
  
  NOTE: If C:\Windows\System32\wpr.exe does not exist, download Debugging Tools for Windows and at the "Select the features you want to download" install prompt deselect all other options except "Windows Performance Toolkit". WPR.exe will download to C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit by default. Once downloaded copy wpr.exe to C:\Windows\System32\ 

Resolution for a Procmon for Sensor Performance

1. Download the latest Process Monitor (Procmon) from sysinternals
   • https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
2. Unzip and place Procmon in an easy to find location
3. Open Procmon and Press Ctrl+E to stop the capture
4. Go to Options > Profiling Events > Generate Thread Profiling every second
5. Go to Filter and uncheck the filtering "Process Name is System"
6. Start the capture (Ctrl+E) when ready to reproduce
7. After reproduction, stop the capture (Ctrl+E).
8. Save the file as .PML, then when prompted, select "All Events" and "OK".
9. Zip the PML file before sending to reduce the size

Source: Collect a Procmon for Sensor Performance

Resolution for a Low Altitude Procmon Capture 

VMware has provided a script that will capture the necessary data sets for investigating potential interoperability issues. Download the attached document, which contains the instructions for executing this process, as well as the corresponding files at the bottom of this article.

Resolution for a Boot-Logging Enabled Procmon Capture

1. Download and install Process Monitor ( Process Monitor - Windows Sysinternals)
2. Open ProcMon
3. Navigate to Options > Click Enable Boot Logging
4. From the resulting Dialog box, Select 'Generate profiling events'  'every 100 milliseconds'
5. Reboot the PC
6. Open ProcMon
7. Click yes on prompt "A log of boot-time activity was created by a previous instance of Process Monitor. Do you wish to save the collected data now?"
8. Save the file as type 'Procmon Log (*.PML) with the format of Devicename-bootlog (e.g:laptop1-bootlog)
9. Close Procmon once file has been saved.
   

Source: How to Collect Procmon Logs with Boot-logging Enabled

Additional Notes

• The WPR Trace cannot be collected at the same time as a Procmon Log.
• The repcli unlock <uninstall-code>command is not needed for deleting a policy, only for adding/updating a policy.
• Both Sensor Service (repmgr stack) and File Filter Driver (ctifile) stack info are required to troubleshoot sensor performance issues. The steps above will ensure that Sensor Service (repmgr stack) info is included in Procmon Logs, but LowAltProcmon will be needed to ensure that File Filter Driver (ctifile) stack information is included in the procmon capture.