KB Article | Forcepoint Support

Notes & Warnings

If it is preferable to decouple the application binaries completely from being monitored by the Endpoint, please refer to the Advanced Tab documentation for instructions.

Take care to roll back registry changes after the memory dump is collected.

The information in this article recommends editing the registry. Before proceeding, back up the registry, and be sure you understand how to restore the registry if a problem occurs. Refer to the Microsoft Knowledge Base for information on backing up, restoring, and editing the registry.
 
Forcepoint provides information on how to edit the Windows registry as a convenience to its customers, but does not support Windows in any way and will not be responsible for any problems that may arise from such editing.
 
WARNING: Using Registry Editor incorrectly may cause serious problems that could require you to reinstall the operating system. Use Registry Editor at your own risk.

Problem Description

The Forcepoint Endpoint Client can encounter driver conflicts with other client-side applications. Symptoms include application crashes, hangs, or degraded overall system performance. In these situations, it is helpful to collect a full memory dump by initiating a BSoD (Blue Screen of Death) on the client machine.
 
A common log entry pertaining to driver errors is the following within DebugDump.txt:

[DataSecurityEngine]: fail to create QIP

 
The resulting memory dump can be provided to Engineering for review.
 

Resolution

Option 1 - NotMyFault Tool

If you can access the machine to reproduce the issue on-demand, you can use the Microsoft SysInternals NotMyFault tool to take kernel or complete crash dumps. To do this, follow these steps:

  1. Download the NotMyFault tool from the Microsoft Sysinternals website.
  2. Click Start, locate and right-click Command Prompt, and then click Run as administrator.
  3. Reproduce the issue.
  4. At the command line, type NotMyFault.exe /crash, and then press ENTER.

Note: This will generate a memory dump file and a "Stop D1" error.

 

Option 2 - Registry Modification

The following will take a "Full User-Mode Dump" which usually contains more information.

Follow the steps below in order to capture a crash dump on the user's machine:

  1. Open the Windows Registry Editor and go to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
    • Create a LocalDumps Key (folder) if not already present
  2. Inside the LocalDumps key, create the following:
    • Expandable String Value named "DumpFolder" with value %LOCALAPPDATA%\CrashDumps
    • DWORD named "DumpCount" with decimal value 10
    • DWORD named "DumpType" with decimal value 2
  3. Have the end user work as normal until the issue occurs (that is, until the application crashes).
  4. Immediately collect the crash dump in C:\Users\<user_name>\AppData\Local\CrashDumps
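The Option 2 registry changes, including the rollback that the Notes & Warnings section asks for, as a PowerShell script. This is an added example, not part of the Forcepoint article; the script name Set-LocalDumps.ps1 and the Enable/Verify/Rollback actions are assumptions. It writes exactly the three values listed above and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the Forcepoint article): enable, verify, or roll back the
# Windows Error Reporting LocalDumps settings from Option 2.
# Hypothetical file name: Set-LocalDumps.ps1. Run from an elevated PowerShell prompt.
# Values as in the article: DumpFolder = %LOCALAPPDATA%\CrashDumps (REG_EXPAND_SZ),
# DumpCount = 10 (DWORD), DumpType = 2 (DWORD, full user-mode dump).
[CmdletBinding()]
param(
    [ValidateSet('Enable', 'Verify', 'Rollback')]
    [string]$Action = 'Enable'
)

$LocalDumps = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

switch ($Action) {
    'Enable' {
        # Create the LocalDumps key (folder) if it is not already present.
        if (-not (Test-Path $LocalDumps)) {
            New-Item -Path $LocalDumps -Force | Out-Null
        }
        # REG_EXPAND_SZ (ExpandString) so that WER expands %LOCALAPPDATA% for the user
        # whose application crashes, not this script for the administrator running it.
        New-ItemProperty -Path $LocalDumps -Name 'DumpFolder' -Value '%LOCALAPPDATA%\CrashDumps' `
            -PropertyType ExpandString -Force | Out-Null
        # Keep at most 10 dumps in the folder.
        New-ItemProperty -Path $LocalDumps -Name 'DumpCount' -Value 10 -PropertyType DWord -Force | Out-Null
        # DumpType 2 = full user-mode dump (1 = mini dump, 0 = custom).
        New-ItemProperty -Path $LocalDumps -Name 'DumpType' -Value 2 -PropertyType DWord -Force | Out-Null
        Write-Host 'LocalDumps enabled; dumps will be written under %LOCALAPPDATA%\CrashDumps.'
    }
    'Verify' {
        if (Test-Path $LocalDumps) {
            $key = Get-Item -Path $LocalDumps
            # Read DumpFolder unexpanded so the stored %LOCALAPPDATA% text is shown,
            # not the administrator's own profile path.
            [pscustomobject]@{
                DumpFolder = $key.GetValue('DumpFolder', $null, 'DoNotExpandEnvironmentNames')
                DumpCount  = $key.GetValue('DumpCount')
                DumpType   = $key.GetValue('DumpType')
            }
        } else {
            Write-Host 'LocalDumps key not present; WER local dumps are not enabled.'
        }
    }
    'Rollback' {
        if (Test-Path $LocalDumps) {
            foreach ($name in 'DumpFolder', 'DumpCount', 'DumpType') {
                Remove-ItemProperty -Path $LocalDumps -Name $name -ErrorAction SilentlyContinue
            }
            # Remove the key itself only if nothing else remains in it (other values or
            # per-application subkeys may have been there before Enable was run).
            $key = Get-Item -Path $LocalDumps
            if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) {
                Remove-Item -Path $LocalDumps
            }
        }
        Write-Host 'LocalDumps settings rolled back.'
    }
}
```

Usage: `.\Set-LocalDumps.ps1 -Action Enable` before the user reproduces the issue, `.\Set-LocalDumps.ps1 -Action Verify` to confirm the stored values, and `.\Set-LocalDumps.ps1 -Action Rollback` once the dump has been collected from C:\Users\<user_name>\AppData\Local\CrashDumps. The Rollback action removes only the three values it created, so an existing LocalDumps key with other settings is left in place.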

Option 3 - CrashDumpEnabled

See the Microsoft CrashDumpEnabled article on enabling the option to create a full memory dump.

Performing a BSoD on Demand:
"Forcing a System Crash from the Keyboard"

  1. Enable a crash dump file:
    1. Navigate to the Control Panel.
    2. Double-click the System icon.
    3. Click the Advanced tab.
    4. Click the Settings button in the "Startup and Recovery" section.
    5. In the "Write Debugging Information" section, select Complete Memory Dump.
    6. Deselect the "Automatically Reboot" option.
  2. Depending on whether the machine uses a PS/2 or USB keyboard, create the "CrashOnCtrlScroll" DWORD value of 0x00000001 under either:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters] (PS/2)
    or
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters] (USB)
  3. Reproduce the issue.
  4. Wait long enough to ensure that the machine is in the midst of the problem, then force Windows to crash and write a kernel-mode memory dump by holding down the right CTRL key and pressing the SCROLL LOCK key twice.

    For example, if the machine is "hung" or "frozen," wait 120 seconds or so before forcing the dump. Or, if you are experiencing an unexpected 15 second delay, wait until you are at least 5 seconds into the delay before forcing the dump.
  5. Once complete, ZIP the dump file before moving it off the machine to ensure that the dump file is transferred intact.
  6. Supply the crash dump file and the zip file created by running ClientInfo.exe to Forcepoint Technical Support.
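The Option 3 settings as a PowerShell script: the two CrashControl values that the Startup and Recovery dialog changes (complete memory dump, no automatic reboot) and the CrashOnCtrlScroll value for both keyboard driver paths, with a backup file so the originals can be restored afterwards. This is an added example, not part of the Forcepoint article; the script name Enable-CrashOnCtrlScroll.ps1, the backup file location and the page file check are assumptions. Run it from an elevated prompt and reboot before reproducing the issue, because the keyboard driver reads CrashOnCtrlScroll only when it loads.

```powershell
# Added example (not from the Forcepoint article): apply or roll back the registry
# settings behind Option 3 (complete memory dump on a keyboard-triggered crash).
# Hypothetical file name: Enable-CrashOnCtrlScroll.ps1. Run from an elevated prompt;
# a reboot is required before the Right CTRL + SCROLL LOCK (x2) sequence works.
[CmdletBinding()]
param(
    [ValidateSet('Enable', 'Rollback')]
    [string]$Action = 'Enable',
    # Assumed location for the saved original values.
    [string]$BackupFile = "$env:ProgramData\CrashOnCtrlScroll-backup.json"
)

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$KeyboardKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',  # PS/2 keyboards
    'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards
)

function Get-RawValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    return (Get-Item -Path $Path).GetValue($Name, $null)
}

switch ($Action) {
    'Enable' {
        # Record the current CrashControl values so Rollback can restore them exactly.
        $backup = @{
            CrashDumpEnabled = Get-RawValue $CrashControl 'CrashDumpEnabled'
            AutoReboot       = Get-RawValue $CrashControl 'AutoReboot'
        }
        $backup | ConvertTo-Json | Set-Content -Path $BackupFile

        # CrashDumpEnabled 1 = Complete Memory Dump; AutoReboot 0 = "Automatically Reboot" off.
        Set-ItemProperty -Path $CrashControl -Name 'CrashDumpEnabled' -Value 1 -Type DWord
        Set-ItemProperty -Path $CrashControl -Name 'AutoReboot' -Value 0 -Type DWord

        # Set CrashOnCtrlScroll under both driver paths so the keyboard type does not matter;
        # the kbdhid Parameters key may not exist yet.
        foreach ($key in $KeyboardKeys) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'CrashOnCtrlScroll' -Value 1 -Type DWord
        }

        # A complete memory dump needs a paging file at least as large as physical RAM;
        # warn when the configured page files are smaller, since the dump would be lost.
        $ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
        $pageMB = (Get-CimInstance Win32_PageFileUsage | Measure-Object AllocatedBaseSize -Sum).Sum
        if (-not $pageMB -or $pageMB -lt $ramMB) {
            Write-Warning "Page file ($pageMB MB) is smaller than RAM ($ramMB MB); a complete dump may not be written."
        }
        Write-Host 'Settings applied. Reboot, reproduce the issue, then hold Right CTRL and press SCROLL LOCK twice.'
    }
    'Rollback' {
        $backup = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
        foreach ($name in 'CrashDumpEnabled', 'AutoReboot') {
            if ($null -ne $backup.$name) {
                # Restore the value that was present before Enable ran.
                Set-ItemProperty -Path $CrashControl -Name $name -Value $backup.$name -Type DWord
            } else {
                # The value did not exist before; remove it again.
                Remove-ItemProperty -Path $CrashControl -Name $name -ErrorAction SilentlyContinue
            }
        }
        foreach ($key in $KeyboardKeys) {
            Remove-ItemProperty -Path $key -Name 'CrashOnCtrlScroll' -ErrorAction SilentlyContinue
        }
        Write-Host "Registry settings restored from $BackupFile; reboot to apply."
    }
}
```

Usage: `.\Enable-CrashOnCtrlScroll.ps1 -Action Enable`, reboot, reproduce the issue and force the crash, collect and ZIP the dump, then `.\Enable-CrashOnCtrlScroll.ps1 -Action Rollback` and reboot once more. Restoring from the backup file rather than hard-coding "previous" values matters because the machine may have been on a kernel or automatic dump setting before, and leaving CrashOnCtrlScroll in place would let any local user crash the machine with a two-key sequence.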

For additional information and options, please refer to the following Microsoft article:
Generate a kernel or complete crash dump




Keywords: DLP Data Security Endpoint; Forcepoint One Endpoint; Memory Dump; Crash Dump; Application Compatibility Issue; Outlook Crash; Blue Screen of Death; Driver Issue; Antivirus; Monitoring Software; System Instability
