Troubleshoot Windows Agent

This topic helps you troubleshoot the Windows Host Shield.

Environments: Hosts

The Sysdig Windows Agent lifecycle is managed by the Host Shield supervisor service.

The Host Shield supervisor automatically restarts the Agent process when it detects unhealthy conditions. If the Agent process restarts frequently, a likely cause is a runtime crash. To troubleshoot such crashes, Microsoft Windows can generate a memory dump of the crashing process through Windows Error Reporting (WER). The general steps to enable per-program crash dumps are described in Microsoft's Collecting User-Mode Dumps documentation; the steps specific to the Sysdig Windows Agent follow below.

Windows registry configuration for collecting agent crash dumps

The following configuration enables crash dumps for the Sysdig Windows Agent with DumpType set to 2 (Full dump, that is, the complete process memory) and limits the number of retained dump files to 10; once the limit is reached, WER replaces the oldest dump in the folder. Dumps are written by the Windows Error Reporting service, so no dump is produced if WER is disabled by policy on the host. Because a full dump contains everything in the process memory, treat the dump folder as sensitive, share dumps only over a trusted channel, and remove the registry keys once troubleshooting is complete.

Command Line

Run the following commands from an elevated command prompt (local administrator).

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\sysdig-agent.exe" /v DumpFolder /t REG_EXPAND_SZ /d "%PROGRAMFILES%\Sysdig\Shield\Dumps" /f

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\sysdig-agent.exe" /v DumpType /t REG_DWORD /d 2 /f

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\sysdig-agent.exe" /v DumpCount /t REG_DWORD /d 10 /f

DumpFolder is stored as REG_EXPAND_SZ, the type Microsoft documents for this value, so the %PROGRAMFILES% reference is expanded by WER even when the command is run from a shell such as PowerShell that does not expand it on the command line. Make sure the dump folder exists and is writable by the account the Agent runs under; WER writes the dump in the context of the crashing process.

Graphical UI

  1. Launch Windows Registry Editor regedit.exe as administrator.

  2. Navigate to the following registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps.

  3. Right click LocalDumps and select New > Key and rename the new key to sysdig-agent.exe.

  4. Right click the sysdig-agent.exe key and select New > Expandable String Value (REG_EXPAND_SZ), then rename the new value to DumpFolder. A plain String Value (REG_SZ) also works, but only if you enter the already expanded path (for example C:\Program Files\Sysdig\Shield\Dumps) instead of the %PROGRAMFILES% form.

  5. Double click the DumpFolder value and set the value to %PROGRAMFILES%\Sysdig\Shield\Dumps.

  6. Right click sysdig-agent.exe key and select New > DWORD (32-bit) Value and rename the new DWORD value to DumpType.

  7. Double click the DumpType value and set the value to 2.

  8. Right click sysdig-agent.exe key and select New > DWORD (32-bit) Value and rename the new DWORD value to DumpCount.

  9. Double click the DumpCount value and set the value to 10.

Repeat the above process for secmgr.exe, the other Host Shield process, so that a crash of either process is captured.
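The whole procedure for both processes, as a single script. This is an added example written for this page, not Sysdig's own tooling: it assumes the two process names and the dump folder given above, PowerShell 5.1 or later, and an elevated session. It creates the folder up front, writes the three values with the registry types Microsoft documents for LocalDumps, and then reads each key back so that a typo in the process name or a wrong value type is caught before the next crash rather than discovered as a missing dump file.

```powershell
#Requires -RunAsAdministrator
# Added example for this page (not Sysdig or Microsoft code).
# Configures WER LocalDumps for the Host Shield processes and verifies the result.

$dumpFolder = Join-Path $env:ProgramFiles 'Sysdig\Shield\Dumps'
# Process names taken from the page; adjust here if your deployment differs.
$processes  = @('sysdig-agent.exe', 'secmgr.exe')
$baseKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'

# WER writes the dump as the crashing process, so the folder must exist and be
# writable by that account (LocalSystem for a service). Creating it now avoids a
# silent no-op at the first crash.
New-Item -ItemType Directory -Path $dumpFolder -Force | Out-Null

foreach ($proc in $processes) {
    $key = Join-Path $baseKey $proc
    New-Item -Path $key -Force | Out-Null
    # ExpandString = REG_EXPAND_SZ, the documented type for DumpFolder. The value is
    # already expanded here, so it also works for tools that read it as REG_SZ.
    New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $dumpFolder -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord -Value 2  -Force | Out-Null  # 2 = full dump
    New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord -Value 10 -Force | Out-Null  # keep at most 10
}

# Read back each key. WER ignores a misspelled process key or a mistyped value,
# so a mismatch here is the cheapest place to find out.
foreach ($proc in $processes) {
    $key = Join-Path $baseKey $proc
    $p   = Get-ItemProperty -Path $key
    $ok  = ($p.DumpType -eq 2) -and ($p.DumpCount -eq 10) -and ($p.DumpFolder -eq $dumpFolder)
    $status = if ($ok) { 'OK' } else { 'MISMATCH' }
    '{0,-18} DumpType={1} DumpCount={2} DumpFolder={3} [{4}]' -f $proc, $p.DumpType, $p.DumpCount, $p.DumpFolder, $status
}

# Dumps collected so far, newest first. File names follow <process>.exe.<pid>.dmp.
Get-ChildItem -Path $dumpFolder -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime
```

To undo the configuration after the dumps have been collected, remove the two process keys under LocalDumps (Remove-Item on each $key) and delete or secure the dump folder; full dumps should not be left on the host longer than needed.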

Dump Files

The generated dump files are named {process}.exe.{pid}.dmp, where {process} is the crashing executable and {pid} its process ID, for example sysdig-agent.exe.1234.dmp or secmgr.exe.5678.dmp. Each crash produces a new file, so several files with different PIDs in the same folder indicate repeated crashes.