
Troubleshooting the Windows Sensor

Cyberhaven can troubleshoot many issues successfully without requiring additional logs from devices. However, in the event Cyberhaven needs to collect additional information in order to troubleshoot a sensor issue such as a device that cannot communicate with the backend, it may be necessary to generate a diagnostic package that can be shared with and triaged by Cyberhaven support.

Stopping, Starting, or Uninstalling

To stop the Windows Cyberhaven sensor, run the following command with administrator rights:

net stop cyberhaven

To start the Windows Cyberhaven sensor, run the following command with administrator rights:

net start cyberhaven

To uninstall the Windows Cyberhaven sensor, run the following command with administrator rights:

msiexec.exe /X cyberhaven.msi

To uninstall the Windows Cyberhaven sensor when Uninstall Protection is enabled, run the following command with administrator rights:

msiexec.exe /X cyberhaven.msi /quiet UNINSTALL_PASSWORD="1234"

Learn more about uninstalling the sensor: Uninstall Windows Sensor.

Diagnostics

Cyberhaven provides multiple methods to generate diagnostic bundles for troubleshooting sensor issues.

Method 1: Remote Diagnostics from the Console

Available since version 25.05. This is the preferred method because it requires no direct endpoint access.

  1. Navigate to the Endpoint Sensors page in the Cyberhaven Console.
  2. Locate the target endpoint you want to troubleshoot.
  3. Click on the Actions menu for the specific endpoint.
  4. Select Diagnostics request from the dropdown menu.
  5. Choose bundle type:
    • Logs: Includes Cyberhaven-specific sensor logs.
    • Sysdiag (macOS only): Includes the full system diagnostic report (sysdiag) in addition to Cyberhaven logs.
  6. Submit the request. The Console sends a request to Cyberhaven's backend.
  7. Wait for completion - The CyberhavenAutoUpdater process on the endpoint detects this task and uploads the diagnostic bundle automatically.

What happens in the background

  • Cyberhaven creates a pending diagnostics task for the endpoint in the backend.
  • The CyberhavenAutoUpdater process periodically checks for these tasks.
  • When detected, it collects the necessary logs and uploads them automatically.
  • The request status updates to "Successfully uploaded a logs diagnostics bundle".

Method 2: Manual Local Generation (Fallback)

Use this method when the remote diagnostics feature fails or is unavailable.

  1. Go to C:\Program Files\Cyberhaven. Open the directory with the latest agent version, for example, 25.09.01.7908-f73225+.
  2. Locate cyberhaven-logs.bat, right-click on the file, and run as administrator. A console window displays a detailed description of the information being collected by the script.
  3. A new directory is created under C:\ProgramData\CyberhavenDiags\.
  4. Compress the resulting directory and provide the file to Cyberhaven when requested.
  5. You may upload data to us via a web-based form, which is accessible by logging into the Cyberhaven Console.
  6. You can safely remove the compressed file after submitting it via the portal.
  7. If cyberhaven-logs.bat fails because of the net share command it runs, you can instead download this version and use it in place of the version bundled with the Cyberhaven sensor.

What is recorded?

The diagnostics bundle is self-explanatory in what it records. It does not collect additional sensitive information beyond what is sent to the Cyberhaven dashboard during normal sensor operation.

  • Cyberhaven logs, along with locally stored policies and local dataset information. Crash dumps of Cyberhaven processes may also be included.
  • EventViewerLogs: system-wide Windows event logs, i.e., those visible through EventVwr.exe (Application, System, Security, HardwareEvent).
  • The output of the systeminfo command, the list of active sessions, the list of minifilter drivers, the list of physical disks and logical volumes, the list of network shares, the list of running services, and the list of event trace sessions (ETW).
  • AutoupdaterTaskInfo: status of the Cyberhaven task that runs our auto-updater periodically.
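As an added illustration of the system-state categories listed above, the following PowerShell collects each of them into a timestamped folder under C:\ProgramData\CyberhavenDiags and continues past any collector that fails (for example a net share error, the failure mode noted for the bundled script). This is not Cyberhaven's cyberhaven-logs.bat; the output file names, the folder name and the "*Cyberhaven*" scheduled-task filter are assumptions of this example, and Cyberhaven's own logs and the event-log export are left to the bundled script.

```powershell
# Added example, not cyberhaven-logs.bat: collect the system-state categories the
# diagnostics bundle is documented to contain. File names and folder layout are assumed.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Continue'
$outDir = Join-Path $env:ProgramData ("CyberhavenDiags\manual-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Output file name -> script block producing the text to save. One block per documented category.
$collectors = [ordered]@{
    'systeminfo.txt'       = { systeminfo.exe }
    'sessions.txt'         = { query.exe session }
    'minifilters.txt'      = { fltmc.exe filters }
    'disks-volumes.txt'    = { Get-Disk | Format-Table -AutoSize | Out-String; Get-Volume | Format-Table -AutoSize | Out-String }
    'network-shares.txt'   = { net.exe share }
    'running-services.txt' = { Get-Service | Where-Object Status -eq 'Running' | Format-Table -AutoSize | Out-String }
    'etw-sessions.txt'     = { logman.exe query -ets }
    # Task name pattern is an assumption; the page only says the auto-updater runs as a scheduled task.
    'autoupdater-task.txt' = { Get-ScheduledTask | Where-Object TaskName -like '*Cyberhaven*' | Get-ScheduledTaskInfo | Format-List | Out-String }
}

$summary = foreach ($name in $collectors.Keys) {
    $target = Join-Path $outDir $name
    try {
        # A failing collector (e.g. "net share" erroring) must not abort the rest of the bundle.
        $text = & $collectors[$name] 2>&1 | Out-String
        Set-Content -Path $target -Value $text -Encoding UTF8
        [pscustomobject]@{ File = $name; Status = 'ok'; Bytes = (Get-Item $target).Length }
    } catch {
        Set-Content -Path $target -Value "collector failed: $($_.Exception.Message)"
        [pscustomobject]@{ File = $name; Status = 'failed'; Bytes = 0 }
    }
}

$summary | Format-Table -AutoSize
Write-Output "Bundle written to $outDir; review the files before compressing and sharing them."
```

The per-file summary lets you confirm which categories were captured, and the plain-text outputs can be inspected before the folder is compressed and uploaded.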

Sensor Logs

Cyberhaven log files for Windows are located in the following directory:

%PROGRAMDATA%\Cyberhaven

Performance Debugging

Cyberhaven offers tools to debug performance issues on Windows endpoints. The tool is meant to be run by Cyberhaven end users directly while reproducing the performance issue: start the tool, reproduce the performance problem, and then submit the trace file to Cyberhaven for analysis.

There are two options available:

  1. Using Microsoft-provided tools. Use this option if you do not want to use the executables packaged by Cyberhaven and you can install software on the machine.
  2. Using the Cyberhaven trace bundle (script plus executables in an archive), which requires no installation. This is the recommended option.

Using Windows SDK

  1. Install Windows SDK (the only option required is Windows Performance Toolkit).
  2. Run Windows Performance Recorder with only the CPU usage option selected.
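The same CPU-only capture can be scripted with wpr.exe, which the Windows Performance Toolkit installs alongside the Windows Performance Recorder GUI; the following PowerShell is an added example, not Cyberhaven's trace.bat, and the C:\ProgramData\CyberhavenDiags\perf output folder is an assumption of this example.

```powershell
# Added example (not Cyberhaven's trace.bat): record a CPU-only WPR profile with the
# Windows Performance Toolkit from the Windows SDK, then zip trace.etl for upload.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$traceDir  = Join-Path $env:ProgramData 'CyberhavenDiags\perf'   # assumed output folder
$tracePath = Join-Path $traceDir 'trace.etl'
New-Item -ItemType Directory -Path $traceDir -Force | Out-Null

# wpr.exe ships with the Windows Performance Toolkit; fail early if it is missing.
if (-not (Get-Command wpr.exe -ErrorAction SilentlyContinue)) {
    throw 'wpr.exe not found: install the Windows Performance Toolkit feature of the Windows SDK.'
}

# Start only the built-in CPU profile. -filemode writes to disk instead of a memory
# ring buffer, so the whole reproduction window is kept rather than just the tail.
wpr.exe -start CPU -filemode
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }

Read-Host 'Recording. Reproduce the performance problem now, then press Enter to stop'

wpr.exe -stop $tracePath
if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed with exit code $LASTEXITCODE" }

# Zip the trace and report sizes; the page notes trace.etl is at most 1 GB and
# typically compresses to roughly 150 MB.
$zipPath = "$tracePath.zip"
Compress-Archive -Path $tracePath -DestinationPath $zipPath -Force
$etlMB = [math]::Round((Get-Item $tracePath).Length / 1MB, 1)
$zipMB = [math]::Round((Get-Item $zipPath).Length / 1MB, 1)
Write-Output "trace.etl: $etlMB MB, zipped: $zipMB MB -> $zipPath"
```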

Using Cyberhaven Trace bundle

  1. Download and unzip the Cyberhaven Traces archive.
  2. Open the extracted Cyberhaven Traces folder.
  3. Run trace.bat file as Administrator.
  4. Follow the instructions from the console.
  5. Zip the trace.etl file created in the Cyberhaven Traces folder.
  6. Upload the zipped trace file. trace.etl is at most 1 GB and typically compresses to a ~150 MB archive. The upload form is accessible by logging into the Cyberhaven Console.

Information collected during performance profiling

There should not be sensitive information in the profiling trace. The performance tracing script is self-explanatory in terms of what it collects: a kernel profile, consisting mostly of kernel and application stack traces and timing information. Memory dumps are not collected.

Handle installer rollback issues

The following PowerShell script can perform an uninstall in case msiexec gets into a state where rollback does not work and Cyberhaven cannot be uninstalled or auto-upgraded. You may be instructed to use this script by the Cyberhaven support team in the rare case in which msiexec runs into installer rollback issues.

Write-Output "Disabling rollback"
$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\Installer"

New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name DisableRollback -Value 1 -PropertyType DWORD -Force | Out-Null

try {
    Write-Output "Looking up Cyberhaven product GUID"
    $obj = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq "Cyberhaven Windows Sensor" }
    if (-not $obj) {
        # Without this check msiexec would be launched with an empty product code.
        throw "Cyberhaven Windows Sensor is not registered with Windows Installer; nothing to uninstall."
    }
    Write-Output "Product GUID: $($obj.IdentifyingNumber)"

    Write-Output "Uninstalling Cyberhaven"
    Start-Process msiexec.exe -Wait -ArgumentList "/quiet /x $($obj.IdentifyingNumber)"
}
finally {
    # Always restore the policy so installer rollback is not left disabled machine-wide.
    Write-Output "Reverting rollback settings"
    Remove-ItemProperty -Path $registryPath -Name DisableRollback
}