Minimum data collection to troubleshoot Application and Change Control

Technical Articles ID: KB90755
Last Modified: 2023-09-15 12:56:00 Etc/GMT

Environment

Application and Change Control (ACC) 8.x
Minimum Escalation Requirements (MER)

Summary

This article provides basic information about the Minimum Data Collection steps for troubleshooting common ACC issues. You must collect all logs from the same system that experiences the issue, and collect all logs at the same time. Logging data time stamps are used to troubleshoot the problem.

IMPORTANT: Mismatched logs from different systems or logs collected at different times can't be used for troubleshooting. If the logs are mismatched, you might need to recollect all Minimum Data Collection logs.

NOTE: Make sure that you answer the questions in the "Questions for Troubleshooting" section below. This information determines where to begin your troubleshooting.

Tools

Procmon monitors and displays all file system activity on a Microsoft Windows operating system in real time. It's used in system administration, computer forensics, and application debugging.
Procdump is a command-line utility used to monitor an application for CPU spikes. It generates crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
Perfmon is a tool that administrators can use to examine how programs, running on their computers, affect the computer's performance. The tool is used in real time to analyze how system performance is affected by running programs. You can also use this tool to collect log file information for system performance data analysis later.
MER collects event logs, file version details, files, process details, and registry details from our products installed on your computer. Data collected is analyzed and used by Technical Support to resolve problems.
GFlags allows you to enable and disable advanced internal system diagnostic and troubleshooting features. You can run GFlags from a Command Prompt window or use its graphical user interface dialog box. It's most often used to turn on indicators that other tools track, count, and log.
WinDbg is a debugger for the Microsoft Windows operating system, distributed by Microsoft. It can be used to debug user mode applications, device drivers, and the operating system itself in kernel mode. It has a graphical user interface and is more powerful than Visual Studio Debugger.
PoolMon displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools, and memory pools used for Terminal Services sessions. The data is grouped by pool allocation tag. Microsoft Technical Support uses that information to find kernel mode memory leaks.
VMware converter is a free utility from VMware that helps convert Windows and Linux-based physical systems to VMware virtual machines. You can also use it to convert third-party image formats such as backup images and other virtual machines to VMware virtual machines. Use this tool to create virtual machines to provide to Technical Support for troubleshooting.

Questions for Troubleshooting

When creating a Service Request, make sure that you answer the following questions:

What's the operating system?
What's the Solidcore version?
If any other Trellix software is installed?
What's the system used for (file server, workstation, domain controller)?
What's the issue?
What troubleshooting has been done?

Questions for client-related issues:

Does the behavior change in any other mode (update, enabled, observe, disabled)?
Does the behavior change with MP disabled?
Does the behavior change with Execution control disabled?

Questions for extension-related issues:

What's the version of ePO?
What's the Current Solidcore Extension version?
If extension is upgraded, what's the upgrade path of the extension?
What's the error message on the screen vs. the Orion log?
Provide any screenshots showing the issue.

Solidcore Extension Backup Checklist

Before you reinstall, you must back up the following before you remove the extension. See KB74420 - Client tasks rerun after checking in an extension or product package that updates existing versions.

Full SQL Backup and Disaster Recovery: Use the Knowledge Base to search for "backup/recovery for ePO" if you have a cluster or "AWS" because there's a separate KB article for each.
Solidcore Rules
Solidcore Policy
Solidcore Policy Assignments
Solidcore Client Tasks
Solidcore Client Task Assignments
Custom Solidcore Dashboards
Custom Solidcore Queries
Custom Solidcore Automatic Responses
Custom Solidcore Permission sets
Screenshot of any custom Solidcore Settings
Export table for Certificates (we're unable to export the Certificates; you must have them again)
Export table for Installer hashes (you must reinsert the hashes and the certs into the installers)
Server tasks

For answers to questions on backing up tasks and policies, see the ePO 5.10 Product Guide.

Client Troubleshooting

Perform the steps in this section if the symptoms are related to ACC Installation or Product Functionality issues (for example, ACC not switching from Disable mode):

Verify that all required root certificates are installed. For details, see the related articles below:

KB92937 - Secondary root certificate for TLS might need to be updated
KB91697 - How to update your root certificate authorities for McAfee product installation and upgrade success
KB87096 - Product install or upgrade issues due to missing root certificates
KB96360 - Unable to upgrade Application Control 8.3.x or other Trellix products that are ACC-enabled

Perform the steps in this section if the symptoms are Slow Boot, Startup, or Logon.

Download Procmon.
Run Procmon with boot logging.
Reproduce the issue.
Collect the MER, Gatherinfo, and Procmon files (*.PML).

Perform the steps in this section if the symptoms are Slow Application Startup, or Performance.

Download Procmon.
Run Procmon as Administrator.
Reproduce the issue.
Collect the MER, Gatherinfo, and Procmon files (*.PML).
Collect the following for the application:
- Process name of application being started
- Version of application
- Whether the application is homegrown or made by another company
- Copy of the application or a link to where to get a trial version

Perform the steps in this section if the symptom is Slow System Performance.

Take a screenshot of the Task Manager showing High resource use with process names.
Note how often the slow performance happens (every 5 minutes, 60 minutes, overall).
Collect Windows Performance Monitor over time of slowness (5 minutes unless longer is needed).
Collect the MER, Gatherinfo, and Windows Perfmon files.

Perform the steps in this section if the symptoms are Application hang, deadlock, or crash.

NOTE: If SCSRVC is crashing, you need to disable Execution control on the system before you attach the debugger. Then, enable it back after procdump is waiting on crash.

To disable execution control, run "sadmin features disable execution-control"
To enable execution control, run "sadmin features enable execution-control"

Download ProcDump.
Extract ProcDump to the Desktop.
Open an administrative command prompt, and change the directory to C:\Users\username\Desktop\Procdump
Run the following command: procdump -ma <process name/process ID>
Collect the dump file created. It's located in the Procdump folder.
Collect the MER and Gatherinfo files.

Data collection steps for an application crash:

Download ProcDump.
Extract ProcDump to the Desktop.
Open an administrative command prompt, and change the directory to C:\Users\username\Desktop\Procdump
Run the following command: procdump -ma -e <process name/process ID>

NOTE: The -e switch instructs Procdump to generate a dump the next time the process crashes.
Wait for the process to crash again.
Collect the created dump file, which is located in the Procdump folder.
Collect the MER and Gatherinfo files.

Perform the steps in this section if the symptoms are System hang, deadlock, or Bug Check (blue screen).

Configure the system to create a complete memory.dmp. For details, see KB56023 - How to create a memory dump for analysis by Technical Support.
Configure the system to allow for a keyboard crash. See the Forcing a System Crash from the Keyboard Microsoft article.
Create the dump file when the issue occurs. Generally, the longer you can wait before generating the dump file, the easier it is to identify the hang condition in the dump.
Collect the MER and Gatherinfo files.
Collect FLTMC.

Data collection steps for a system Bug Check:

Configure the system to create a complete memory.dmp. For details, see KB56023 - How to create a memory dump for analysis by Technical Support.
Collect the full dump file when the system Bug Check (blue screen) occurs (the dump file is in c:\windows).
Collect the MER and Gatherinfo files.
Collect FLTMC.

Perform the steps in this section if the symptom is a Memory Leak.

Data Collection for a Memory Leak using PoolMon (Windows 7 and earlier):

On Windows 2000 and Windows XP, you must first use GFlags to enable pool tagging. On later versions of Windows, pool tagging is always enabled. GFlags is included in Debugging Tools for Windows. Start GFlags, click the System Registry tab, click Enable Pool Tagging, and then click Apply. You must restart Windows for this setting to take effect. For details, see the GFlags Microsoft article.

Start PoolMon.
Choose the kind of pool to include:

If you've determined that the leak is occurring in a non-paged pool, press P once.
If you've determined that the leak is occurring in a paged pool, press P twice.
If you don't know, don't press P and both kinds of pool are included.

To sort the display by maximum byte use, press B and start your test.
Take a screenshot and copy it to Notepad. Take a new screenshot every half hour. By comparing screenshots, you can determine which tags bytes are increasing.

Data Collection for a Memory Leak using PowerShell script (Win 8 and later):

Download the attached Gatherinfo.ps1 (attached at bottom also "WindowsMemoryUsageMonitoring.zip").
Edit this section of the gatherinfo.ps1 to suit your needs:

#TODO: To use this script, modify the values below
#Right now the script is set to run every 15 minutes, and must continue running for 60 hours
#GatherData -SleepDurationInSeconds 15 -HoursToRun 60

Run the script on the client and collect the .csv from the script.
Parse the data into a graph (see the attached file "WindowsMemoryUsageMonitoring.zip").
1. To do this, place "plotgraph.exe" in a folder with the .csv collected from the gatherininfo.ps1 script.
2. Open the command line as administrator and run the following command "plotGraph.exe -nnsc 0 -nsc 0 -mcsc 5 -mcnsc 5"
When completed, it opens a graph showing the memory use.
Open a JIRA with the .csv files and matching MER from the client with the issue.

Extension Troubleshooting

Perform the steps in this section if the symptoms are Slow ePO Performance, Hang or not responsive.

Enable Orion Debug.
Enable Java Heap Dump.
Collect the MER and Java Heap Dump files.

Perform the steps in this section if you're experiencing issues with Solidcore Extension installation or upgrade.

Enable Debug Orion.
Reproduce the issue (upgrade or install).
Collect an ePO MER.

Perform the steps in this section if you're experiencing issues with Policy Discovery.

Enable Solidcore Extension Debug.
Reproduce the issue.
Gather screenshots of the events and issue.
Collect an ePO MER.

Perform the steps in this section if you're experiencing issues with Dashboard/System Tree Reporting.

Enable Solidcore Extension Debug.
Gather a screenshot of the issue with Reproduction steps.
Export of Dashboard (typically a query).
Collect an ePO MER.

Perform the steps in this section if you're experiencing issues with Inventory not present.

Make sure ePO server services are running.
Make sure that the client is solidified.
Check Inventory Fetch Time (Last and Next).
If Inventory time is greater than seven days, rerun the Pull task.
If Inventory time is less than seven days, run the Inventory time reset task. To reset the Last time inventory sync on the client, run the following commands:

sadmin config set InvDiffLastAccessTime=default
sadmin config set PullInvLastAccessTime=default

NOTE: A seven-day interval is the default value. Verify whether you've modified the Pull Complete Inventory Interval value in the App Ctrl Options policy. Adjust the timing accordingly. Rerun the Inventory Pull task if it fails.

Pull inventory manually by running sadmin ls -rax > FILENAME.xml.
Dump filename.xml into the ePO eventparser directory.
Check eventparser.log for errors.

If rerunning the Inventory pull task, collect the following:

FILENAME.XML
MER and Gatherinfo from affected client
MER with ePO Server and Orion debug logging

Perform the steps in this section if you're experiencing issues with Migrations tasks failing or hanging.

Enable Orion Debug logging.
Rerun the Migration task.

If rerunning the Migration task fails:

Collect an ePO MER.
Gather screenshots of the server task log showing failures and errors.
Run the following queries:

SELECT [Id], [Name], [StartDate], [EndDate], [UserName], [ParentId], [Status]
FROM [OrionSchedulerTaskLogMT];

SELECT a.id, a.name taskName, a.status
FROM [OrionSchedulerTaskLogMT] a
where a.NAME='Solidcore: Migration task'

SELECT a.id, a.name taskName, b.message logmessage, a.status
FROM [OrionSchedulerTaskLogMT] a
INNER JOIN [OrionSchedulerTaskLogDetailMT] b
ON a.id = b.tasklogid
and a.NAME='Solidcore: Migration task'
Check the output of the previous step and set to 1 if not migrating (1=failed).

update [OrionSchedulerTaskLogMT]
set status=1
where ID in (658316,658316,64031,664031,664031,664031,664031,664216,664216,664216,664216,664216,665122,665122,665122,666961,666961,666961)

NOTE: Numbers in () are from the script output above. These numbers vary.

Perform the steps in this section if you're experiencing issues with Solidcore events not processing.

Enable ePO Server (for eventparser*.log) and Orion debug logging.
Enable McAfee Agent (MA) debug logging (log level 8).
Create some events on the client.
Verify that events are created in the AgentEvents folder (c:\program data\mcafee\agent\agentevents).
Copy the events from the client.
Sync MA and send the events to ePO.
Verify that the events go to the event parser folder (<ePO install dir>\DB\Events).
Collect a MER and Gatherinfo from the Client and a MER from the ePO server.

NOTE: For step 7, the Event Parser might have to be stopped to catch the events. Make sure that they're caught before hitting the debug folder.

Perform the steps in this section if you're experiencing GTI issues.

Enable Orion debug logging.
Log on to the ePO console.
Check ePO Registered Servers:
Menu, Registered Servers, McAfee GTI Server, Actions, Edit
Test the connection; make sure it says successful.

If the connection test fails:

Collect an ePO MER.
Collect the output of settings for GTI using SQL.

Perform the steps in this section if you're experiencing issues with GTI server tasks hanging. Review Solidcore GTI running tasks:

select * from OrionTaskQueueMT where state = 3 and TaskDescription like '%scor.cloud.servertask.CloudFeedbackCompositeTask%'

Kill hung server task:

update OrionTaskQueueMT set state = 0 where state = 3 and TaskDescription like '%scor.cloud.servertask.CloudFeedbackCompositeTask%'

The task might rerun, but it doesn't hang again.

NOTE: Verify the SELECT statement first before running the UPDATE SQL script to make sure it's correct.

How To's

Data collection steps ACC log collection - gatherinfo:

Open an Administrator Command Prompt.
Recover the local CLI by executing sadmin recover. A password is needed to unlock the local CLI.
Execute gatherinfo.bat (Windows) or gatherinfo.sh (UNIX).
After gatherinfo is completed, a file named gatherinfo.zip (Windows) or gatherinfo-<Hostname>-<Date>.tar.gz is created in the current directory.

Data collection steps ACC log collection - MER:

NOTE: MER also collects the Solidcore Gatherinfo when you select all products or you select MA and ACC together.

On the client, download the MER client.
Run MER.exe on the client.
Select All applications or manually select ACC.
When finished, upload the .tgz file to the case or allow the tool to upload itself.

To deploy and collect a MER with ePO, see KB69308 - How to deploy the Minimum Escalation Requirement (MER) tool with ePolicy Orchestrator (ePO-MER).

Emergency Recovery via Registry if the issue is a crash and you can't boot normally:

Boot the system into safe mode.
Start Registry Editor (Start, Run, regedit).
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin\parameters
Edit key RTEModeOnReboot = 2 or 0
Reboot:

RTEMODE and RTEModeOnReboot:

0 = Disabled

1 = Enabled

2 = Update

3 = Observe

Application / Change Control Loglevel:

Increase the Application Control log level component:

sadmin recover (a password is needed to unlock CLI)
sadmin loglevel enable MAHDLR ALL
sadmin lockdown to restrict CLI access

Reset the Application Control log level component to default:

sadmin recover (a password is needed to unlock CLI)
sadmin loglevel disable MAHDLR ALL
sadmin loglevel enable MAHDLR ERROR WARNING SYSTEM
sadmin lockdown to restrict CLI access

Most common loglevel components used:

Pst = memory protection
Mapl = Solidcore plug-in
IPC = McAfee agent communication
RuleEngine = Execution Control

Application / Change Control Log Size:

Increase the Application Control Log size and number of files:

sadmin recover (a password is needed to unlock CLI)
sadmin config set LogfileNum=n* - (where n* is the number of files in decimal)
sadmin config set LogfileSize=nnnn*** - (where nnnn** is the size of the file in kilobytes (KB))
sadmin lockdown to restrict

Reset the Application Control Log size and number of files:

sadmin recover (a password is needed to unlock CLI)
sadmin config set LogfileNum=4
sadmin config set LogfileSize=2048
sadmin lockdown to restrict

How to clear the CLI password enforced by ePO:

Boot the system into safe mode.
Browse to C:\program files\mcafee\solidcore
Delete the file Passwd
Reboot into normal mode.
Recover CLI: sadmin recover

How to clear inventory time stamp:

On ePO:

Create SC: Run command with the following commands
- config set InvDiffLastAccessTime=default
- config set PullInvLastAccessTime=default
Send the task to the client.

On Client:

Open an Administrator Command Prompt.
Recover the local CLI by executing sadmin recover. A password is needed to unlock the local CLI.
Run the following commands:
- sadmin config set InvDiffLastAccessTime=default
- sadmin config set PullInvLastAccessTime=default

How to count rules:

Run the two commands below to display the total number of <auth> rules:

sadmin auth -l > auth.txt
findstr /R /N "^" auth.txt

How to determine if the Client is connected to the GTI / TIE server:

Open an Administrator Command Prompt.
Recover the local CLI by executing sadmin recover. A password is needed to unlock the local CLI.
Run the following command:
- sadmin usm get all
Check Output.

How to troubleshoot install issues (before version 8.2):

Collect the Install log from the client (C:\windows\solidcore_install.log).
Open the logs in a text editor.
Search for "Return Value 3."
Look for the error.

How to collect the FLTMC output:

Open an administrative command prompt.
Type "fltmc."
Collect the output from the fltmc command.

How to collect Procmon with boot logging:

Download Process Monitor from Microsoft.
Extract the file ProcessMonitor.zip to your Desktop.
To start logging, right-click Procmon.exe and choose Run as Administrator to run the tool.
Select Options, Enable Boot Logging.
Click OK.
Restart the computer.
When Windows has finished loading, double-click Procmon.exe.

How to Export Rule groups from ePO:

Log on to the ePO Console.
Select Menu, Configuration, Solidcore Rules.
Click the Rule Groups tab.
Select the option User created Rules. These rules are the ones with Edit next to them.
Click Export.
Save the XML on the local computer.

How to Import Rule groups into ePO:

Take the XML exported for backup and place it on the computer where you access ePO.
Log on to the ePO console.
Select Menu, Configuration, Solidcore Rules.
Click the Rule Groups tab.
Click Import.
Select File.
Click OK.

How to Export Policy:

Log on to the ePO console.
Select Menu, Policy, Policy Catalog.
Under Product, select Application Control.

NOTE: You must select this value for "Integrity Monitoring," "Change Control," and "General."
Under Category, select All.
On Product Properties, click Export.
Right-click Link.
Chose Save As to save the XML.

How to Import Policy:

Place the backed-up XML of the server tasks on the computer where you access ePO.
Log on to the ePO console.
Select Menu, Policy, Policy Catalog.
On Product Properties, click Import.

NOTE: You have to click this option for "Application Control" "Integrity monitoring," "Change Control," and "General."
Choose the file.
Click OK.

How to enable a Java Heap dump:

Click Start, Run, type regedit, and click OK.
Navigate to and expand the following registry key:

32-bit servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRV200\Parameters\Java]

64-bit servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\MCAFEETOMCATSRV200\Parameters\Java]

Select the Java subkey.
In the right pane, double-click the Options value and append the value data below to the bottom:

-XX:+HeapDumpOnOutOfMemoryError

Click Start, Run, type services.msc, and click OK.
Restart the ePO Application Server service.
If the error occurs again, run the Minimum Escalation Requirements (MER) tool for ePO. Make sure that the Java Heap dump is included in the MER results. For more information about collecting ePO MERs, see KB72895 - How to collect a Minimum Escalation Requirements log for ePolicy Orchestrator and McAfee Agent.

NOTE: By default, the Heap dump is created in the root of the ePO installation directory. The file is called java_<pid>.hprof, where the <pid> is the Process ID for the currently running tomcat5.exe process. In 64-bit operating systems, the *.hprof dump file might be written to the C:\Windows\SysWOW64\ folder instead of the root of the ePO installation directory. It can also be located in the server\bin folder within the ePO installation directory.

How to enable Solidcore Extension Debug Logging:

The ePO Application Server (Tomcat) log file sends information to the common orion.log file. By default, the log is located in C:\Program Files\McAfee\ePolicy Orchestrator\Server\Logs. You can configure the file output debug level in the log configuration file. This file is located in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion\log-config.xml.

Navigate to the C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion directory.
Open log-config.xml with a text editor.
Scroll to the end of file.
Append the section below to the end of the file before the </log4j:configuration> ending tag.

</logger>

Save the log-config.xml file.

For details, see KB52369 - How to enable Orion debug logging in Orion.log.

How to submit a request for an unsupported kernel:

Information needed:

Kernel
Operating system
X86/64
Kernel date release
Number of systems affected

Process:

Gather the information needed.
Open a Service Request in Insights with the following:
- Title: Kernel Request - <OS> - <KERNEL>
- Description: Put in the information request fields
Submit a JIRA request with the same information:
- Product: Solidcore Agent
- Version: 6.3.x
- Component: General
- Found build: 6.3.0 (enter the latest build available; for the latest build, see KB87944 - Supported platforms for Application and Change Control)
- Bug Type: Product
- Actual origin: Post Release
- Expected Origin: Post release
- Hardware: <Fill out your hardware> *if unsure, set to “ALL”
- Operating system: <Fill out the OS> * if the operating system is not present on the list, select “Linux”
- Steps to repro: N/A
- Actual Results: N/A
- Expected Results: N/A
- Summary: Linux/UNIX - Kernel Request - <OS> - <KERNEL>
- Description: Put in the information request fields

How to collect a crash dump on Linux / UNIX

Commands to find the system calls and signals invoked by a process:

AIX	truss -afp process_name
Linux	strace -fp process_name
Solaris	truss -afmp process_name

Logs are maintained at the following locations:

AIX	/var/adm/messages
Linux	/var/log/messages
Solaris	/var/adm/messages

To manually generate a crash dump:

NOTE: Commands are followed by the paths where the crash dump is generated.

AIX	Press Yellow Path: /var/adm/ras
Linux	Press ALT+SYS RQ+C Path: /var/crash
Solaris	At boot time, press STOP+A and then type sync Path: /var/crash/<machine-name>/

To manually generate the core of a service:

NOTE: For all platforms, in the output of ulimit -a, set the value of the core file size to be unlimited by issuing the command ulimit -c unlimited.

AIX	For files named core.PID or core, a file is generated in / or /cwd.
Linux	For files named core.PID or core, a file is generated in / or /cwd.
Solaris	For files named core.PID or core, a file is generated in / or /cwd.

SQL Queries

Query 1 to check if Data channel is processing:

SELECT COUNT(ID) AS ROWS, DATA_TYPE

FROM SCOR_DATA_CHANNEL
GROUP BY DATA_TYPE
ORDER BY 1 DESC

Query 2 to check if Data Channel is processing:

SELECT COUNT(ID) AS ROWS, DATA_TYPE
FROM SCOR_STAGING_DATA_CHANNEL
GROUP BY DATA_TYPE
ORDER BY 1 DESC

Settings for GTI:

SELECT * FROM [dbo].[SCOR_CONFIG] WHERE CONTEXT='cloudIntegration' OR CONTEXT='gtiIntegration' ORDER BY CONTEXT
SELECT * FROM [dbo].[OrionRegisteredServers]

Policy Size:

select
pt.FeatureTextID,
pt.CategoryTextID,
pt.TypeTextID,
po.Name,
po.PolicyObjectID,
SUM(DATALENGTH(PSV.SettingValue)) DataSize
from EPOPolicySettingValues PSV
inner join epopolicyobjecttosettings pots
on psv.PolicySettingsID = pots.PolicySettingsID
inner join epopolicyobjects po
on pots.policyobjectid = po.policyobjectid
inner join epopolicytypes pt
on po.typeid = pt.typeid
group by pt.FeatureTextID, pt.CategoryTextID, pt.TypeTextID, po.Name, po.PolicyObjectID
having SUM(DATALENGTH(PSV.SettingValue)) > 10240
order by DataSize DESC;

Find policy number:

select * from EPOPolicyTypes pt
inner join EPOPolicyObjects po on po.typeid = pt.typeid
where pt.TypeTextID = 'AWL Rules (Windows)' and po.name like 'McAfee Default'

List Policy objects via SQL (must get policy number first):

select po.PolicyObjectID, po.Name, po.TypeID,
pt.TypeTextID, pt.CategoryTextID, pt.FeatureTextID,
ps.PolicySettingsID , ps.Name, ps.ParamInt, ps.ParamStr,
psv.PolicySettingValuesID, psv.SectionName, psv.SettingName, psv.SettingValue
from EPOPolicyObjects po
left join EPOPolicyTypes pt on po.TypeID = pt.TypeID
left join EPOPolicyObjectToSettings po2s on po.PolicyObjectID = po2s.PolicyObjectID
left join EPOPolicySettings ps on ps.PolicySettingsID = po2s.PolicySettingsID
left join EPOPolicySettingValues psv on psv.PolicySettingsID = ps.PolicySettingsID
where po.PolicyObjectID = 389

List Rule groups via SQL:

select Distinct po.PolicyObjectID, po.Name, po.TypeID,
pt.TypeTextID, pt.CategoryTextID, pt.FeatureTextID,
ps.PolicySettingsID , ps.Name, ps.ParamInt, ps.ParamStr,
psv.PolicySettingValuesID, psv.SectionName, psv.SettingName, psv.SettingValue
from EPOPolicyObjects po
left join EPOPolicyTypes pt on po.TypeID = pt.TypeID
left join EPOPolicyObjectToSettings po2s on po.PolicyObjectID = po2s.PolicyObjectID
left join EPOPolicySettings ps on ps.PolicySettingsID = po2s.PolicySettingsID
left join EPOPolicySettingValues psv on psv.PolicySettingsID = ps.PolicySettingsID
where pt.FeatureTextID ='SCOR_AWL' and SettingName = 'Group_name' and ps.Name not like '%Settings%'

Attachment 1

perfmon_template_scmem.zip
1K • < 1 minute @ broadband

Attachment 2

WindowsMemoryUsageMonitoring.zip
40.6MB • 5 minute(s) @ broadband

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center