Taegis Endpoint Agent for Windows Troubleshooting
integrations endpoints edr taegis agent secureworks
This document provides guidance on initial agent troubleshooting steps you can take and information you can gather prior to reaching out to Secureworks support for assistance with agent issues.
Tip
Additional Taegis Endpoint Agent troubleshooting, tutorial, and informational articles are available in the Secureworks Knowledge Base.
Support Kit ⫘
The Windows Support Kit tool comes packaged with the agent MSI download to help with troubleshooting. Run the TaegisAgentSupportKit.x64 tool located at %Program Files%\SecureWorks\Taegis Agent with any of the following arguments after installation:
Note
For Windows Taegis Endpoint Agents version 1.0.40 and later, arguments are case insensitive and the - is optional.
| Support Kit Argument | Description |
|---|---|
-agent |
Shows Tenant ID and Host ID values after connection is established |
-antivirus |
Shows Name, State, Status, Path, and Timestamp values for the local antivirus product |
-connection |
Shows Connection and Isolation status |
-cpu* |
Shows Running Processes and Processors status |
-fingerprint |
Shows BIOS Serial, Device UUID, First Disk Serial, System Volume Serial, and Machine GUID* regardless of connection status |
-logfile |
Shows the 15 most recent Taegis records in both the Application and System logs for each of the following record types: Error, Warning, and Information |
-server |
Shows Registration URL |
-service |
Shows Service Name, Display Name, Service PID, and Service State for the Taegis Service |
-stats |
Shows all results from the preceding arguments except for -logfile and -cpu* |
-all |
Shows all results from the preceding arguments |
-help |
Shows the tool's usage menu |
-usage |
Shows the tool's usage menu |
<no argument> |
Shows the tool's usage menu |
<several arguments> |
Alerts the user that they can only have one argument; shows the tool's usage menu |
<invalid argument> |
Alerts the user that the argument they entered is invalid; shows the tool's usage menu |
Arguments and output marked with * are available for Windows Taegis Endpoint Agents version 1.0.40 and later.
Example:
The following will show connection and isolation status:
C:\Program Files\Secureworks\Taegis Agent> TaegisAgentSupportKit.x64 -connection
Connectivity Issues ⫘
- Verify the agent's Connection Status from the Endpoint Agents Summary table of Endpoint Agents in XDR.
- Ensure connectivity requirements are met by allowing communication to the domains through any firewalls.
- Incorrect registration details may have been presented. Check the registration key and server for any unintended white spaces.
- Is this a cloned device from a prior registered endpoint? If so, it may be considered duplicate and is being rejected. We recommend you uninstall and reinstall the agent with the correct registration details.
Installation ⫘
- Verify you have entered the correct registration key/server. Install will fail if registration validation fails.
- If using cmdline, ensure to run the install as an admin.
- Verify network connection is available and communication to
*.taegiscloud.comis allowed.
Auto Upgrade Failures ⫘
- Ensure connectivity requirements are met by allowing communication to the domains through any firewalls.
- Allow
taegis-agent-prod-builds.s3.us-east-2.amazonaws.comthrough firewalls. - Share the logs found under:
%ProgramData%\SecureWorks\TaegisAgentwith support, includingTaegisUser.logandAgentUpgrade.log.
Performance Issues ⫘
In order to troubleshoot performance issues like CPU, memory spike, blue screen of death (BSoD), and application crashing, provide Secureworks support the following information and logs. If the log files are too large, ask Secureworks for a file share link to upload the logs.
Provide the following Information ⫘
- The hostname of the machine
- The version the agent is running
- Amount of memory on box
- Number of CPU cores
- Pagefile size (as an admin, find in the Virtual memory section of the Advanced tab of Performance Options in Advanced system settings)
- List of services that are currently started:
net start - The
TaegisUser.logfile located at%ProgramData%\SecureWorks\TaegisAgent -
Task Manager screenshot of the Details tab, sorted by CPU, to determine what is consuming the most amount of memory. Include the following columns if not already present by right-clicking a column header and choosing Select Columns: CPU Time, Working set (memory), and Commit size.
Windows Task Manager
Service Not Starting ⫘
Check logs from Event Viewer; get TaegisUser.log from %ProgramData%\SecureWorks\TaegisAgent.
Uninstall ⫘
- Uninstalling as an admin typically does not present any issues. If issues involving the driver not stopping that prevent a successful uninstall occur, reboot the system.
- We recommend you uninstall the agent via XDR. See Uninstall via XDR.
- Provide uninstall logs.