The commands listed in the following table are supported by Live Response.

Live Response supports the keyboard paste option. Use ctrl+v or cmd+v to paste into the terminal.

Command Description
cd [dir] Change the current working directory. Options include absolute, relative, drive-specific, and network share paths.
clear Clear the console screen; you can also use the cls command for this purpose.
delete [path] Delete the file specified in the path argument. The file is permanently deleted; it is not sent to the Recycle Bin.
detach Detach from the current Live Response session. If a session has no attachments, it remains live until it times out (five minutes by default). The same action is performed by the End my session button.
detach -q Terminate the current Live Response session. If a session has other users attached, these users will also be detached from the session.
dir Return a list of files in the current directory.
drives List the drives on the remote endpoint. This is for Windows only.
exec [processpath] Execute a background process specified in the processpath argument on the current remote endpoint. By default, process execution returns immediately and output is to stdout and stderr.
  • Options can be combined:
    • exec -o outputfile processpath: Redirect the process output to the specified remote file, which you can download.
    • exec -w processpath: Wait for the process to exit before returning.
  • You can combine the options as shown in the following example to execute and capture the output from a script:
    • exec -o c:\output.txt -w
    • c:\scripts\some_script.cmd
  • You must provide the full path to the process for the processpath argument.
    • c:\windows\system32\notepad.exe
execfg Execute a process on the current remote endpoint and return stdout/stderr.
  • execfg -o: Write temporary command output to remote file. Launch a process on the remote endpoint, wait for it to complete and return stdout/stderr. Use the -o to write stdout and stderr content to a specific file before returning it to the Live Response session.
get [path] Obtain the file that is specified in the path argument from the remote endpoint and download it to the local endpoint.
help Show the Live Response session commands with a brief description of each. If a command name is added, show the description of the specified command, with additional details (such as options) if available.
  • For example:help dir
kill Terminate the specified process. For example:
  • kill [process_pid]
  • kill [pid]
Note: You can use the ps command to get a list of the pid numbers that you can use with this command.
memdump [filepath] Take a kernel memory dump and store it to the given file path, which must include a file name. Starting with Windows sensor version 3.5.0.1523, memdump will generate a kernel memory dump (and user space, if kernel debugging is enabled). For information on enabling kernel debugging, see Microsoft's documentation.

Memory dumps can take several minutes, and an (*) icon in the Live Response window indicates that it is still in progress. This is for Windows only.

mkdir Make a directory on the remote endpoint.
ps or tasklist Obtain a list of processes from the remote endpoint. Analysis information for a newly discovered process might not yet be fully committed to the Carbon Black Cloud database and therefore not viewable.
put [remotepath] Put a file from the local endpoint onto the remote endpoint at the specified path. You specify the file in the Open dialog of the browser, after the command is entered in Live Response.
pwd Print the current working directory.
reg View or modify Windows registry settings (Windows endpoints only). The syntax of this command is:
  • reg [action] [key] [options]