Sysinternals Blog

Sysmon v15.0, Autoruns v14.1, and Process Monitor v3.95

Alex_Mihaiuc (Microsoft)
Jun 27, 2023
Sysmon v15.0

This update to Sysmon, an advanced host security monitoring tool, sets the service to run as a protected process, hardening it against tampering, adds a new event, FileExecutableDetected, for when new executable images are saved to files, and fixes a system hang occurring in certain situations due to an interaction between network and file system events.
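The new FileExecutableDetected event is most useful once it is pulled out of the Sysmon log and summarized by the process that wrote the executable. The PowerShell below is an added example, not code from the post or from the Sysinternals team. It assumes that Sysmon 15 records FileExecutableDetected as Event ID 29 in the Microsoft-Windows-Sysmon/Operational log and that the event carries the EventData fields UtcTime, User, Image, TargetFilename and Hashes; the sample event embedded in the script is constructed so the parsing can be checked on a machine without Sysmon.

```powershell
# Added example (not from the Sysinternals post): parse and summarize Sysmon
# FileExecutableDetected events.
# Assumptions (labelled): Sysmon 15 logs FileExecutableDetected as Event ID 29 in
# Microsoft-Windows-Sysmon/Operational with EventData fields UtcTime, User, Image,
# TargetFilename and Hashes. The event below is constructed, not captured.

$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" />
    <EventID>29</EventID>
    <Computer>WS01.contoso.example</Computer>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2023-06-27 10:15:30.123</Data>
    <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="User">CONTOSO\jdoe</Data>
    <Data Name="Image">C:\Users\jdoe\AppData\Local\Temp\setup.exe</Data>
    <Data Name="TargetFilename">C:\Users\jdoe\AppData\Local\Temp\helper.exe</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000,MD5=00000000000000000000000000000000</Data>
  </EventData>
</Event>
'@

function ConvertFrom-SysmonEventXml {
    # Turn one Sysmon event (as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Hashes is a comma-separated list of ALG=value pairs; keep only the SHA256 entry.
    $sha256 = ($data['Hashes'] -split ',' | Where-Object { $_ -like 'SHA256=*' }) -replace '^SHA256=', ''
    [pscustomobject]@{
        Time           = $data['UtcTime']
        User           = $data['User']
        Image          = $data['Image']           # process that wrote the file
        TargetFilename = $data['TargetFilename']  # executable image that was written
        Sha256         = $sha256
    }
}

function Get-FileExecutableDetected {
    # Read the live log on a Sysmon 15 host; returns nothing if the log or event is absent.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 29 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEventXml $_.ToXml() }
}

function Get-ExecutableDropSummary {
    # One row per writing process: how many executables it wrote and where.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Image | ForEach-Object {
        [pscustomobject]@{
            Image   = $_.Name
            Count   = $_.Count
            Targets = ($_.Group.TargetFilename | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Count -Descending
}

# Offline check against the constructed sample, then the live log where one exists.
$parsed = ConvertFrom-SysmonEventXml $SampleEvent
Get-ExecutableDropSummary -Events @($parsed) | Format-Table -AutoSize

$live = @(Get-FileExecutableDetected)
if ($live.Count -gt 0) { Get-ExecutableDropSummary -Events $live | Format-Table -AutoSize }
```

Grouping by Image rather than by TargetFilename is deliberate: a baseline of which installers, updaters and build tools normally write executables is short, so a new writer stands out quickly, while the per-file view is noisy. Hash values are kept on each parsed record so a suspicious row can be matched against your own inventory.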

Autoruns v14.1

This update to Autoruns, a utility for monitoring startup items, fixes a bug with detecting non-shortcut files in startup folders, fixes a bug with handling non-UNC, non-absolute paths, and improves theming support.

Process Monitor v3.95

This update to Process Monitor fixes a crash on loading certain PML files and improves boot logging.
  • ScottWilbers (Copper Contributor)

    We are getting the same error message when trying to update from 14.16.0.0.

    Running the command sysmon64.exe -u force initially returns exit code 0. We then attempt to install version 15.0.0.0, but it exits with code 1053.

    Subsequent attempts to uninstall existing configurations return access denied (exit code 5) and say it can't delete the service.

  • ScottWilbers - we discovered a set of circumstances that could lead to the observed lock on servers running Sysmon; a fix is on its way.

  • Jesse_King (Copper Contributor)

    We are having issues with Server 2012 R2 and Sysmon v15.0 exiting with error code 1053. I'm not having any issues with any other OS. Anyone else having this issue?

  • mbradford (Copper Contributor)

    We accidentally installed Sysmon 15 over an existing Sysmon 15 installation. The service is stopped and will not start. We cannot use sysmon -u or sysmon -u force; both throw errors.

    The only way we have found to get everything running again is to delete the registry values, delete the Sysmon files, and then restart.

    Restarts are painful. Is this a bug? Why does installing Sysmon 15 on top of an existing Sysmon 15 completely break Sysmon?

  • Mike_Briggs (Copper Contributor)

    Hi there. We use Autoruns quite a bit for quick before-and-after snapshots for software packaging requests.

    It's easy for the helpdesk to do this quickly before we get too deep into it.

    I'm looking for something to capture additions to firewall rules. Can Autoruns do this? Maybe I'm missing something.

    Thanks