Sysinternals Blog

Sysmon v15.14

Alex_Mihaiuc (Microsoft)
Feb 13, 2024

This update to Sysmon resolves a service crash on configuration change and a rare system crash.

26 Comments

  • Shane_King

    Hi Alex_Mihaiuc 

    Thanks for the response.

    Looking at the documentation at https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon there is a directive for the XML file called <DriverName>.

    Apparently this is being ignored then?

  • Shane_King, when you install and uninstall Sysmon, make sure you use the original name.

    For example:

    ./sysmon64.exe -i
    ./sysmon64.exe -u
    ./sysmon64.exe -d "MonitorDrv" -i
    ./sysmon64.exe [-d "MonitorDrv"] -u

    Sysmon will complain if something else with that name already exists, for example for "Monitor": "The driver Monitor is already registered. Uninstall Sysmon before reinstalling."
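The install/uninstall sequence from the reply above, written out as an added example that is not from the blog post or from Sysinternals: a PowerShell script, run from an elevated prompt, that first checks whether a kernel driver is already registered under the chosen name (the case that produces the "already registered" error), installs Sysmon with the same -d switch the reply uses, then queries the service and driver registrations to confirm which names actually took effect instead of assuming they did, and finally shows the matching uninstall with the same -d. The directory, config file name and the driver name MonitorDrv are assumptions; the service is looked up under the executable's base name, since Sysmon names the service after the executable, which is why the reply says to keep the original name for install and uninstall.

```powershell
# Added example (not Sysinternals code): install Sysmon with a custom driver name,
# verify what was registered, and uninstall with the same -d. Run elevated.
# Assumed paths and names; adjust to your deployment.
$SysmonDir  = 'C:\Tools\Sysmon'                       # assumed install directory
$SysmonExe  = Join-Path $SysmonDir 'sysmon64.exe'     # the original executable name
$ConfigFile = Join-Path $SysmonDir 'sysmonconfig.xml' # assumed config file
$DriverName = 'MonitorDrv'                            # the -d value from the reply

# Sysmon names its service after the executable, so derive the expected service name.
$ServiceName = [IO.Path]::GetFileNameWithoutExtension($SysmonExe)

function Get-SysmonRegistration {
    # Returns the user-mode service (Get-Service) and the kernel driver entry
    # (Win32_SystemDriver) that Sysmon registers, each $null if absent.
    param([string]$Service, [string]$Driver)
    [pscustomobject]@{
        Service = Get-Service -Name $Service -ErrorAction SilentlyContinue
        Driver  = Get-CimInstance Win32_SystemDriver -Filter "Name='$Driver'" -ErrorAction SilentlyContinue
    }
}

# Pre-flight: a leftover driver with this name makes -i fail with
# "The driver <name> is already registered. Uninstall Sysmon before reinstalling."
$before = Get-SysmonRegistration -Service $ServiceName -Driver $DriverName
if ($before.Driver -or $before.Service) {
    Write-Warning "Sysmon already registered (service: $($before.Service.Name); driver: $($before.Driver.Name))."
    Write-Warning "Uninstall first with the same driver name:  $SysmonExe -d $DriverName -u"
    return
}

# Install with the custom driver name, in the switch order the reply uses.
# -accepteula suppresses the interactive licence prompt.
& $SysmonExe -accepteula -d $DriverName -i $ConfigFile
if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }

# Verify rather than assume: query the names that were actually registered.
$after = Get-SysmonRegistration -Service $ServiceName -Driver $DriverName
if (-not $after.Service) { Write-Warning "No service named '$ServiceName' found after install." }
if (-not $after.Driver)  { Write-Warning "No kernel driver named '$DriverName' found after install." }
"Service : {0} ({1})" -f $after.Service.Name, $after.Service.Status
"Driver  : {0} -> {1}" -f $after.Driver.Name, $after.Driver.PathName

# Uninstall later with the same -d value, as the reply does:
#   & $SysmonExe -d $DriverName -u
```

The pre-flight check is the part worth keeping around: the error in the reply appears at install time, so checking Win32_SystemDriver for the name before running -i tells you in advance whether an earlier install under that name is still present and needs the matching -u.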

  • Shane_King

    Hi Alex_Mihaiuc 

    I asked this on the MS Learn site as well but not sure if it was the correct place to ask so here it is again.

    I'm having trouble getting the service name to change. I am running Sysmon v15.14 and have the following config entries:

    <Sysmon schemaversion="4.90">
    	<DriverName>AudiusSv</DriverName>
    	<EventFiltering>
    
    		<RuleGroup name="" groupRelation="or">
    			<ProcessCreate onmatch="include" />
    		</RuleGroup>
    
    		<RuleGroup name="" groupRelation="or">
    			<ProcessTerminate onmatch="include" />
    		</RuleGroup>
    
    	</EventFiltering>
    </Sysmon>

    No matter what I name the service, it has no effect. The service is always named Sysmon64 and the driver is always SysmonDrv.

  • That uninstallation bug existed in components that were already running, so I couldn't fix it here. Sorry you had to go through that; at least from now on it won't fail on uninstall.

    Mikey2024, there was a race condition from 15.10 that could cause a generic crash like "SYSTEM_SERVICE_EXCEPTION", but also more specific errors related to invalid list entries.

  • cjg000

    Has anyone tried this version on Windows Server 2016 Server Core? I've tried on the few remaining 2016 VMs and when I try to install it, the server crashes complaining about SysmonDrv.sys.

    Scratch that, it was the uninstall process of the old version that was causing the crash.

  • Mikey2024

    Hi Alex_Mihaiuc 

    Can you please explain why there is no support for 2012 R2? What issues present themselves when installing 15.x on 2012 R2?

    What is the last supported version for 2012 R2? Are there any vulnerabilities in the last supported 2012 R2 version of sysmon?

    Can you elaborate some more information on the rare system crash experienced in 15.12 that 15.14 aims to resolve?

    Thank you.