Blog Post

Sysinternals Blog
1 MIN READ

Autoruns v14.06 and Sysmon v13.30

Alex_Mihaiuc's avatar
Alex_Mihaiuc
Icon for Microsoft rankMicrosoft
Oct 26, 2021

Autoruns v14.06

This Autoruns release fixes a crash happening for scheduled tasks containing spaces.
 

Sysmon v13.30

This Sysmon update adds user fields for events, fixes a series of crash-causing bugs - for example with the Visual Studio debugger - and improves memory usage and management in the driver.
 
Published Oct 26, 2021
Version 1.0
  • hqqddy's avatar
    hqqddy
    Copper Contributor
    Oct 27, 2021

    Alex_Mihaiuc well it's failed to disable components is Installed components for i.e. Is it new normal behaviour? We (ok I am) look at builds v13.x and it works fine.

  • click-click's avatar
    click-click
    Copper Contributor
    Oct 27, 2021

    14.06 is still broken. Open -> Save > and Compare still cannot load the saved .arn file with Win7 ESU, Win 8.1 and Win10 LTSB. Works okay with Win11 and some newer W10 builds.

    Has no one tested this?
    Am I the only one with this problem?
    It would be nice if someone could confirm.

  • JosephMy's avatar
    JosephMy
    Copper Contributor
    Oct 26, 2021

    In the Sysmon zip file, Sysmon64.exe shows a file and product version of 13.30. However, upon installation, it displays v13.24. Additionally, once installed, C:\Windows\Sysmon64.exe displays a file and product version of 13.24, as does the C:\Windows\SysmonDrv.sys. Is this the latest version of 13.30? Or is the product version incorrectly listed on install and post-install? 

  • Alex_Mihaiuc's avatar
    Alex_Mihaiuc
    Icon for Microsoft rankMicrosoft
    Oct 27, 2021

    JosephMy It appears you have a mix between v13.24 and v13.30. I think that in your case the previous version was not fully uninstalled before getting to v13.30. Completely remove sysmon with:

    sysmon64 -u force

    then make sure that C:\Windows\sysmon64.exe doesn't exist anymore and start again v13.30.

     

    hqqddy is this still the crash with rundll entries containing spaces?

  • Alex_Mihaiuc's avatar
    Alex_Mihaiuc
    Icon for Microsoft rankMicrosoft
    Oct 27, 2021

    Oh, hqqddy, I saw such problems with v14 and I thought they were all fixed. I would owe you one if you could provide a more detailed description so I can get a fix out. Either here or via mail at "syssite".

  • JosephMy's avatar
    JosephMy
    Copper Contributor
    Oct 27, 2021

    Hi Alex_Mihaiuc, thanks for the reply. I did try the -u force command, it appears that the executable persists in C:\Windows although the output says that it's the Sysmon64 service is stopped and and Sysmon64 is removed. As a workaround, I'm running -u force, then deleting the executable. Thanks.

  • Alex_Mihaiuc's avatar
    Alex_Mihaiuc
    Icon for Microsoft rankMicrosoft
    Oct 27, 2021

    JosephMy the fact that we don't properly handle this common upgrade path is very useful feedback in itself, thanks!

     

    click-click really weird it's regressing on the older systems, I'll have a look and get back to you with a fix.

  • Alex_Mihaiuc's avatar
    Alex_Mihaiuc
    Icon for Microsoft rankMicrosoft
    Oct 27, 2021

    hqqddy - getting that error while trying to disable one of the "?????" entries towards the bottom of the list, is that correct?