Sysinternals Blog

Sysmon v13.00, Process Monitor v3.61 and PsExec v2.21

lukekim
Jan 11, 2021

Sysmon v13.00

This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks.
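As an added example (not code from the Sysinternals post), this PowerShell snippet pulls the new process image tampering events from the Sysmon operational log and summarises them per image and tamper type, so a defender can see hollowing- or herpaderping-style hits and tune exclusions. It assumes Sysmon v13 or later is installed with ProcessTampering enabled in its configuration; the event ID (25) and the Type strings are Sysmon's own values for this event and are not given on the page.

```powershell
# Added example: list Sysmon ProcessTampering events (Event ID 25, new in v13.00)
# and summarise them by image and tamper type.
# Assumes Sysmon 13+ with ProcessTampering enabled, e.g. inside <EventFiltering>:
#   <RuleGroup groupRelation="or"><ProcessTampering onmatch="exclude"/></RuleGroup>
# Run from an elevated PowerShell session (reading the Sysmon log needs admin rights).

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 25                         # ProcessTampering
    StartTime = (Get-Date).AddHours(-24)   # look-back window; adjust as needed
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements in EventData;
    # pull them into a hashtable keyed by field name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime   = $data['UtcTime']
        ProcessId = $data['ProcessId']
        Image     = $data['Image']
        # Type is "Image is replaced" (mapped image differs from the file on disk)
        # or "Image is locked for access" (file opened for exclusive access).
        Type      = $data['Type']
    }
}

# Summary per (Image, Type): a noisy-but-benign image stands out here and is
# best excluded in the Sysmon config rather than hidden in the query.
$rows | Group-Object Image, Type |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Image, Type'; e = { $_.Name } } |
    Format-Table -AutoSize

# Most recent hits in detail
$rows | Sort-Object UtcTime -Descending | Select-Object -First 20 | Format-Table -AutoSize
```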

Process Monitor v3.61

This update to Process Monitor adds monitoring for the RegSaveKey, RegLoadKey and RegRestoreKey APIs, and fixes a bug in the details output for some types of directory queries.

PsExec v2.21

This update to PsExec, a command-line utility for remotely launching processes on Windows computers, removes some MAX_PATH-related limits and now mandates the -i flag for interactive sessions.
  • martind22
    Copper Contributor

    lukekim Was the wrong version of PsExec released today?
    On https://docs.microsoft.com/en-us/sysinternals/downloads/psexec it says 2.21.
    When I download it and execute PsExec.exe it says 2.30 (https://download.sysinternals.com/files/PSTools.zip).
    On https://docs.microsoft.com/en-us/sysinternals/#whats-new-january-11-2021 there is no mention of PsExec (there is for Sysmon and Process Monitor).


    We have been having some issues on our CI pipeline since today, out of nowhere... We tracked it down: a build that ran well used 2.20, and the first build that failed used 2.30.


    C:\Users\....> PsExec.exe -accepteula -i 1 -w . cmd /s /c "echo Hello World"

    PsExec v2.30 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com

    The handle is invalid.
    Connecting to local system...
    Starting PSEXESVC service on local system...
    Copying authentication key to HOSTNAME...
    Connecting with PsExec service on HOSTNAME...
    Error communicating with PsExec service on HOSTNAME:

    (Note that no reason is given at the end, and the exit code was 6.)


    Could you confirm it?

    Thanks in advance

    P.S.: Sorry if it is duplicated. Somehow the first comment disappeared.

  • Sai
    Copper Contributor

    Any updates? We were seeing a similar issue in our builds.

  • admoseley
    Copper Contributor

    I've done some searches but can't seem to find any info on the following...

    What are the differences between procmon64.exe and procmon64a.exe?

    TIA

  • admoseley The "64"-suffixed binaries are x64 and the "64a" ones are ARM64. Binaries with no suffix are normally 32-bit, with the 64-bit binaries embedded.