Sysmon v13.00, Process Monitor v3.61 and PsExec v2.21

Published Jan 11 2021 03:12 AM 5,210 Views
Microsoft

Sysmon v13.00

This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks.
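As an added example (my own code, not part of the release post and not Sysinternals code), here is a PowerShell function pair that reads the new process image tampering event from the local Sysmon Operational log and summarises it by image and indicator type for triage. It assumes Sysmon v13 or later is installed and that its configuration enables the ProcessTampering rule (schema version 4.50, for instance `<ProcessTampering onmatch="exclude" />`), since the event is only written when that rule is present; the event ID 25 and field names are those of the Sysmon 13 schema, and the function and parameter names are my own.

```powershell
# Added example: triage Sysmon process image tampering events (Event ID 25,
# "ProcessTampering", Sysmon v13+). Assumes Sysmon is installed with the
# ProcessTampering rule enabled in its config; function/parameter names are
# hypothetical. Run elevated (or as a member of Event Log Readers).

function Get-SysmonProcessTampering {
    [CmdletBinding()]
    param(
        # Only events newer than this are returned (default: last 24 hours).
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$MaxEvents = 1000
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 25
        StartTime = $Since
    }

    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon stores its fields in EventData as <Data Name="...">value</Data>.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                UtcTime     = $data['UtcTime']
                ProcessId   = [int]$data['ProcessId']
                ProcessGuid = $data['ProcessGuid']
                Image       = $data['Image']
                User        = $data['User']
                # Type is the indicator the release note describes: the mapped image
                # differs from disk ("Image is replaced") or the image file is locked
                # for exclusive access ("Image is locked for access").
                Type        = $data['Type']
            }
        }
}

function Get-SysmonProcessTamperingSummary {
    [CmdletBinding()]
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Group by image and indicator so one noisy installer does not bury a single
    # hit on an unexpected binary; rarest combinations are listed first.
    Get-SysmonProcessTampering -Since $Since |
        Group-Object Image, Type |
        ForEach-Object {
            [pscustomobject]@{
                Count  = $_.Count
                Image  = $_.Group[0].Image
                Type   = $_.Group[0].Type
                Users  = ($_.Group.User | Sort-Object -Unique) -join ';'
                Latest = ($_.Group.UtcTime | Sort-Object | Select-Object -Last 1)
            }
        } |
        Sort-Object Count
}

# Usage: review the last six hours, rarest image/indicator pairs at the top.
Get-SysmonProcessTamperingSummary -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Expect some legitimate software to trigger the event as well; the summary is meant to make baselining easy, after which recurring benign images are best handled with exclusions in the Sysmon configuration rather than filtered away in the query.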

Process Monitor v3.61

This update to Process Monitor adds monitoring for the RegSaveKey, RegLoadKey and RegRestoreKey APIs, and fixes a bug in the details output for some types of directory queries.

PsExec v2.21

This update to PsExec, a command line utility for remotely launching processes on Windows computers, removes some MAX_PATH related limits and now mandates the -i flag for interactive sessions.
7 Comments
Frequent Visitor

@lukekim Was the wrong version of PsExec released today?

On https://docs.microsoft.com/en-us/sysinternals/downloads/psexec it says 2.21

When I download it and execute PsExec.exe it says 2.30 (https://download.sysinternals.com/files/PSTools.zip)

On https://docs.microsoft.com/en-us/sysinternals/#whats-new-january-11-2021 there is no mention of PsExec 2.21 (yes for Sysmon and Process Monitor)


We are having some issues since today on our CI pipeline out of nowhere... we tracked it down to a build that ran well and used 2.20, and the first build that failed we saw used 2.30.


C:\Users\....> PsExec.exe -accepteula -i 1 -w . cmd /s /c "echo Hello World"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

The handle is invalid.
Connecting to local system...


Starting PSEXESVC service on local system...


Copying authentication key to HOSTNAME...


Connecting with PsExec service on HOSTNAME...


Error communicating with PsExec service on HOSTNAME:

(Note that there is no reason given at the end. The exit code was 6.)


Could you confirm it?

Thanks in advance

Frequent Visitor

@lukekim Was the wrong version of PsExec released today?
On https://docs.microsoft.com/en-us/sysinternals/downloads/psexec it says 2.21
When I download it and execute PsExec.exe it says 2.30 (https://download.sysinternals.com/files/PSTools.zip)
On https://docs.microsoft.com/en-us/sysinternals/#whats-new-january-11-2021 there is no mention of PsExec (yes for Sysmon and Process Monitor).


We are having some issues since today on our CI pipeline out of nowhere... we tracked it down to a build that ran well and used 2.20, and the first build that failed we saw used 2.30.


C:\Users\....> PsExec.exe -accepteula -i 1 -w . cmd /s /c "echo Hello World"

PsExec v2.30 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

The handle is invalid.
Connecting to local system...


Starting PSEXESVC service on local system...


Copying authentication key to HOSTNAME...


Connecting with PsExec service on HOSTNAME...


Error communicating with PsExec service on HOSTNAME:

(Note that there is no reason given at the end, and the exit code was 6.)


Could you confirm it?


Thanks in advance


P.S.: Sorry if it is duplicated. Somehow the first comment disappeared.
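The failure described in this comment is the classic symptom of a CI pipeline consuming whatever build the live PSTools.zip currently contains: a version changed underneath the job with no change on the pipeline's side. As an added example (my own code, not the commenter's pipeline script and not anything from Microsoft), here is a PowerShell check for a CI step that refuses to run PsExec.exe unless its SHA-256 matches the copy you validated and its Authenticode signature is valid and issued to the expected publisher. The pinned hash is a placeholder to be filled in from your validated copy, the tools path is assumed, and the function name is hypothetical.

```powershell
# Added example: gate a CI step on a pinned, signed PsExec build. Not code from
# this thread or from Sysinternals. The default hash is a PLACEHOLDER; replace it
# with the SHA-256 of the PsExec.exe you validated (Get-FileHash -Algorithm SHA256).

function Test-PinnedPsExec {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: SHA-256 (hex) of the validated PsExec.exe.
        [string]$ExpectedSha256 = 'PLACEHOLDER_SHA256_OF_VALIDATED_PSEXEC',
        # Substring expected in the signer certificate subject.
        [string]$ExpectedSignerPattern = 'CN=Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Ok = $false; Reason = "not found: $Path" }
    }

    # 1. Hash pin: catches a silent version change like 2.20 -> 2.30 in the zip.
    $actualHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actualHash -ne $ExpectedSha256.ToUpperInvariant()) {
        # Version string is informational only; the hash is the decision.
        $ver = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
        return [pscustomobject]@{
            Ok     = $false
            Reason = "hash mismatch (file reports version '$ver'); refusing to run an unvalidated build"
            Hash   = $actualHash
        }
    }

    # 2. Signature: ties the pinned binary to its publisher, so a tampered copy
    #    with a matching name but broken signature is rejected as well.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSignerPattern*") {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer: $($sig.SignerCertificate.Subject)" }
    }

    [pscustomobject]@{ Ok = $true; Reason = 'pinned hash and signature verified'; Hash = $actualHash }
}

# Usage in a CI step (assumed path): fail the job before PsExec ever runs.
$psexec = Join-Path $PSScriptRoot 'tools\PsExec.exe'
$check  = Test-PinnedPsExec -Path $psexec
if (-not $check.Ok) {
    Write-Error "PsExec check failed: $($check.Reason)"
    exit 1
}
# Only now run the pinned binary, e.g.:
# & $psexec -accepteula -nobanner -i 1 -w . cmd /s /c "echo Hello World"
```

Keep the validated PsExec.exe in the repository or an internal artifact store rather than downloading it at build time; the check then verifies what you ship, and a new upstream release becomes a deliberate, reviewable change to the pinned hash instead of a surprise.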

Occasional Visitor

Any updates? We were seeing a similar issue in our builds.

Microsoft

Thanks for reporting this, we are investigating.

Microsoft

We've released a new post with an update: Sysmon v13.01 and PsExec v2.30 - Microsoft Tech Community

Occasional Visitor

I've done some searches but can't seem to find any info on the following...

What are the differences between procmon64.exe and procmon64a.exe?


TIA

Microsoft

@admoseley the "64" suffixed binaries are x64 and the "64a" are ARM64. No suffix will normally be 32-bit binaries, with 64-bit binaries embedded.
