Published Nov 13, 2023
Version 1.0
Alex_Mihaiuc
Microsoft
Joined August 30, 2020
Sysinternals Blog
Thank you for this one, Ronny!
It's the option to pass a user's BTF file, relevant for Linux.
The output from sysmon -s shows that there's a -btf command line switch but I can't find any information on what this does. Anyone know?
Thanks!
Getting same error/results when I attempt to uninstall version 14.16.0.0 from existing Windows workstations as I got when first attempted to update to version 15.0.
When attempting to update a machine, I first run [Sysmon64.exe -u force]. This executes successfully.
I then attempt to install/configure new version of Sysmon using [Sysmon64.exe -accepteula -i C:\Windows\Sysmon.xml], but it exits with code 1053.
Further attempts to uninstall Sysmon return exit code 5 with this output:
Stopping the service failed:
The system cannot find the file specified.
DeleteService failed:
Access is denied.
Am I doing something wrong?
ScottWilbers this behavior may be caused by trying to uninstall Sysmon with the new Sysmon binary, as opposed to the one used for installing.
To manually remove the driver (and service), just delete the autostart keys for the driver and the service, from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services: Sysmon64 and SysmonDrv. Then reboot (so that the driver stays unloaded) and also delete the binaries from C:\Windows: Sysmon64.exe and SysmonDrv.sys.
The new install will work after this - but go directly to v15.11, it has improvements.
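The manual clean-up described in the reply above, as an added PowerShell example that is not from the Sysinternals team or from anyone in this thread. It first inventories what is left of a broken install (the two service keys under HKLM\SYSTEM\CurrentControlSet\Services and the two binaries in C:\Windows, exactly the items the reply names) and only removes them when run with a -Cleanup switch; the switch name, the report-then-clean structure and the 64-bit file names are this example's own assumptions. It must run from an elevated prompt, and -WhatIf is supported so the removals can be previewed.

```powershell
# Added example (not from the Sysinternals team or the posters above): inventory the
# leftovers that the manual clean-up in the reply targets, and optionally remove them.
# Assumes the default install location named in the reply (C:\Windows) and the 64-bit
# service names Sysmon64 / SysmonDrv. Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Cleanup   # without this switch the script only reports
)

$services = 'Sysmon64', 'SysmonDrv'
$binaries = 'C:\Windows\Sysmon64.exe', 'C:\Windows\SysmonDrv.sys'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$leftovers = [System.Collections.Generic.List[string]]::new()

# Report what the Service Control Manager and the registry still know about each service.
foreach ($name in $services) {
    $key = Join-Path $svcRoot $name
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not registered with SCM' }
    $keyExists = Test-Path $key
    Write-Host ("{0,-10} SCM: {1,-25} registry key present: {2}" -f $name, $state, $keyExists)
    if ($keyExists) { $leftovers.Add($key) }
}

# Report which binaries are still on disk.
foreach ($file in $binaries) {
    $exists = Test-Path $file
    Write-Host ("{0,-30} present: {1}" -f $file, $exists)
    if ($exists) { $leftovers.Add($file) }
}

if (-not $leftovers.Count) {
    Write-Host 'Nothing left to clean up; a fresh install can proceed.'
    return
}

if (-not $Cleanup) {
    Write-Host 'Leftovers found. Re-run with -Cleanup to remove them (a reboot is needed between the two steps).'
    return
}

# Step 1 from the reply: delete the autostart keys so the driver and service are not
# loaded again on the next boot.
foreach ($key in $leftovers | Where-Object { $_ -like "$svcRoot*" }) {
    if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
        Remove-Item -Path $key -Recurse -Force
    }
}

# Step 2 from the reply: the binaries can only be deleted once the driver is no longer
# loaded, i.e. after the reboot. Surface the failure instead of treating it as success.
foreach ($file in $leftovers | Where-Object { $_ -notlike "$svcRoot*" }) {
    if ($PSCmdlet.ShouldProcess($file, 'Delete file')) {
        try {
            Remove-Item -Path $file -Force -ErrorAction Stop
        } catch {
            Write-Warning "Could not delete $file (driver still loaded?). Reboot, then re-run with -Cleanup."
        }
    }
}
```

On the first pass the registry keys go and the driver file typically cannot be deleted yet; after the reboot the report shows only the files, and a second run with -Cleanup finishes the job. A clean report (no keys, no files, neither service known to the SCM) is the state the reply says a fresh install needs.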
Alex_Mihaiuc I am seeing basically the same issue ScottWilbers described, but cannot install the new version. The installer produces this output:
C:\sysmon>Sysmon64.exe -i -accepteula
System Monitor v15.11 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
StartService failed for Sysmon64:
The service did not respond to the start or control request in a timely fashion.
Failed to start the service:
The service did not respond to the start or control request in a timely fashion.
Stopping SysmonDrv.
SysmonDrv stopped.
SysmonDrv removed.
Stopping the service failed:
The system cannot find the file specified.
DeleteService failed:
Access is denied.
When it fails, it seems it tries to clean up after itself. It successfully deletes SysmonDrv.sys and the SysmonDrv service, and the Sysmon64.exe file, but not the Sysmon64 service. The uninstaller isn't much help there either.
So I try to clean up manually as you instructed. The .exe's are already gone, I delete the registry key for the service that does exist, and reboot. The service is gone, and things appear to be in a clean state to reinstall.
However, trying to install 15.11 or 15.1 again results in the same thing again. Only 14.x versions and older can be installed after cleaning up as you said.
It's very strange that this happened on 4 machines out of over 1400 successful updates. And it re-occurs on the same machines after cleaning up manually. Whereas all other machines let me install and uninstall it as much as I want. But these machines are from the same image, so I am not sure what is so unique about them.
P.S. I have run sfc /scannow and dism /online /cleanup-image /restorehealth already, no impact.
Can you please drop me an email for a v15.12 preview build that should fix this?
The address is my name, with dot between the alex and the mihaiuc, at the company.
Alex_Mihaiuc I sent you an email