Sysmon v15.14

Hi Alex_Mihaiuc 

Can you please explain why there is no support for 2012 R2? What issues present themselves when installing 15.x on 2012 R2?

What is the last supported version for 2012 R2? Are there any vulnerabilities in the last supported 2012 R2 version of sysmon?

Can you elaborate some more information on the rare system crash experienced in 15.12 that 15.14 aims to resolve?

Thank you.

Hey it82373,

This is great feedback, thank you for taking the time to write it!

Tracking all of your points; the goal is to make the tool "self-document" - meaningfully react to the configuration / runtime, and these are all baseline / expected software behaviors, also with Shane_King's experience.

Thanks for reporting - apparently it doesn't correctly parse those config settings. As for the service name, I'll update the docs to reflect the current functionality.

Hi Alex_Mihaiuc,

I really love the whole sysinternals suite and especially Sysmon is a wonderful tool. But I feel certain aspects could be improved:

1. The documentation is not very elaborate
2. The changelogs does not seem to be complete or in detail
3. Syntactically incorrect configruation files are accepted

This makes it much more difficult, time consuming and error prone to use it in a stable and reliable way for any serious use cases.

I know that documentation is not a very thrilling task, but maybe steps could be taken to improve that in the future?

Here are some concrete examples for the points raised above:

The documentation is not very elaborate

There are some flags that do not seem to be documented anywhere and that are not present in the sysmon /? output. For example:

• There is the -t flag for printing sysmon output to console for debugging/testing. I found that by absolute chance, it is not documented anyhwere

I wonder what other helpful flags I may be missing?

Furthermore I don't think the documentation mentions anywhere, that each event type can only specified once (well twice, one for includes and one for excludes) in the configuration. 

If you e.g. specify multiple <ProcessCreate onmatch="include"> sections in the configuration the config file is successfully validated, successfully updated but the rules do not work as expected!

Having that mentioned prominently in the documentation would have saved me hours of troubleshooting.

For the Event ID 255 I could not find any helpful documentation at all, to help understand whether a particular error being logged is a temporary issue due to load, or an issue that needs to be looked after. For example I encountered the following errors during the last weeks:

ID: IMAGE_LOAD / Description: Failed to find process image name

I assume this means an event will be missing or incomplete?

ID: ConfigMonitorThread / Description: Failed to send message to the driver to update configuration - Last error: The system cannot find the file specified.

What does that tell me? Was the configuration updated or not? Do I need to perform any action or will sysmon work? I assume everything is fine because the configuration hash has been updated in the registry but I don't know.

ID: QUEUE / Description: Events dropped from driver queue: <EVENT TYPE>:<COUNT>

I assume that this could happen due to load, but there is no documentation on what to check in these cases, no documentation of what the internal queue size is and whether it can be changed, ...

Would sysmon be open source I could at least dig through the code to try to see for myself but with the current situation we only have the documentation and the changelogs and these do not help in this regard.

The changelogs does not seem to be complete or in detail

The changelogs are often just a single line without any details. This makes it really difficult to see if relevant changes are included. 

For example adding the 255 Error Events was briefly mentioned, but no examples were given (like those I've mentioned above) to help the user determine whether those are expected or not - and how to troubleshoot/solve them.

Syntactically incorrect configruation files are accepted

Sysmon successfully accepts, validates and updates configuration files that are syntactically incorrect.

One example was provided by Shane_King above, another one would be specifying a single event type multiple times:

PS C:\sysmon> gc C:\sysmon\corrupt.xml
<Sysmon schemaversion="4.90">
        <EventFiltering>
            <ProcessCreate onmatch="include">
                                <Rule>
                                        <Image condition="is">cmd.exe</Image>
                                </Rule>
                        </ProcessCreate>

                        <ProcessCreate onmatch="include">
                                <Rule>
                                        <Image condition="is">pwsh.exe</Image>
                                </Rule>
                        </ProcessCreate>
        </EventFiltering>
</Sysmon>
PS C:\sysmon> .\Sysmon.exe -c C:\sysmon\corrupt.xml


System Monitor v15.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.90
Configuration file validated.
Configuration updated.

PS C:\sysmon> .\Sysmon.exe -c


System Monitor v15.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:                  Sysmon
 - Driver name:                   SysmonDrv
 - Config file:                   C:\sysmon\corrupt.xml
 - Config hash:                   SHA256=86E3E47770744B1570CC4D2FEED27620ECB0FFF3925EB33F2B784EE66F908030

 - HashingAlgorithms:             SHA256
 - Network connection:            disabled
 - Archive Directory:             -
 - Image loading:                 disabled
 - CRL checking:                  enabled
 - DNS lookup:                    enabled

Rule configuration (version 4.90):
 - ProcessCreate                      onmatch: include   combine rules using 'And'
        Compound Rule 0001   combine using Or
            Image                          filter: is           value: 'cmd.exe'
PS C:\sysmon>

The config was validated and updated, however the resulting configuration does not contain the rule matching for pwsh.exe.

This can be easily spotted in this stripped-down config, but if you have a configuration that contains hundreds or thousands of lines it can easily be missed.

I understand that it may be very difficult to completely validate the config file with all the options and combinations that sysmon offers, but a very basic validation that event types are not specified more than once for includes and once for excludes would avoid that pitfall.

Again, thank you for this great tool!

Has anyone tried this version on Windows Server 2016 Server Core? I've tried on the few remaining 2016 VMs and when I try to install it, the server crashes complaining about SysmonDrv.sys.

Scratch that, it was the uninstall process of the old version that was causing the crash. 

That uninstallation bug existed in components that were already running, so I couldn't fix it here. Sorry you had to go through that, at least from now on it won't fail on uninstall.

Mikey2024 there was a race condition from 15.10 that could cause a generic crash like "SYSTEM_SERVICE_EXCEPTION", but also more specific errors related to invalid list entries.

Hi Alex_Mihaiuc 

I asked this on the MS Learn site as well but not sure if it was the correct place to ask so here it is again.

I'm having trouble getting the service name to change. I am running Sysmon v15.14 and have the following config entries:

<Sysmon schemaversion="4.90">
	<DriverName>AudiusSv</DriverName>
	<EventFiltering>

		<RuleGroup name="" groupRelation="or">
			<ProcessCreate onmatch="include" />
		</RuleGroup>

		<RuleGroup name="" groupRelation="or">
			<ProcessTerminate onmatch="include" />
		</RuleGroup>

	</EventFiltering>
</Sysmon>

 No matter what I name the service, it has no effect. The service is always named Sysmon64 and the driver is always SysmonDrv.

Shane_King when you install and uninstall Sysmon, make sure you use the original name.

For example:

./sysmon64.exe -i
./sysmon64.exe -u
./sysmon64.exe -d "MonitorDrv" -i
./sysmon64.exe [-d "MonitorDrv"] -u

 Sysmon will complain if something else with that name already exists, for example for "Monitor": "The driver Monitor is already registered. Uninstall Sysmon before reinstalling."

Hi Alex_Mihaiuc 

Thanks for the response.

Looking at the Documentation at https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

there is a directive for the XML file called <DriverName>

Apparently this is being ignored then?

The XML directive works as well. The command-line switch is the old method of specifying the driver name.