Sysmon 9.0 configuration issue

  • Question

  • Hi,

    I am having trouble changing the config of Sysmon. After initial successful configurations, it now seems the tool ignores any new file request. Uninstalling and installing it back didn't work; even worse, rolling back to 8 was also useless. Once back to v9.0 it seems to be OK:

    PS C:\Windows\system32> sysmon64 -c

    System Monitor v9.0 - System activity monitor
    Copyright (C) 2014-2019 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com

    Current configuration:
     - Service name:                  Sysmon64
     - Driver name:                   SysmonDrv
     - HashingAlgorithms:             SHA1
     - Network connection:            disabled
     - Image loading:                 disabled
     - CRL checking:                  disabled
     - Process Access:                disabled

    No rules installed

    At the moment it is logging everything (as expected), also filter is OK:

    PS C:\Windows\system32> fltmc

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    others
    SysmonDrv                               8       385201         0

    others

    but when trying to setup a new config get this error:

    sysmon64 -c .\sysmon_v1.1-Schema4.2.xml

    System Monitor v9.0 - System activity monitor
    Copyright (C) 2014-2019 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com

    Loading configuration file with schema version 4.20
    Configuration file validated.
    Error: Sysmon is not installed.
    Configuration updated.

    It is a bit strange that the config file is parsed successfully (apparently), then it reports an error, and finally says the configuration is updated. Is anybody experiencing the same issue?

    Thanks

    Thursday, March 14, 2019 4:53 PM

All replies

  • Hello

    I thought I'd seen this before, so I just went through the old threads and came across this one:

    https://social.technet.microsoft.com/Forums/en-US/fd6b531f-2b6c-4d53-adcf-4b664e1b91ee/sysmon-v80-driver-failure?forum=miscutils

    The error you are seeing is logged when we fail to open a connection to the driver. From the driver code however I can see that the only reason this would occur is if the user does not have the SeDebugPrivilege since the driver checks for this and returns access denied on failure.

    Could you download AccessChk from https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk and run the following command:

    accesschk64.exe accountname -a * | findstr /i debug

    If it doesn't list SeDebugPrivilege then that's the issue.

    MarkC (MSFT)

    Monday, April 1, 2019 9:17 AM
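A PowerShell check in the same spirit as MarkC's AccessChk suggestion, added here as an example and not part of the thread. Instead of AccessChk it inspects the current token with `whoami /priv` (is SeDebugPrivilege present, and is it Enabled or Disabled) and reads the local "Debug programs" user-rights assignment from a `secedit /export` of the local policy, which shows whether the right was removed from the Administrators group by hardening. The function names `Test-SeDebugPrivilege` and `Get-DebugPrivilegeAssignment` are mine, and whether SysmonDrv needs the privilege merely present or actively enabled is not stated in the thread, so the script reports both.

```powershell
# Added example, not from the thread: diagnose the "Sysmon is not installed"
# symptom by checking SeDebugPrivilege on the current token and in local policy.

function Test-SeDebugPrivilege {
    # whoami /priv lists every privilege the current token holds, with its State.
    # A privilege that is absent from this list cannot be enabled by Sysmon at all.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $debug = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }
    [pscustomobject]@{
        HeldByToken = [bool]$debug
        State       = if ($debug) { $debug.State } else { 'not present in token' }
    }
}

function Get-DebugPrivilegeAssignment {
    # Export the local security policy (requires an elevated prompt) and read the
    # [Privilege Rights] entry for SeDebugPrivilege, e.g. "*S-1-5-32-544" = Administrators.
    $cfg = Join-Path $env:TEMP 'secpol_export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { return @() }

    $line = Select-String -Path $cfg -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody

    # Values are comma-separated SIDs prefixed with '*'; translate them to account names.
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $sid   # unresolvable SID (e.g. deleted account): report it raw
        }
    }
}

$token = Test-SeDebugPrivilege
"Current token holds SeDebugPrivilege : $($token.HeldByToken) ($($token.State))"

$assigned = Get-DebugPrivilegeAssignment
if ($assigned.Count -eq 0) {
    "Local policy grants 'Debug programs' to : <nobody> - likely cause of the driver-open failure"
} else {
    "Local policy grants 'Debug programs' to : $($assigned -join ', ')"
}
```

Run it from the same elevated console you use for `sysmon64 -c`, since both the driver connection and `secedit /export` need that token. If the token shows the privilege as Disabled that is normal for an administrator token; the case to look for is the privilege missing from the token entirely while the policy export shows Administrators no longer listed under SeDebugPrivilege, which matches the driver's access-denied path described in the reply.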