Sysmon v11 not logging ProcessCreate events for Win10 versions 1507 thru 1607


  • Hi all,

    Anybody else seeing this?  With the below configuration in place (and many other similar variations), when I open and close an app, I get the ProcessTerminate events (ID 5) but never the ProcessCreate events (ID 1).  All other OSs seem fine (Win7/WS2008 through Win10-v2004).  These are all VMs; I have not yet been able to test a physical machine with one of the problem OSs.

    EDIT: Dropping back to Sysmon v10.42 brings back ProcessCreate events.


    Dave


    • Edited by Dave Schob Wednesday, June 17, 2020 7:10 PM
    Wednesday, June 17, 2020 6:37 PM

All replies

  • I have confirmed this also occurs on physical machines.  I've checked v1507 and v1607; both fail to log ProcessCreate events using even this simple config:

    <Sysmon schemaversion="4.22">
      <!-- Capture MD5 and SHA1 hashes -->
      <HashAlgorithms>MD5,SHA1</HashAlgorithms>
      <EventFiltering>
        <!-- Events to include -->
        <ProcessCreate      onmatch="exclude" />
        <ProcessTerminate   onmatch="exclude" />
      </EventFiltering>
    </Sysmon>


    Dave

    Friday, June 19, 2020 4:14 AM
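A quick health check for the symptom reported above (ID 5 logged, ID 1 missing), added here as an example and not code from the thread or from Sysmon. It assumes Sysmon is installed with a config that includes ProcessCreate and ProcessTerminate (such as the exclude-only config posted above), the default log name Microsoft-Windows-Sysmon/Operational, and an elevated PowerShell session so the log can be read.

```powershell
# Added example: spawn a harmless short-lived process, then confirm that Sysmon
# wrote both ProcessCreate (ID 1) and ProcessTerminate (ID 5) for that PID.
# Assumes the default Sysmon log name and an elevated session (to read the log).
$logName = 'Microsoft-Windows-Sysmon/Operational'

function Test-SysmonProcessCreate {
    param([int]$WaitSeconds = 5)

    # cmd.exe /c exit runs and terminates immediately; -PassThru gives us its PID.
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c exit' `
                          -WindowStyle Hidden -PassThru
    $proc.WaitForExit()
    Start-Sleep -Seconds $WaitSeconds   # give the Sysmon service time to write the events

    # Sysmon stores ProcessId as a decimal string in EventData; match both IDs for this PID.
    $xpath = "*[System[(EventID=1 or EventID=5)] and " +
             "EventData[Data[@Name='ProcessId']='$($proc.Id)']]"
    $events = @(Get-WinEvent -LogName $logName -FilterXPath $xpath -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Pid              = $proc.Id
        ProcessCreate    = @($events | Where-Object Id -eq 1).Count
        ProcessTerminate = @($events | Where-Object Id -eq 5).Count
    }
}

$result = Test-SysmonProcessCreate
$build  = [System.Environment]::OSVersion.Version.Build
"OS build $build, test PID $($result.Pid): ProcessCreate=$($result.ProcessCreate) ProcessTerminate=$($result.ProcessTerminate)"

if ($result.ProcessTerminate -gt 0 -and $result.ProcessCreate -eq 0) {
    # Exactly the pattern described in this thread: terminate logged, create missing.
    Write-Warning 'ID 5 logged but no ID 1 for the test process; check the Sysmon version on this build.'
    exit 1
}
elseif ($result.ProcessCreate -eq 0 -and $result.ProcessTerminate -eq 0) {
    Write-Warning 'No Sysmon events for the test process; verify the service is running and the config includes ProcessCreate/ProcessTerminate.'
    exit 2
}
exit 0
```

Run it after deploying or upgrading Sysmon on each build you support; a non-zero exit code is what a monitoring job should alert on.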
  • Hi Dave

    this is a known regression for Sysmon 11 on some older SKUs. We have resolved the issue for Sysmon 11.10 which was supposed to be published yesterday. I am going to chase Mark R. on this today but in the meantime if you would like a pre-release version ahead of the publication please ping me at syssite@microsoft.com and I can make it available to you.

    MarkC(MSFT)

    Friday, June 19, 2020 7:51 AM
  • Thanks a bunch for the confirmation, Mark.  I've reverted to v10.42 on those problem VMs and will wait for the official 11.10 release.  I'll reply here when I've tested it.

    Dave

    Friday, June 19, 2020 3:33 PM