Sysmon - problem with Sysmon removal

  • Question

  • Hello,

    We've installed Sysmon on several workstations and we found an interesting problem.

    When uninstallation is performed (i.e. to remove the old version and install the new one), the system starts to become unresponsive after a couple of minutes.

    Usually the pattern is the same: the Sysmon -u command is run, we see the information that Sysmon was removed in cmd, but it stops at this moment and does not exit (I cannot create a screenshot of this, because when I try to save the file every tool becomes unresponsive).

    After a hard reboot I check the services in the registry and it looks like the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sysmondrv entry is not removed, and Sysmon gives the error: Failure to start the service.
    When we try again the system shows the same behavior.
    Manual removal of the binaries and clearing the registry works, but we need to be able to remove Sysmon using the command line (via script).
    We tried versions 7, 8 and the newest version 9.


    Have you experienced something similar and found the source of this problem?

    Best regards


    Monday, March 25, 2019 10:32 AM

All replies

  • Hi MadMike81,

    Our organization had similar problems during Sysmon uninstallation. Every upgrade would have a small percentage of systems that failed to uninstall. This was too time consuming to track down and fix them manually. We opted to update our uninstall process to remove the service registry keys and binaries (at next reboot). This allowed the Sysmon services to continue running in memory until the next reboot, and then it would automatically be updated by our deployment process.

    The cause of this behavior could be any number of factors related to the computer baseline security settings and installed applications.

    I really wish Sysmon would support an in-place upgrade instead of requiring a complete uninstall. But there's always the chance of that small percentage of failures.

    Wednesday, July 17, 2019 1:21 PM
  • Always remember that services and drivers can be stopped/started using Net Stop/Net Start

    rem Stop the user-mode service and the kernel driver (service names, not file names)
    net stop sysmon

    net stop sysmondrv

    rem Delete the binaries Sysmon copied into %SystemRoot% (paths assume the default 32-bit install)
    del c:\windows\sysmon.exe

    del c:\windows\sysmondrv.sys

    rem Remove the service definitions so nothing tries to start them at next boot
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv /f

    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Sysmon /f

    And you are probably ready to set it up again.

    HTH
    -mario

    Wednesday, July 17, 2019 1:42 PM
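The two approaches above (try the normal uninstall, and fall back to removing the service keys now and the binaries at the next reboot) combined into one script, as an added example that is not part of the thread or of the Sysinternals tooling. It assumes a 64-bit install whose installer copy lives in C:\Tools\Sysmon, an installed service named Sysmon64 with its binary at %SystemRoot%\Sysmon64.exe, and the driver service SysmonDrv with its file at %SystemRoot%\SysmonDrv.sys; adjust the parameters for the 32-bit names used in the post above. The deferred delete uses MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which writes the PendingFileRenameOperations value that the session manager processes at boot. Run it elevated.

```powershell
# Added example (not from the thread): scripted Sysmon uninstall with a deferred-removal fallback.
# Assumptions (not from the original posts): installer copy in C:\Tools\Sysmon (NOT under %SystemRoot%),
# service name Sysmon64 / binary %SystemRoot%\Sysmon64.exe, driver SysmonDrv / %SystemRoot%\SysmonDrv.sys.
param(
    [string]$SysmonExe      = 'C:\Tools\Sysmon\Sysmon64.exe',
    [string]$ServiceName    = 'Sysmon64',
    [string]$DriverName     = 'SysmonDrv',
    [int]   $TimeoutSeconds = 120
)

# MoveFileEx(existing, NULL, MOVEFILE_DELAY_UNTIL_REBOOT = 0x4) queues a delete in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileAtReboot([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    if (-not [Win32.Native]::MoveFileEx($Path, $null, 0x4)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for $Path (Win32 error $err)"
    }
    Write-Host "Queued for deletion at next reboot: $Path"
}

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Try the supported path first, but never wait forever on it.
$proc = Start-Process -FilePath $SysmonExe -ArgumentList '-u' -PassThru -NoNewWindow
$proc | Wait-Process -Timeout $TimeoutSeconds -ErrorAction SilentlyContinue

$clean = $proc.HasExited -and $proc.ExitCode -eq 0 -and
         -not (Test-Path "$servicesRoot\$ServiceName") -and
         -not (Test-Path "$servicesRoot\$DriverName")

if ($clean) {
    Write-Host 'Sysmon uninstalled cleanly.'
    return
}

# 2. Fallback: -u hung or left service keys behind. Do not kill the hung process (it may be
#    blocked in the kernel); remove the service definitions so they do not start after reboot,
#    and defer deleting the binaries until they are no longer in use.
Write-Warning 'Sysmon -u did not complete cleanly; applying deferred removal.'

foreach ($svc in $ServiceName, $DriverName) {
    $key = "$servicesRoot\$svc"
    if (Test-Path $key) {
        Remove-Item -Path $key -Recurse -Force
        Write-Host "Removed service key: $key"
    }
}

foreach ($file in "$env:SystemRoot\$ServiceName.exe", "$env:SystemRoot\$DriverName.sys") {
    Remove-FileAtReboot $file
}

# Show what is queued so deployment tooling can verify the reboot will finish the job.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($sm) { $sm.PendingFileRenameOperations | Where-Object { $_ } }
Write-Host 'Reboot required; reinstall Sysmon after the reboot.'
```

The exit-code check alone is not enough: the first post describes Sysmon printing that it was removed and then never exiting, which is why the script also tests for the two service keys and treats a lingering SysmonDrv key as a failed uninstall.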
  • If the system is becoming completely unresponsive it sounds like a kernel mode deadlock. If this is repeatable in your environment, would you be able to create a memory dump via a forced BSOD (preferably using the latest 10.2 version) for us?

    If you are willing to help with this please follow the instructions at https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard. You can also use Notmyfault for this, but if the system is unresponsive that might be difficult, whereas the CrashOnCtrlScroll method works almost always.

    Please contact me offline at syssite@microsoft.com and I will provide you with an upload location and will give this my immediate attention.

    MarkC (MSFT)

    Wednesday, July 17, 2019 2:21 PM
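Enabling the keyboard-triggered crash from the linked docs page ahead of time, as an added example (not part of MarkC's post or of any Microsoft tooling). It sets CrashOnCtrlScroll under the Parameters key of the three keyboard drivers the page names (PS/2, USB and Hyper-V synthetic keyboards) and then checks CrashControl, because a forced crash only helps if the system is configured to write a kernel, complete or automatic dump. Run elevated; the hotkey only works after a reboot.

```powershell
# Added example (not from the thread): arm CrashOnCtrlScroll and confirm a usable dump type.
# After a reboot, hold the right CTRL key and press SCROLL LOCK twice to crash the machine.
$keyboardDrivers = @(
    'i8042prt',   # PS/2 keyboards
    'kbdhid',     # USB keyboards
    'hyperkbd'    # Hyper-V synthetic keyboard (virtual machines)
)

foreach ($drv in $keyboardDrivers) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters"
    if (-not (Test-Path $params)) { New-Item -Path $params -Force | Out-Null }
    Set-ItemProperty -Path $params -Name CrashOnCtrlScroll -Type DWord -Value 1
    Write-Host "CrashOnCtrlScroll=1 set for $drv"
}

# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic.
# A kernel deadlock investigation needs kernel (2), complete (1) or automatic (7); a minidump
# does not carry enough state to see what the Sysmon driver and the SCM were waiting on.
$crashControl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpType = [int]$crashControl.CrashDumpEnabled
if ($dumpType -in 0, 3) {
    Write-Warning ("CrashDumpEnabled is $dumpType; set it to 7 (automatic) or 2 (kernel) and make " +
                   "sure the page file is large enough, or the forced crash will not yield a usable dump.")
}
"Dump type: $dumpType, dump file: $($crashControl.DumpFile)"
"Reboot required before the CTRL+SCROLL LOCK+SCROLL LOCK sequence takes effect."
```

Capture the dump while the box is in the hung state described in the first post (after `Sysmon -u` has printed its removal message but not exited), since that is the moment the suspected kernel-mode wait is still in progress.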
  • Sysmon/Sysmon64 has had an installation bug, for as long as I can remember, whereby install/uninstall issues will be encountered when the installation is performed from any folder or subfolder under %SystemRoot%.

    The issue you're describing exists because during installation the SysmonDrv.dll file was not created, even though output from the installer states it was created. Conversely, the service is created. During uninstallation, it may not even try to remove the service as it doesn't see the file (my theory).

    9 months ago, on this very forum, I was told the bug was going to be corrected, but that post has since been deleted.

    Until the bug is fixed, please install Sysmon/Sysmon64 from any folder or subfolder NOT under %SystemRoot%.

    Cheers!

    Friday, August 23, 2019 4:01 AM