Sysmon 10.41 Memory Leak

  • Question

  • Hello all,

    I have noticed that Sysmon 10.41 seems to have a memory leak; Sysmon's memory usage continuously rises on Win10 until the machine reboots. I've seen it go up as much as 20mb/day.

    Are there any known causes or fixes for this?

    Monday, November 25, 2019 4:02 PM

All replies

  • Where do you see the memory leak and how?

    Is it the driver which is leaking in kernel or the Windows service leaking user-mode memory?

    How did you get the data about the leak? Did you use Poolmon or RAMMap/Process Explorer?

    If it is the driver, can you please run this script every 6 hours for some days, so we can see the Sysmon Tag leaking those 20 MB of RAM?

    poolmon -n c:\temp\pool.txt -e -u

    If the leak is in user mode, can you show us some screenshots??

    Thanks

    -mario

    Monday, November 25, 2019 4:56 PM
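
Added example, not part of the thread and not Sysinternals code: one way to compare the periodic poolmon snapshots requested above and rank pool tags whose byte count keeps growing. The row layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) is an assumption about the snapshot file, the sample snapshots are constructed, and `XTag` is a placeholder tag, not Sysmon's.

```python
import re

# Assumed snapshot row layout: Tag Type Allocs Frees Diff Bytes PerAlloc.
ROW = re.compile(r"^\s?(.{4})\s+(Nonp|Paged)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
HEADER = " Tag  Type     Allocs     Frees      Diff     Bytes  Per Alloc\n\n"

# Constructed snapshots taken at three sampling times; "XTag" is a placeholder.
SNAPSHOTS = [
    HEADER + " MmSt Paged    120000    119000      1000   4096000       4096\n"
             " XTag Nonp      50000     10000     40000   5120000        128\n"
             " File Nonp      90000     89500       500    192000        384\n",
    HEADER + " MmSt Paged    121001    120000      1001   4100096       4096\n"
             " XTag Nonp     110000     15000     95000  12160000        128\n"
             " File Nonp      91000     90530       470    180480        384\n",
    HEADER + " MmSt Paged    122000    121010       990   4055040       4096\n"
             " XTag Nonp     230000     25000    205000  26240000        128\n"
             " File Nonp      92000     91480       520    199680        384\n",
]

def parse_snapshot(text):
    """Return {(tag, pool_type): bytes} for each data row; other lines are skipped."""
    usage = {}
    for line in text.splitlines():
        line = re.sub(r"\([^)]*\)", " ", line)  # drop "(delta)" columns if present
        m = ROW.match(line)
        if m:
            usage[(m.group(1).strip(), m.group(2))] = int(m.group(6))
    return usage

def growing_tags(snapshots, min_growth=1):
    """Tags whose bytes never shrink between snapshots, largest growth first."""
    parsed = [parse_snapshot(s) for s in snapshots]
    results = []
    for key in parsed[-1]:
        series = [p.get(key, 0) for p in parsed]
        monotonic = all(b >= a for a, b in zip(series, series[1:]))
        growth = series[-1] - series[0]
        if monotonic and growth >= min_growth:
            results.append((key[0], key[1], growth, series))
    return sorted(results, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for tag, pool, growth, series in growing_tags(SNAPSHOTS):
        print(f"{tag} ({pool}): +{growth} bytes over {len(series)} snapshots {series}")
```

Tags that fluctuate (here `MmSt` and `File`) are filtered out, so only a steadily growing allocation remains as a leak candidate.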
  • Hi @ All,

    Is there any news? We also have some trouble with Sysmon 10.41 on our Windows Server 2016. In some cases sysmon64.exe uses 3 GB of RAM and more. We already use poolmon but could not find problems in the kernel. At the moment 14 systems are affected in our environment.


    Many Thanks,

    Andreas

    Wednesday, December 4, 2019 4:15 PM
  • Please fire up RAMMap and share a screenshot of that.

    Both tab: Use Counts and Process (ordered by Private)

    Maybe it is possible to release that memory if it is in standby.

    HTH
    _mario

    Wednesday, December 4, 2019 4:21 PM
  • Hello

    We identified, resolved and verified all outstanding memory leaks for Sysmon in 10.42, which will be published some time today.

    MarkC(MSFT)

    Monday, December 9, 2019 10:07 AM
  • Hello Mario,

    Sorry for my late response. We already use RAMMap but could not find any error, and we were also in contact with our specialist team.

    best regards,

    Andreas

    Wednesday, December 11, 2019 10:47 AM
  • Hello Mark,

    many thanks for your response. Can you tell us when the new version will be available?

    best regards,

    Andreas


    Wednesday, December 11, 2019 10:51 AM
  • It's available now on https://live.sysinternals.com/

    HTH
    -mario

    Wednesday, December 11, 2019 8:45 PM