Sysmon does not write logs

  • Question

  • Some Sysmon agents on Windows 10 and Windows 7 do not write logs, and the Sysmon service's control buttons are greyed out while the status is Running. I checked the Sysmon event log and its size was 0 bytes.

    Wednesday, July 10, 2019 1:20 AM

All replies

  • This generally means that during setup something blocked the installation process and now there is a mess on your PCs.

    Try uninstalling and reinstalling, but before doing this, please stop the antivirus temporarily.


    Wednesday, July 10, 2019 7:25 AM
  • Yes, we see this sometimes if the service is running but the driver is not.

    Could you try running sc query sysmondrv from an elevated command prompt to see whether the driver is active?

    The most common reason for getting into this state is when you run the installation from a directory under c:\windows. This is on the list to fix for the next release.

    MarkC (MSFT)

    Thursday, July 11, 2019 1:39 PM
  • The sysmondrv status was "Running" and I installed from the path C:\Program Files\Duran. I disabled the protection software, but it did not help.
    Tuesday, July 16, 2019 3:52 AM
  • Did you ever try to take a procmon trace while running sysmon -i?

    You will see that the first sysmon instance will create a new instance in the temp folder, running in the bitness detected from the first instance. This second instance will create the service in c:\windows and will start that to install the service, then will configure the event log using wevtutil, applying an evt template from the temp folder, and finally will create the driver in c:\windows and will create the registry entries for the driver and the rules from the config file if you pass one.

    sysmon  -i "C:\Sysmon\config.xml"

    C:\Users\Mario\AppData\Local\Temp\Sysmon.exe  -i "C:\Sysmon\config.xml"

    "C:\WINDOWS\Sysmon.exe" -nologo -accepteula -m

    "C:\WINDOWS\system32\wevtutil.exe" im "C:\Users\Mario\AppData\Local\Temp\MAN332F.tmp"

    Bottom line, at the end you will find two files

    And a bunch of registry keys under  

    In any case, you must be administrator to run setup, but it is not important from where you start it because in any case the binaries will end up in the Windows folder.

    So, please, uninstall Sysmon using the command line Sysmon -u. This will correctly remove the event log.

    If, by any chance, you have a look at the Windows folder and the files are still present, delete them using Movefile and then reboot, then clean the registry entries, and try again.

    At the end check that the files are present where they need to be and the registry entries are created correctly.



    Tuesday, July 16, 2019 7:41 AM
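
The checks discussed in this thread (service state, driver state as with sc query sysmondrv, and whether the event log is actually receiving records), gathered into one script as an added example that is not part of any reply above. The service names Sysmon/Sysmon64 and the channel name Microsoft-Windows-Sysmon/Operational are assumed defaults, and the binary paths are read from the service entries rather than hard-coded.

```powershell
# Added triage example, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: service 'Sysmon' or 'Sysmon64', driver 'SysmonDrv', default channel name.
# Adjust these if the service or driver was renamed at install time.
$serviceNames = 'Sysmon', 'Sysmon64'
$driverName   = 'SysmonDrv'
$channel      = 'Microsoft-Windows-Sysmon/Operational'

function Test-Binary($path) {
    # Report whether the binary registered for a service/driver is on disk.
    if ($path) { "$path (exists: $(Test-Path -LiteralPath $path))" } else { 'n/a' }
}

function Get-SysmonHealth {
    $filter = ($serviceNames | ForEach-Object { "Name='$_'" }) -join ' OR '
    $svc = Get-CimInstance Win32_Service -Filter $filter | Select-Object -First 1
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$driverName'"
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue

    # Strip quotes/arguments from the service path and the \??\ prefix from the driver path.
    $svcExe = if ($svc) { ($svc.PathName -replace '"', '') -replace '(\.exe).*$', '$1' }
    $drvSys = if ($drv) { $drv.PathName -replace '^\\\?\?\\', '' }

    [pscustomobject]@{
        ServiceState  = if ($svc) { $svc.State } else { 'missing' }
        DriverState   = if ($drv) { $drv.State } else { 'missing' }
        ServiceBinary = Test-Binary $svcExe
        DriverBinary  = Test-Binary $drvSys
        LogRegistered = [bool]$log
        LogEnabled    = $log.IsEnabled
        LogRecords    = $log.RecordCount
        LogBytes      = $log.FileSize
        LogLastWrite  = $log.LastWriteTime
    }
}

$h = Get-SysmonHealth
$h | Format-List
if ($h.ServiceState -eq 'Running' -and $h.DriverState -ne 'Running') {
    'Service is running but the driver is not (the state described in the replies above).'
} elseif ($h.ServiceState -eq 'Running' -and -not $h.LogRecords) {
    'Service and driver are running but the channel holds no records; check the event log registration step.'
}
```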