Sysmon Error EventID 255: GetConfigurationOptions and IMAGE_LOAD

  • Question

  • Good afternoon,

    since I updated Sysmon from v7.3 to v10.41, I have been getting a lot of Sysmon errors with EventID 255.

    They look like:

    {"ID":"GetConfigurationOptions","Description":"Failed to open service configuration with error 19","UtcTime":"2020-01-09 20:02:44.459"}
    {"UtcTime":"2020-01-10 02:58:34.422","ID":"IMAGE_LOAD","Description":"Failed to find process image name"}

    As far as I can tell, it seemingly occurs while the Windows system is loading, and lots of the same errors are recorded in the Event Log at once (in my case I saw 359 events in a row). But there may be other moments when it happens as well.

    I checked the Sysmon configuration file; everything is OK with it, as it works without any errors on some hosts.

    It's worth noting that events from Sysmon still arrive, and CPU and memory utilization are fine.

    I have no clue why I get these errors or what the side effects are.

    I also checked the service and driver states; they are running with no errors.

    It'd be nice if anyone could help me! Thanks!

    Friday, January 10, 2020 5:42 AM
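An added example, not part of the original post: before guessing at a cause, pull the Event ID 255 records out of the Sysmon operational log and summarise them by error ID, by description, and by distance from the current boot, which confirms or refutes the "burst at boot" observation above. It assumes the default log name `Microsoft-Windows-Sysmon/Operational` and that event 255 carries the EventData fields `UtcTime`, `ID` and `Description` (the same three keys shown in the posted records); both are assumptions, not something the thread states.

```powershell
# Added example (not from the thread): triage Sysmon Event ID 255 records.
# Assumptions: the default log name below, and that event 255 carries the
# EventData fields UtcTime, ID and Description (the three keys the original
# post shows). Run from an elevated PowerShell session.

$LogName  = 'Microsoft-Windows-Sysmon/Operational'
$LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# Read the structured EventData instead of scraping the rendered message,
# so parsing does not depend on the display language or message layout.
$errors = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 255 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated      = $_.TimeCreated
            ErrorId          = $d['ID']
            Description      = $d['Description']
            SecondsAfterBoot = [math]::Round(($_.TimeCreated - $LastBoot).TotalSeconds)
        }
    }

if (-not $errors) { Write-Host "No Event ID 255 records in $LogName"; return }

# 1. How many of each error ID, and the first/last time each was seen.
$errors | Group-Object ErrorId | ForEach-Object {
    $sorted = $_.Group | Sort-Object TimeCreated
    [pscustomobject]@{
        ErrorId = $_.Name
        Count   = $_.Count
        First   = ($sorted | Select-Object -First 1).TimeCreated
        Last    = ($sorted | Select-Object -Last 1).TimeCreated
    }
} | Format-Table -AutoSize

# 2. Is it a boot-time burst? Bucket records relative to the current boot.
$errors | Group-Object {
    if ($_.SecondsAfterBoot -lt 0)       { 'before current boot' }
    elseif ($_.SecondsAfterBoot -le 300) { 'first 5 min after boot' }
    else                                 { 'later' }
} | Select-Object Name, Count | Format-Table -AutoSize

# 3. Distinct descriptions, most frequent first; this is where the
#    "error 19"-style codes from the service-configuration failure show up.
$errors | Group-Object Description | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap
```

If every record lands in the "first 5 min after boot" bucket, the problem is a load-order race rather than a steady-state fault, which is what the rest of the thread goes on to investigate.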

All replies

  • In the latest version, 10.42, you can issue a command to export all the schema versions:

    sysmon -s all > c:\temp\schema.txt

    Doing this you will get a list of all the schemas available. The latest is 4.23.

    I would start by implementing Sysmon 10.42 with the latest schema and see if it changes something in your case.

    So, uninstall Sysmon and then clean up the Windows folder of the Sysmon exe and sys, just in case they are left over. Then start using Sysmon 10.42 and change the config file accordingly to the latest schema, 4.23.

    Honestly I wouldn't know what else you could do to troubleshoot this. If the OS is a supported one, and you are running on a supported platform (Hyper-V, VMware), unless you are having a conflict with some other device driver, I would start from scratch with the latest version.

    Try running the command FLTMC

    C:\Windows>fltmc

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    bindflt                                 1       409800         0
    CldFlt                                  2       409500         0
    FsDepends                               7       407000         0
    SysmonDrv                               8       385201         0
    PROCMON24                               1       385200         0
    WdFilter                                8       328010         0
    storqosflt                              0       244000         0
    wcifs                                   2       189900         0
    WIMMount                                6       180700         0
    FileCrypt                               0       141100         0
    luafv                                   1       135000         0
    npsvctrig                               1        46000         0
    Wof                                     6        40700         0
    FileInfo                                8        40500         0

    And see what drivers are loaded in your system higher than Sysmon.

    HTH
    -mario

    Friday, January 10, 2020 8:20 AM
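The "look at what sits above Sysmon in fltmc" check from the reply above, as an added example that is not part of the original post: it parses `fltmc filters` output by row shape rather than by header text (so it works on the Italian output in this thread as well as on English systems), finds the Sysmon minifilter, and returns every minifilter registered at a higher altitude plus any legacy filters, which report no altitude at all. It assumes the Sysmon filter name starts with `Sysmon` (the thread shows both `SysmonDrv` and `SysmonDriver`); the sample lines at the bottom are constructed from the outputs quoted in this thread.

```powershell
# Added example, not from the thread: list the filters registered above Sysmon.
# Assumes the Sysmon filter name starts with "Sysmon" (the thread shows both
# SysmonDrv and SysmonDriver). Run elevated; fltmc needs administrator rights.

function Get-FiltersAboveSysmon {
    param(
        # Lines of "fltmc filters" output. Defaults to running it on this host;
        # pass captured text to analyse another machine's output offline.
        [string[]]$FltmcOutput = (& fltmc.exe filters 2>&1)
    )

    # Match data rows by shape rather than by header text, so the parser works
    # regardless of the OS display language (the post's output is Italian).
    $rows = foreach ($line in $FltmcOutput) {
        $t = "$line".Trim()
        if ($t -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)$') {
            [pscustomobject]@{
                Name = $Matches[1]; Instances = [int]$Matches[2]
                Altitude = [decimal]$Matches[3]; Frame = [int]$Matches[4]
            }
        } elseif ($t -match '^(\S+)\s+<Legacy>$') {
            # Legacy (non-minifilter) file system filters report no altitude.
            [pscustomobject]@{ Name = $Matches[1]; Instances = $null; Altitude = $null; Frame = '<Legacy>' }
        }
    }

    $sysmon = $rows | Where-Object { $_.Name -like 'Sysmon*' } | Select-Object -First 1
    if (-not $sysmon) { throw 'No Sysmon minifilter found in fltmc output' }

    [pscustomobject]@{
        Sysmon = $sysmon
        Above  = @($rows | Where-Object { $null -ne $_.Altitude -and $_.Altitude -gt $sysmon.Altitude } |
                     Sort-Object Altitude -Descending)
        Legacy = @($rows | Where-Object { $_.Frame -eq '<Legacy>' })
    }
}

# Constructed sample, assembled from the two fltmc outputs quoted in this thread.
$sample = @(
    'Filter Name                     Num Instances    Altitude    Frame'
    '------------------------------  -------------  ------------  -----'
    'bindflt                                 1       409800         0'
    'DGMaster                                                      <Legacy>'
    'CldFlt                                  2       409500         0'
    'SysmonDrv                               8       385201         0'
    'WdFilter                                8       328010         0'
)

$r = Get-FiltersAboveSysmon -FltmcOutput $sample
"Sysmon filter: {0} at altitude {1}" -f $r.Sysmon.Name, $r.Sysmon.Altitude
"Minifilters above Sysmon:";      $r.Above  | Format-Table Name, Altitude, Instances -AutoSize
"Legacy filters (no altitude):";  $r.Legacy | Format-Table Name -AutoSize

# To check the local host instead of the sample, call it without arguments:
# Get-FiltersAboveSysmon
```

Legacy filters are listed separately on purpose: they attach to the file system stack outside the Filter Manager altitude scheme, so an altitude comparison says nothing about where they sit relative to Sysmon, and a legacy entry such as the DLP driver later in this thread is worth examining on its own.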
  • GetConfigurationOptions Error

    Unfortunately it's almost impossible for me to update Sysmon to version 10.42 right now because there are lots of hosts with Sysmon 10.41 installed, but I'll check whether upgrading to 10.42 helps on one of the hosts where this problem persists.

    Does this error mean that I have some mistakes in my Sysmon configuration file, or something else? If so, why does Sysmon work fine but still log this error?

    IMAGE_LOAD Error

    I've issued the FLTMC command on some hosts where this problem happens, and it turns out that there is a DLP agent driver above the Sysmon one on each of them. So that means there is a conflict between the Sysmon and DLP drivers at boot time, right?

    How can I get more information about that and continue to troubleshoot it?

    Is there any way to confirm that this issue is not critical and won't lead to problems over time?

    The most interesting thing for me personally is that Sysmon keeps logging all required events in the Event Log regardless of those errors. But how do they affect the host's operation itself?

    The FLTMC command output:

    Filter Name                     Num Instances    Altitude    Frame
    ------------------------------  -------------  ------------  -----
    bindflt                                 1       409800         1
    DGMaster                                                      <Legacy>
    SysmonDriver                            5       385201         0

    ...

    Friday, January 10, 2020 6:14 PM
  • The latest version has corrected a lot of memory issues in Sysmon, so it's probably worth a try at least on a couple of servers where you are experiencing the problems.

    For the DLP issue, I would just use Autoruns to disable that driver and reboot.

    If that solves the problem, that's it. Try it at least on one server that you can reboot without causing trouble to users.

    HTH
    -mario

    Friday, January 10, 2020 8:10 PM
  • Ok, I've updated Sysmon to 10.42 on one host, but those errors remain, both IMAGE_LOAD and GetConfigurationOptions. I switched the schema version to 4.23 as well. It didn't help.

    I noticed that if I take EventID 7: Image Loaded out of my configuration file, the IMAGE_LOAD error disappears. After I found that, I tried to tune this event, but none of the rules/conditions I applied changed anything.

    The GetConfigurationOptions error shows up sometimes after I reboot my host, but not always. No idea why this happens...

    Any idea what I can do next to solve these issues?

    Thank you!

    Monday, January 13, 2020 10:44 AM
  • Hello

    Could you contact me offline at syssite@microsoft.com with a copy of your configuration file, and I will take a look at this for you.

    MarkC(MSFT)

    Tuesday, January 14, 2020 11:50 AM
  • Hello

    Just following up on this. We were unable to reproduce it using your config and I was wondering whether you are still seeing this and if so whether or not you have observed any patterns or are able to reproduce it reliably?

    MarkC(MSFT)

    Friday, June 19, 2020 7:46 AM