none
[Sysmon][10.42] No info about parent's image and cmd RRS feed

  • Question

  • We ran into a strange situation with the latest version of sysmon (10.42).

    Suddenly it stopped to send the info about parent's image name and command line for the event id = 1 (while parent's pid was still available).

    We observed it happened only for `svchost.exe` process and its parent `services.exe`.

    According to an end user he installed Hyper-V and make some NIC changes to the host OS. Before this change we were receiving correct info. After reboot of the host system the issue was fixed.

    I checked the hashes of both files, they were not changed.

    In Event Viewer it looks like this:

    ProcessGUID: {*all zeros*}

    ParentProcessId: 872

    ParentImage : ?

    ParentCommandLine: ?

    (sorry, cannot add an image without verification of my account)

    Tuesday, April 21, 2020 5:25 AM

All replies