Problem ejecting USB Mass storage device with Sysmon v11.0 (Resolved with v11.11)

  • Question

  • Greetings Sysmon Community!

    With deployment of Sysmon v11.0 in our environment, “thumbdrive” users receive warnings when ejecting a USB mass storage device after invoking the “safely remove and eject media” applet from the system tray.


    This warning started with Sysmon v11.0 and can be reproduced in v11.10, which is the latest version available at the time of this posting.  The problem occurs even when all Sysmon rules are configured to include nothing.

    For the time being, I have advised users to ignore this warning and to remove media when it is visually clear that all file copy operations have completed.  I have not heard of any cases of data loss.

    I imagine this issue will (and should) be backlogged until more pressing resource management issues are addressed.  My intent is simply to register the issue for awareness.

    Thank you for your support!

    • Edited by dstaulcu Saturday, July 18, 2020 3:19 PM Updated resolution status in title
    Friday, July 17, 2020 12:51 PM

All replies

  • After posting this I noticed that Sysmon v11.11 had been published.  I can no longer reproduce the problem with Sysmon v11.11 having all Sysmon rules configured to exclude nothing!

    • Edited by dstaulcu Saturday, July 18, 2020 3:22 PM
    Friday, July 17, 2020 1:02 PM
  • Hello

    Yes, this was a known issue caused by the FileDelete archiving feature holding a reference to the archive folder on the USB mass storage device. As you indicated, I resolved this in Sysmon 11.11.


    Monday, July 20, 2020 6:54 AM
  • Thanks for the confirmation.  Your efforts are noticed and appreciated!

    • Edited by dstaulcu Tuesday, July 21, 2020 2:53 PM
    Tuesday, July 21, 2020 2:04 PM