Sysmon 10.41 installation issue

  • Question

  • I am trying to install on Win 7 64-bit but I keep getting the following errors:

    Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    I have even tried on a fresh Win 7 installation.

    On some machines I am getting an additional error:

    "error getting the evt dll (wevtapi.dll) : 87"


    Thursday, November 7, 2019 3:14 AM

Answers

  • The digital signature issue has been resolved by simply/only installing update KB3033929 (at least on one machine I currently have access to).

    However,

    "error getting the evt dll (wevtapi.dll) : 87"

    still remains.


    • Edited by SaroshAftab Tuesday, November 12, 2019 8:31 AM
    • Marked as answer by SaroshAftab Saturday, November 16, 2019 9:31 AM
    Tuesday, November 12, 2019 8:30 AM
  • Can you tell me if this is fully patched?

    For the certificate issue, as per https://docs.microsoft.com/en-gb/sysinternals/announce/sha1deprecation for the last couple of releases we have no longer been dual signing with SHA1 signatures as these have been deprecated across the whole of Microsoft. You will need to install the downstream support for SHA256 on Windows 7 as per the linked document.

    The DLL load problem could be related to our use of the LOAD_LIBRARY_SEARCH_SYSTEM32 flag which we have started to use to mitigate DLL side loading attacks. As per https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexa, this value requires KB2533623 to be installed.

    If you are still experiencing this on a fully patched Windows 7 machine please contact me offline at syssite@microsoft.com and I will help you resolve it.

    MarkC(MSFT)

    • Marked as answer by SaroshAftab Saturday, November 16, 2019 9:31 AM
    Tuesday, November 12, 2019 3:33 PM
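    An added pre-flight check, not from the thread or the Sysinternals team, that tests a Windows 7 machine for the two prerequisites Mark names before running the Sysmon installer, and decodes error 87 the way mario's post does. It assumes sysmon.exe sits in the current directory; adjust $SysmonPath otherwise.

```powershell
# Added example: pre-flight check for the Windows 7 prerequisites discussed in this thread.
# Assumption: sysmon.exe is in the current directory (change $SysmonPath if not).
$SysmonPath = Join-Path $PWD 'sysmon.exe'

# KB3033929 adds SHA-256 Authenticode support (fixes "cannot verify the digital signature");
# KB2533623 adds the LOAD_LIBRARY_SEARCH_* flags to LoadLibraryEx, which Sysmon now uses
# to block DLL side-loading (without it the call fails with ERROR_INVALID_PARAMETER, 87).
$Required = @{
    'KB3033929' = 'SHA-256 code-signing support (driver signature error)'
    'KB2533623' = 'LOAD_LIBRARY_SEARCH_SYSTEM32 support (wevtapi.dll error 87)'
}

# Get-HotFix reads the installed-update list (Win32_QuickFixEngineering).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $Required.Keys) {
    if ($installed -contains $kb) {
        Write-Output "OK       $kb present - $($Required[$kb])"
    } else {
        Write-Warning "MISSING  $kb - $($Required[$kb])"
    }
}

# Authenticode check of the installer itself. On an unpatched Win 7 the status is not
# 'Valid' because the binary carries only a SHA-256 signature, as Mark explains.
if (Test-Path $SysmonPath) {
    $sig = Get-AuthenticodeSignature -FilePath $SysmonPath
    Write-Output ("Signature status for {0}: {1}" -f $SysmonPath, $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Output ("  Signer: {0}" -f $sig.SignerCertificate.Subject)
        Write-Output ("  Hash algorithm: {0}" -f $sig.SignerCertificate.SignatureAlgorithm.FriendlyName)
    }
} else {
    Write-Warning "sysmon.exe not found at $SysmonPath"
}

# Decode the Win32 error from the thread (87) to its message, as in mario's err.exe lookup.
$win32 = New-Object System.ComponentModel.Win32Exception(87)
Write-Output ("Win32 error 87: {0}" -f $win32.Message)
```

    Get-HotFix reports updates by the package ID they were installed under, so a KB delivered inside a later rollup can show up under the rollup's number; treat a MISSING result as a prompt to check, not as proof the fix is absent.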
  • Machine is not patched. KB2533623 resolved the wevtapi.dll issue, whereas KB3033929 resolved the digital signature issue.

    Thanks MarkC(MSFT) & mario

    • Marked as answer by SaroshAftab Saturday, November 16, 2019 9:32 AM
    Saturday, November 16, 2019 9:31 AM

All replies

  • I would start by updating the certificate chain root of that Windows 7 machine:

    https://support.microsoft.com/en-us/help/2677070/an-automatic-updater-of-untrusted-certificates-is-available-for-window

    For the Event Viewer, error 87 means:

    # as an HRESULT: Severity: SUCCESS (0), FACILITY_NULL (0x0), Code 0x57
    # for decimal 87 / hex 0x57
      ERROR_INVALID_PARAMETER                                        winerror.h
    # The parameter is incorrect.

    But I would give priority to the update of the certificate chain.

    HTH
    -mario

    Thursday, November 7, 2019 7:50 AM
  • The KBs for Win 7 are no longer available.

    The error screenshot is at https://ibb.co/1RCCj1Q

    Here are screenshots of the certificates that I have resolved:

    https://ibb.co/58w3zpS
    https://ibb.co/DGT9H5f

    Thanks for the help.

    Friday, November 8, 2019 2:31 PM
  • Both the driver and the service are installed in the C:\Windows folder. Unless you have an older version of Sysmon there which now has a problem with the certificate, I cannot think of anything else if you have solved the problem with the certificates.

    So, look in the Windows folder for an old version of Sysmon, then try again while logging with Process Monitor, and if you still have trouble, share the Procmon trace without any filter.

    Thanks

    -mario


    • Edited by mariora_ Friday, November 8, 2019 4:26 PM grammar
    Friday, November 8, 2019 4:25 PM
  • Please capture a Process Monitor trace without any filter and share it.

    Thanks
    -mario

    Tuesday, November 12, 2019 8:51 AM