Possible Sysmon Bug On Windows 7 & Windows Server 2008 R2


  • Hi,

    We believe we have encountered a bug in Sysmon on Windows 7 & Windows Server 2008 R2.

    When using ImageLoad filters to log loading of dlls, Sysmon logs thousands of repetitive ImageLoad events per second where the Loaded Image or Image (loading image) fields contain sysmon.exe.

    The outcome of this is very high cpu usage which renders the machine unusable until sysmon is deactivated or configuration is updated to exclude sysmon.exe related ImageLoad events.

    We have seen people discuss this issue since sysmon 2.0 (

    Hoping to get some information about where this issue originated from and how to solve it.


    Sunday, November 18, 2018 1:48 PM

All replies

  • Hello

    could you contact me offline at and I will try to help you figure out what is going on.

    MarkC (MSFT)

    Thursday, November 29, 2018 1:22 AM
  • Hello

    we have recently found and resolved this. We will be publishing an update shortly but in the interim anybody who is experiencing this or related issue (significant performance degradation, excessive memory consumption handle leaks etc)  can contact me offline at and I can provide them with a copy.


    MarkC (MSFT)

    • Edited by markc(msft) Saturday, December 1, 2018 5:21 PM
    Saturday, December 1, 2018 5:21 PM
  • The updated version is now available on our livesite at 


    Friday, December 7, 2018 6:58 PM