Sysmon 11.11 didn't start: Threw Exception

  • Question

  • Hi,

    I'm unable to use Sysmon in my system: Windows 7 Professional N x64 SP1 with the following hotfixes related to Sysmon:

    • Windows6.1-KB3033929-x64
    • Windows6.1-KB2533623-x64

    This is a VM used just for testing purposes so I currently have the UAC set at the lowest level and several services disabled (find all started services attached at the end of this post).

    Find below the message from the cmd prompt:

    C:\Users\test\Desktop\Sysmon>Sysmon64.exe -accepteula -i sysmonconfig.xml
    
    System Monitor v11.11 - System activity monitor
    Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com
    
    Loading configuration file with schema version 4.32
    Configuration file validated.
    Sysmon64 installed.
    SysmonDrv installed.
    Starting SysmonDrv.
    SysmonDrv started.
    Starting Sysmon64..
    Sysmon64 failed to start.
    Failed to start the service:
    This operation returned because the timeout period expired.
    
    Stopping SysmonDrv.
    SysmonDrv stopped.
    SysmonDrv removed.
    Stopping the service failed:
    The service has not been started.
    Sysmon64 removed.

    ...and below, the most informative event logged in the Windows event log:

    Faulting application name: Sysmon64.exe, version: 11.11.0.0, time stamp: 0x5f0db933
    Faulting module name: KERNELBASE.dll, version: 6.1.7601.17617, time stamp: 0x4dce2b0e
    Exception code: 0xc0000005
    Fault offset: 0x000000000000a292
    Faulting process id: 0x9d8
    Faulting application start time: 0x01d65b4b404571fb
    Faulting application path: C:\Windows\Sysmon64.exe
    Faulting module path: C:\Windows\system32\KERNELBASE.dll
    Report Id: 7e5f7c28-c73e-11ea-bf47-000666112233

    ...and this event:

    - Provider Name: Microsoft-Windows-Sysmon 
    - EventID 255
    - Channel Microsoft-Windows-Sysmon/Operational 
    - EventData 
      ID: CREATE_PIPE 
      Description: Unable to attach to \device\namedpipe 
    

    The following list shows the currently started services:

    Service name | Display name
    AeLookupSvc | Application Experience
    AudioEndpointBuilder | Windows Audio Endpoint Builder
    AudioSrv | Windows Audio
    BFE | Base Filtering Engine
    CryptSvc | Cryptographic Services
    DcomLaunch | DCOM Server Process Launcher
    Dhcp | DHCP Client
    Dnscache | DNS Client
    DPS | Diagnostic Policy Service
    eventlog | Windows Event Log
    EventSystem | COM+ Event System
    FontCache | Windows Font Cache Service
    gpsvc | Group Policy Client
    iphlpsvc | IP Helper
    LanmanServer | Server
    LanmanWorkstation | Workstation
    lmhosts | TCP/IP NetBIOS Helper
    MpsSvc | Windows Firewall
    Netman | Network Connections
    netprofm | Network List Service
    NlaSvc | Network Location Awareness
    nsi | Network Store Interface Service
    PcaSvc | Program Compatibility Assistant Service
    PlugPlay | Plug and Play
    Power | Power
    ProfSvc | User Profile Service
    RpcEptMapper | RPC Endpoint Mapper
    RpcSs | Remote Procedure Call (RPC)
    SamSs | Security Accounts Manager
    Schedule | Task Scheduler
    SENS | System Event Notification Service
    Spooler | Print Spooler
    SysMain | Superfetch
    TrkWks | Distributed Link Tracking Client
    UxSms | Desktop Window Manager Session Manager
    VGAuthService | VMware Alias Manager and Ticket Service
    VMTools | VMware Tools
    WdiServiceHost | Diagnostic Service Host
    WdiSystemHost | Diagnostic System Host
    WinDefend | Windows Defender
    Winmgmt | Windows Management Instrumentation
    wscsvc | Security Center

    Thanks in advance,

    Fanny

    Thursday, July 16, 2020 9:20 AM
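A triage script, added here and not part of the thread or of the Sysinternals tooling, that collects the same three pieces of evidence the post quotes (service state, Sysmon error event 255, the Application Error 1000 record) plus the WER dump folder, so a failed install can be reviewed without re-running it. It assumes the default service names Sysmon64 and SysmonDrv and an elevated PowerShell session on the affected host.

```powershell
# Added example: gather Sysmon start-failure evidence from a host (assumed defaults:
# service names Sysmon64/SysmonDrv, elevated session, PowerShell 2.0+ on Windows 7).
$Hours = 24
$since = (Get-Date).AddHours(-$Hours)

# 1. Service state. After a failed install Sysmon removes both services again,
#    so "not installed" is the expected state in the scenario from the post.
foreach ($name in 'Sysmon64', 'SysmonDrv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "{0,-10} {1}" -f $name, $svc.Status } else { "{0,-10} not installed" -f $name }
}

# 2. Sysmon's own error event (ID 255) in its Operational channel. The post shows
#    one with ID=CREATE_PIPE / "Unable to attach to \device\namedpipe".
$sysmonErrors = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 255; StartTime = $since
}
foreach ($e in $sysmonErrors) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    "{0}  Sysmon 255  ID={1}  {2}" -f $e.TimeCreated, $data['ID'], $data['Description']
}

# 3. Application Error (ID 1000) records for the Sysmon binary. Their property
#    order is: app name, app version, app timestamp, module name, module version,
#    module timestamp, exception code, fault offset, pid, start time, paths, report id.
$crashes = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} | Where-Object { $_.Message -match 'Sysmon' }
foreach ($c in $crashes) {
    $p = $c.Properties | ForEach-Object { $_.Value }
    "{0}  AppCrash  {1} {2}  module={3} {4}  exception={5}  offset={6}" -f `
        $c.TimeCreated, $p[0], $p[1], $p[3], $p[4], $p[6], $p[7]
}

# 4. WER local dumps for services running as LocalSystem land in the system profile.
$dumpDir = Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Local\CrashDumps'
if (Test-Path $dumpDir) {
    Get-ChildItem $dumpDir -Filter 'Sysmon*.dmp' | Select-Object Name, Length, LastWriteTime
} else {
    "No CrashDumps folder at $dumpDir (WER local dumps may not be enabled)"
}
```

An exception code of 0xc0000005 in KERNELBASE.dll, as in the post, is an access violation inside the user-mode service rather than a driver fault, which is why the dump file is the artifact worth collecting.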

All replies

  • Wow this was unexpected.

    Would you happen to have a dump file for this that you could share (it will probably be in the C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps folder)? If so, could you ping me offline at syssite@microsoft.com and I will arrange to collect it from you.

    MarkC(MSFT)

    Thursday, July 16, 2020 10:50 AM
  • Thanks for your quick response, Mark. I have a dump file and have sent you a mail to arrange this offline.
    Thursday, July 16, 2020 12:29 PM
  • Do we have any news about this?
    Wednesday, July 29, 2020 5:40 AM