Sysmon memory leak

    Question

  • I faced a bug in Sysmon (ver. 7.01 and 7.03) - Sysmon's driver (SysmonDrv.sys) consumes a new area in Nonpaged pool memory every time the configuration reloads, but the driver does not free the old area in Nonpaged pool memory. As a result, we can see a memory leak. I found this problem on my VM, which had only 4GB RAM and more than 180 days of uptime.

    I used this script to reproduce the bug:
    # Reload the Sysmon configuration roughly every 2 seconds for one hour,
    # so that the driver's per-reload Nonpaged pool allocation accumulates.
    $sleep = 0
    $ErrorActionPreference = "SilentlyContinue"
    $iterationPeriod = New-TimeSpan -Seconds 2      # target time per reload
    $scriptDuration = New-TimeSpan -Hours 1         # total run time
    $scriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
    while($scriptStopWatch.ElapsedMilliseconds -le $scriptDuration.TotalMilliseconds)
        {
        # Sleep only for whatever is left of the 2 s period after the previous reload
        if($sleep -gt 0){Start-Sleep -Milliseconds $sleep }
        $iterationStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
        # Reload the configuration (paths are those of this installation)
        Invoke-Expression 'C:\Windows\Sysmon64.exe -c "C:\Windows\SysmonConfig.xml"' |Out-Null
        $iterationStopWatch.Stop()
        $iterationTime = $iterationStopWatch.Elapsed
        $sleep = $iterationPeriod.TotalMilliseconds - $iterationTime.TotalMilliseconds
        }
    $scriptStopWatch.Stop()

    SysR is the Sysmon driver's pool tag; as you can see, it took 252313744 bytes (240 MB).

    Friday, June 1, 2018 6:49 AM
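Added example (not from the original poster or from Sysinternals): a PowerShell check that measures kernel Nonpaged pool before and after a batch of configuration reloads, so a defender can confirm the per-reload growth described above on a suspect build, or verify that a fixed build no longer shows it. The Sysmon and configuration paths are assumptions; run it from an elevated prompt.

```powershell
# Measure Nonpaged pool growth across repeated Sysmon configuration reloads.
# Assumed paths: adjust SysmonExe and Config to your own installation.
param(
    [string]$SysmonExe = 'C:\Windows\Sysmon64.exe',     # assumed path
    [string]$Config    = 'C:\Windows\SysmonConfig.xml', # assumed path
    [int]$Reloads      = 50,                            # number of reloads to drive
    [int]$SettleSeconds = 2                             # pause after each reload
)

function Get-NonpagedPoolBytes {
    # Kernel-wide Nonpaged pool in bytes; the SysR tag is one contributor to it.
    (Get-Counter -Counter '\Memory\Pool Nonpaged Bytes').CounterSamples[0].CookedValue
}

$baseline = Get-NonpagedPoolBytes
$samples  = @()

for ($i = 1; $i -le $Reloads; $i++) {
    # Each reload is where the driver allocates a fresh configuration area.
    & $SysmonExe -c $Config | Out-Null
    Start-Sleep -Seconds $SettleSeconds
    $samples += [pscustomobject]@{
        Reload     = $i
        NonpagedMB = [math]::Round((Get-NonpagedPoolBytes) / 1MB, 2)
    }
}

$growth      = (Get-NonpagedPoolBytes) - $baseline
$perReloadKB = [math]::Round($growth / $Reloads / 1KB, 1)

$samples | Format-Table -AutoSize
"Baseline: {0:N1} MB; after {1} reloads: {2:+0.0;-0.0} MB ({3} KB per reload)" -f `
    ($baseline / 1MB), $Reloads, ($growth / 1MB), $perReloadKB

# A healthy build settles back to roughly the baseline; steady growth that
# scales with the reload count points at the driver, so attribute it by pool
# tag (poolmon from the WDK) rather than by looking at the Sysmon process.
if ($growth -gt 10MB -and $perReloadKB -gt 0) {
    Write-Warning "Nonpaged pool grew with every reload; check the SysR tag with poolmon."
}
```

Growth that is unrelated to reloads will also show up in this counter, so compare against a run with the same duration but zero reloads before drawing a conclusion.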

Answers

  • This fix was included in the 8.04 release that I published yesterday. Thanks again for all your help in diagnosing and resolving the issue.

    MarkC(MSFT)

    • Marked as answer by Uncletimmy3 Thursday, December 20, 2018 8:23 AM
    Wednesday, December 19, 2018 5:11 PM

All replies

  • Seeing same - but even without updating the config. 250-300mb is normally hit within a day or two. Some systems we’ve seen 1GB+ from Sysmon...
    • Edited by ManD3vil Tuesday, July 10, 2018 7:57 PM
    Tuesday, July 10, 2018 7:56 PM
  • I sent a bug report to sysmonsupport@microsoft.com; Mark Cook answered that they fixed it and will publish a new version as soon as possible.

    Thanks Mark for your help!

    Friday, December 14, 2018 5:30 AM
  • For some system configurations, very high memory consumption by Sysmon is still a huge issue.
    In our case it is 4GB after 12 days of Sysmon uptime and rising. Please see the separate topic for details:
    "Sysmon 8.04 memory leakage problem"

    Wednesday, February 13, 2019 8:03 AM
  • Is this in the sysmon process or the system process?

    If it's the system process then please contact me offline at syssite@microsoft.com. If you are seeing this in the Sysmon process though we have resolved this in Sysmon Version 9.0. We spent a lot of time working with customers on this and I am confident that it will resolve your issue so please let me know if it fails to do so.

    MarkC (MSFT)

    Friday, March 1, 2019 6:23 PM