Sysmon v8.0 driver failure

    Question

  • Good afternoon,

    I recently started doing some testing with Sysmon V8.0 schema 4.10 and started noticing some driver issues every time I try to update the config. Additionally, I started noticing the service stops abruptly; once I restart the service, it will stop again.

    My testing machine is a Lenovo T450s 64 bit running Windows 10.

    Sysmon is installed and I'm currently seeing logs in my SIEM and event viewer:

    C:\>sysmon -c -n
    
    
    System Monitor v8.00 - System activity monitor
    Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com
    
    Error: Sysmon is not installed.
    Configuration updated.


    Updating the config:

    C:\>sysmon -c sysmon_config\sysmon_config_v8.xml
    
    
    System Monitor v8.00 - System activity monitor
    Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com
    
    Loading configuration file with schema version 4.10
    Configuration file validated.
    Error: Sysmon is not installed.
    Configuration updated.

    The logs show the config was updated:

    Sysmon config state changed:
    UtcTime: 2018-08-29 18:41:06.769
    Configuration: C:\sysmon_config\sysmon_config_v8.xml
    ConfigurationFileHash: SHA1=12288C41544A375E3BA13ACF751D402910FB752D

    Checking the service is running:

    C:\>sc query sysmon
    
    SERVICE_NAME: sysmon
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    I'm also seeing this error at reboot:

    Error report:
    UtcTime: 2018-08-29 18:35:25.008
    ID: ConfigMonitorThread
    Description: Failed to send message to the driver to update configuration - Last error: The system cannot find the file specified.

    Any help is greatly appreciated, thank you!


    • Edited by r33s Wednesday, August 29, 2018 7:00 PM
    Wednesday, August 29, 2018 6:58 PM

Answers

  • Yes there are known issues when running sysmon from c:\windows. So while we work through this issue let's avoid doing that.

    The error you are seeing indicates a failure for the process to open a handle to the driver. It looks like the only reason why the driver would reject this request is if the user running the command doesn't have the SeDebugPrivilege privilege. This would not prevent events from being logged because the sysmon service runs under the local system account.

    Seems unlikely if you're running from an administrator account but worth eliminating the obvious first so could you download AccessChk from https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk and run the following command:

    accesschk64.exe accountname -a * | findstr /i debug

    If it doesn't list SeDebugPrivilege then that's the issue.

    Assuming that your privileges are OK it may be that something has caused the driver to stop responding to open requests. Could you try completely uninstalling sysmon by running the sysmon -u command then re-running sc query sysmondrv and confirming that the driver is no longer installed.

    Once satisfied that neither the driver nor the service is installed, could you confirm that both sysmon.exe and sysmondrv.sys were removed from the c:\windows folder.

    Finally could you reinstall sysmon using the sysmon -i config.xml command and confirm whether or not this worked?

    • Marked as answer by r33s Tuesday, September 11, 2018 5:01 PM
    Wednesday, August 29, 2018 11:39 PM
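The checks MarkC walks through above (privilege on the calling token, state of the Sysmon service and the SysmonDrv kernel driver, leftover binaries in %windir%, and the Sysmon error-report events) collected into one elevated PowerShell script. This is an added example, not code from the thread or from Sysinternals; it assumes the default service names "Sysmon" and "SysmonDrv", the default %windir% install location, and that Sysmon event ID 255 is the "Error report" record and ID 16 the "config state changed" record.

```powershell
# Added diagnostic script (not from the thread). Run from an elevated prompt:
# a non-elevated admin token is filtered by UAC and will not show SeDebugPrivilege.

function Test-SeDebugPrivilege {
    # whoami /priv lists every privilege on the current token (enabled or not);
    # sysmon.exe needs SeDebugPrivilege present to open a handle to the driver.
    $match = whoami /priv | Select-String -Pattern '^SeDebugPrivilege'
    return [bool]$match
}

function Get-SysmonComponentState {
    # The user-mode service shows up in Get-Service; the kernel driver does not,
    # so query Win32_SystemDriver for it (equivalent of "sc query sysmondrv").
    $svc = Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        DriverState  = if ($drv) { $drv.State } else { 'NotInstalled' }
        DriverPath   = if ($drv) { $drv.PathName } else { $null }
    }
}

function Get-SysmonLeftoverFiles {
    # After "sysmon -u" these binaries should be gone from %windir%; anything
    # still present points at the incomplete-uninstall state MarkC asks to rule out.
    'Sysmon.exe', 'Sysmon64.exe', 'SysmonDrv.sys' |
        ForEach-Object { Join-Path $env:windir $_ } |
        Where-Object { Test-Path $_ }
}

function Get-SysmonErrorReports {
    param([int]$Last = 5)
    # ID 255 = "Error report" (e.g. ConfigMonitorThread failing to reach the driver),
    # ID 16 = "Sysmon config state changed" (assumed event IDs, see lead-in).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 255, 16
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

"SeDebugPrivilege present : $(Test-SeDebugPrivilege)"
Get-SysmonComponentState | Format-List
"Leftover binaries in $env:windir : $((Get-SysmonLeftoverFiles) -join ', ')"
Get-SysmonErrorReports | Format-Table -AutoSize -Wrap
```

A healthy install shows SeDebugPrivilege present, both components Running, and no ID 255 events; a service that is Running while the driver reports NotInstalled or the binaries linger after "sysmon -u" is the bad-state case discussed above.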

All replies

  • Sounds like perhaps the driver is in a bad state. I'm wondering whether it failed to unload during the refresh.

    In addition to the sc query sysmon, could you also run sc query sysmondrv and let me know what the results of that were?

    Cheers

    MarkC (MSFT)

    Wednesday, August 29, 2018 9:23 PM
  • MarkC, thank you for your reply.

    C:\>sysmon -c -n
    
    
    System Monitor v8.00 - System activity monitor
    Copyright (C) 2014-2018 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com
    
    Error: Sysmon is not installed.
    Configuration updated.

    Double checking the service is still running, which it is:

    C:\>sc query sysmon
    
    SERVICE_NAME: sysmon
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    And the driver also looks like it's running:

    C:\>sc query sysmondrv
    
    SERVICE_NAME: sysmondrv
            TYPE               : 1  KERNEL_DRIVER
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0



    Wednesday, August 29, 2018 10:16 PM
  • I also found this post:

    https://social.technet.microsoft.com/Forums/en-US/af1b0145-1bf2-40ec-990c-3e30dd085c21/sysmon-filter-driver-deployment-bug?forum=miscutils

    I tried deploying Sysmon from various locations and same error.

    Wednesday, August 29, 2018 10:17 PM
  • Markc,

    Thank you for your response, this solved my issue!!!!

    Do you have any further recommendations on how SeDebugPrivilege should be implemented?

    For reference: https://answers.splunk.com/answers/624762/how-to-load-vulnerability-data-from-tenable-securi.html


    Monday, September 10, 2018 11:51 PM
  • Glad it helped.

    How you configure this depends on your environment but the default is to assign this to members of the local administrators group only. If you open the local security policy on your machine (run\secpol.msc) and browse to Local Policies\User Rights Assignment you will see something similar to the following...

    Double clicking on the "Debug Programs" option will let you add groups or users.

    Alternatively you can configure this via group policy. For more information see https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment

    MarkC(MSFT)

    Tuesday, September 11, 2018 12:16 AM
  • Hi,

    Could you elaborate a little about the known issues when running sysmon from c:\windows?

    I have been doing it for a while now and it might be related to other issues I have encountered.

    Regards

    Boaz

    Sunday, December 23, 2018 2:52 PM