Sysmon -u causes BSOD if HVCI is enabled by GPO

  • Question

  • Hi there

    Sysmon is causing a BSOD after uninstalling it when HVCI is activated (same behavior with version 11.11 and 12.01).

    This happens on Windows Server 2016 only (in our environment). Server 2019 does not have this problem.

    There is already a case opened with MS support (SR 120100822002773).

    Thanks for your answer.

    • Edited by wels Tuesday, November 17, 2020 9:00 AM
    Tuesday, November 17, 2020 8:59 AM

All replies

  • That's terrifying.
    Can you easily reproduce the problem?
    Have you tried narrowing the problem to a particular component of Sysmon? For instance, does the BSOD occur with Sysmon installed but with a config having no collection or only the default collection levels enabled?

    • Edited by dstaulcu Wednesday, November 18, 2020 2:55 PM
    Wednesday, November 18, 2020 2:42 PM
  • I've just installed Sysmon with no further config. After the reboot (after uninstalling Sysmon) it seems that the sysmon.drv cannot be deleted and after a few seconds causes the BSOD.

    As I said, the problem for now occurs only for Windows Server 2016. Server 2019 is not affected (with the same HVCI policy enabled). When I completely remove the HVCI policy (disable the policy and clean up the tattooed settings with the PowerShell script), there is no problem either.

    Friday, November 20, 2020 6:01 PM
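A diagnostic helper that fits both the narrowing-down that dstaulcu asks for and the "driver cannot be deleted" observation in wels's reply. It is added here as an example and was not posted by anyone in the thread. It snapshots the HVCI state, the Sysmon driver service and file, the tattooed Device Guard registry values and the pending-delete list, so a snapshot taken before `sysmon -u` and one taken after the reboot can be compared. Assumptions, labelled in the comments: the default driver name `SysmonDrv` (the name changes if Sysmon was installed with `-d`), the driver file at `%SystemRoot%\SysmonDrv.sys`, and the documented `Win32_DeviceGuard` codes (`VirtualizationBasedSecurityStatus` 2 = running, `SecurityServicesRunning`/`SecurityServicesConfigured` containing 2 = HVCI). The function and parameter names are this example's own.

```powershell
# Added example (not from the thread): capture the state that matters for the
# "sysmon -u + HVCI -> BSOD" report so it can be compared across a reboot.
# Run elevated, once before "sysmon -u" and once after the reboot.

function Get-SysmonHvciState {
    param(
        # Assumption: default Sysmon driver name; differs if "sysmon -d <name>" was used.
        [string]$DriverName = 'SysmonDrv'
    )

    # Win32_DeviceGuard is the documented WMI view of VBS/HVCI state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Driver service and the on-disk driver file (assumed path %SystemRoot%\<name>.sys).
    $svc        = Get-Service -Name $DriverName -ErrorAction SilentlyContinue
    $driverPath = Join-Path $env:SystemRoot "$DriverName.sys"

    # Files that could not be deleted while in use are queued here for the next boot.
    $smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $pendingDriver = [bool]($pending | Where-Object { $_ -like "*$DriverName.sys*" })

    # GPO-delivered policy versus the tattooed values the cleanup script removes.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $sysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty -Path $sysKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Timestamp            = Get-Date
        OsCaption            = $os.Caption
        OsBuild              = $os.BuildNumber
        VbsStatus            = $dg.VirtualizationBasedSecurityStatus        # 2 = running
        HvciConfigured       = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning          = [bool]($dg.SecurityServicesRunning -contains 2)
        PolicyHvciValue      = $pol.HypervisorEnforcedCodeIntegrity         # $null = no policy key
        TattooedVbsValue     = $sys.EnableVirtualizationBasedSecurity
        TattooedHvciValue    = $sys.HypervisorEnforcedCodeIntegrity
        DriverServicePresent = [bool]$svc
        DriverServiceStatus  = if ($svc) { [string]$svc.Status } else { 'absent' }
        DriverFilePresent    = Test-Path -Path $driverPath
        DriverDeletePending  = $pendingDriver
    }
}

function Compare-SysmonHvciState {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Report only the properties that changed between the two snapshots.
    foreach ($p in $Before.PSObject.Properties.Name) {
        if ($p -eq 'Timestamp') { continue }
        if ("$($Before.$p)" -ne "$($After.$p)") {
            [pscustomobject]@{ Property = $p; Before = $Before.$p; After = $After.$p }
        }
    }
}

# Usage:
#   $before = Get-SysmonHvciState; $before | Export-Clixml C:\temp\sysmon-before.xml
#   sysmon -u ; Restart-Computer
#   $after = Get-SysmonHvciState
#   Compare-SysmonHvciState -Before (Import-Clixml C:\temp\sysmon-before.xml) -After $after
```

The interesting output for this report is `DriverFilePresent`, `DriverDeletePending` and `DriverServiceStatus` after the reboot: a driver file that survives with a queued delete while `HvciRunning` is true matches the "cannot be deleted" symptom and is the kind of before/after detail a support case or a bugcheck analysis benefits from. Comparing the same two snapshots on a Server 2019 host, where the thread reports no crash, isolates whether the difference is the OS build or the tattooed values.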