Sysmon: randomly missing processguid and image on some eventid (except 1)

  • Question

  • We found out that for eventid:[3, 11, 12, 13] on several deployments of Sysmon, we have processGUID set to 0 and, as a coherent result, `image: unknown process`.

    This is not always reproducible and looks to be linked with timing. We found some posts related to the same behavior but for ParentProcess, not the process itself, where the parent was stopped and the pid reassigned to another process. Could this be the same here? Is this a known issue? We were able to reproduce it with short-lived processes performing network communication, for example (but not in a stable manner either).

    We have this behavior for several versions of Sysmon, including the latest available to download.

    Best regards

    Monday, June 15, 2020 2:19 PM

All replies

  • Hello

    For Sysmon 11.10 we have resolved this issue with events generated by ETW (NetworkConnect and DNS). I am not aware of this issue on registry events or whether this has now been resolved by the 11.10 changes but once Sysmon 11.10 is available if you could confirm whether the issue still persists I can work with you to resolve it if necessary.

    Sysmon 11.10 was supposed to be published yesterday so I will chase Mark to see what is going on there. In the meantime if you would like a copy ahead of the publication ping me at syssite@microsoft.com and I can make this available to you.

    MarkC(MSFT)

    Friday, June 19, 2020 7:57 AM
  • Hi Mark,

    Thanks for the information. If it's a few days away, we can wait, no problem :)

    We'll try to reproduce the issue in a lab environment once available, but as I saw on another post, it was indeed linked to the load of the CPU, so not so easy to test.

    Best regards

    Monday, June 22, 2020 11:16 AM
  • Hi MarkC,

    FYI, I have had sysmon running on my MSFT workstation for the past 45 days. I am seeing a lot of "unknown process" for "Data Name of 'Image'" for sysmon event 3 (new network conn). I believe this is due to very short lived processes. Let me know if you need more info.

    first@DESKTOP:Debug$ grep "'Image'" sysmon3.txt | wc -l
    516351

    first@DESKTOP:Debug$ grep "unknown process" sysmon3.txt | wc -l
    81370

    Version info...

    System Monitor v12.0 - System activity monitor
    Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
    Sysinternals - www.sysinternals.com

    Sunday, November 29, 2020 11:12 PM
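As an added example that is not part of the thread and not Sysmon's own code, a defender-side triage script for the symptom discussed above: it parses Sysmon event XML, flags events 3/11/12/13 whose ProcessGuid is all zeros or whose Image is "unknown process", and tries to recover Image and ProcessGuid from the most recent Event 1 with the same PID within a short window, labelling every fill-in so analysts can tell recovered context from native context. The sample events, GUIDs, PIDs, paths and the 5-second window are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"  # what Sysmon writes when context is lost


def event_xml(event_id, utc_time, guid, pid, image):
    """Build a minimal Sysmon-style event; constructed for the demo, not captured telemetry."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System><EventData>'
            f'<Data Name="UtcTime">{utc_time}</Data><Data Name="ProcessGuid">{guid}</Data>'
            f'<Data Name="ProcessId">{pid}</Data><Data Name="Image">{image}</Data></EventData></Event>')


SAMPLE_EVENTS = [  # constructed: curl.exe starts, connects 250 ms later, then an unrelated orphan
    event_xml(1, "2020-06-15 14:19:00.100", "{aaaaaaaa-0001-5ee7-0000-000000000001}", "4321", "C:\\Tools\\curl.exe"),
    event_xml(3, "2020-06-15 14:19:00.350", NULL_GUID, "4321", "unknown process"),
    event_xml(3, "2020-06-15 14:19:09.000", NULL_GUID, "9999", "unknown process"),
]


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict; tags are matched by local name, so the namespace is irrelevant."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text
    return fields


def is_orphaned(ev):  # the symptom from the thread: zero GUID and/or "unknown process"
    return ev.get("ProcessGuid") == NULL_GUID or ev.get("Image") == "unknown process"


def enrich(events, window=timedelta(seconds=5)):
    """Recover Image/ProcessGuid for orphaned events from the latest Event 1 with the same PID."""
    # Heuristic: PIDs are reused (the thread's own suspicion), so keep the window short and label fills.
    latest_start = {}  # ProcessId -> (creation time, Event 1 fields); input assumed chronological
    out = []
    for ev in events:
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if ev["EventID"] == 1:
            latest_start[ev["ProcessId"]] = (t, ev)
        elif ev["EventID"] in {3, 11, 12, 13} and is_orphaned(ev):
            hit = latest_start.get(ev["ProcessId"])
            if hit and timedelta(0) <= t - hit[0] <= window:
                ev = dict(ev, Image=hit[1]["Image"], ProcessGuid=hit[1]["ProcessGuid"], Enriched="pid-correlation")
            else:
                ev = dict(ev, Enriched="unresolved")  # no creation event seen for this PID: worth a look
        out.append(ev)
    return out
```

Counting events with `Enriched == "unresolved"` gives the same kind of ratio as the grep counts in the post above, but split into recoverable and unrecoverable cases.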