Crash: Sysmon v13.00 + sysmonconfig-export.xml
BeanBagKing opened this issue
When running the latest version of sysmon in conjunction with the config file, the program crashes (e.g. "Sysmon.exe -accepteula -i sysmonconfig-export.xml"). However, when installing it without the config file, it seems to run fine (e.g. "Sysmon.exe -accepteula -i").
The message I receive is the following.
System activity monitor has stopped working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
[Debug] [Close program]
If I run Debug, I get a Visual Studio Just-In-Time Debugger window that informs me that "an unhandled win32 exception occurred in Sysmon.exe"
Unhandled exception at 0x00007FF7E9BB0D53 in Sysmon.exe: An invalid parameter was passed to a function that considers invalid parameters fatal.
I'm afraid I'm not very familiar with debugging, and I know the above probably isn't very useful, but I hope it helps.
I'm having the same issue, but only on Windows Server 2012 and 2016. I have not tried on 2019.
Windows 10 will load the config fine. I have not tried on Win7.
Sysmon 13 does install fine, but then loading the config, or installing directly with the config, crashes Sysmon. On applying the config, Sysmon does say the config is valid.
Issue solved with Sysmon 13.01
Issue seems to be resolved here. I'm not sure if this is the best place to ask, but I have two questions related to new Sysmon versions and this config that I'm hoping someone can answer.
- The current schema version in the config is 4.22, Sysmon is now at 4.5 I believe. Does this have any effect on the functionality of this script? Maybe a better way to ask that is, is 4.22 forward compatible with 4.5, or is 4.5 backwards compatible with 4.22? Outside of these specific versions, does this hold true for all future updates?
- If there is no configuration set for a particular event (e.g. "Event ID 25: ProcessTampering (Process image change)") in this configuration file, does it default to recording everything related to this event, or nothing related to this event? I would presume everything, but I wanted to make sure.
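A quick way to check both points before deploying a config is to read the `schemaversion` attribute and list which filterable event types the file does and does not contain. The script below is an added example, not code from this repository or from Sysinternals: it parses a constructed sample in the shape of sysmonconfig-export.xml (the `SAMPLE_CONFIG` string is made up for the demonstration, and a real file path can be passed as the first argument instead). The event-type-to-ID table is taken from the public Sysmon documentation up to event 25, and the "logs nothing / logs everything" wording for empty filters follows the documented meaning of an `include` or `exclude` filter with no rules (the Sysmon docs' own example disables process termination logging with an empty `<ProcessTerminate onmatch="include" />`). For event types that have no filter at all, the script only reports that Sysmon's built-in default applies; it does not try to guess what that default is.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of sysmonconfig-export.xml; not the real file.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">-encodedcommand</CommandLine>
        <ParentImage condition="image">winword.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="image">chrome.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTerminate onmatch="include" />
    </RuleGroup>
    <DriverLoad onmatch="exclude" />
  </EventFiltering>
</Sysmon>
"""

# Filterable event types and their event IDs, per the Sysmon documentation.
EVENT_TYPES = {
    "ProcessCreate": "1", "FileCreateTime": "2", "NetworkConnect": "3",
    "ProcessTerminate": "5", "DriverLoad": "6", "ImageLoad": "7",
    "CreateRemoteThread": "8", "RawAccessRead": "9", "ProcessAccess": "10",
    "FileCreate": "11", "RegistryEvent": "12-14", "FileCreateStreamHash": "15",
    "PipeEvent": "17-18", "WmiEvent": "19-21", "DnsQuery": "22",
    "FileDelete": "23", "ClipboardChange": "24", "ProcessTampering": "25",
}


def parse_filters(xml_text):
    """Return (schemaversion, {event_type: [(onmatch, rule_count), ...]}).

    Filter elements may sit directly under <EventFiltering> (older configs)
    or inside <RuleGroup> wrappers, so the whole subtree is walked.
    """
    root = ET.fromstring(xml_text)
    schema = root.get("schemaversion")
    filters = {}
    event_filtering = root.find("EventFiltering")
    if event_filtering is None:
        return schema, filters
    for elem in event_filtering.iter():
        if elem.tag in EVENT_TYPES:
            # Each child of a filter element is one rule (or a <Rule> group).
            entry = (elem.get("onmatch", "?"), len(list(elem)))
            filters.setdefault(elem.tag, []).append(entry)
    return schema, filters


def describe_entry(onmatch, rule_count):
    """Plain-language effect of one filter element (documented Sysmon semantics)."""
    if rule_count == 0:
        # Empty include matches nothing; empty exclude excludes nothing.
        return "logs nothing" if onmatch == "include" else "logs everything"
    return f"{onmatch}s events matching {rule_count} rule(s)"


def unconfigured_types(xml_text):
    """Event types with no filter element anywhere in the config."""
    _, filters = parse_filters(xml_text)
    return sorted(name for name in EVENT_TYPES if name not in filters)


def coverage_report(xml_text):
    """One line per event type: configured effect or 'no filter'."""
    schema, filters = parse_filters(xml_text)
    lines = [f"schemaversion {schema}"]
    for name, ids in EVENT_TYPES.items():
        if name in filters:
            for onmatch, count in filters[name]:
                lines.append(f"ID {ids:>5}  {name}: {describe_entry(onmatch, count)}")
        else:
            lines.append(f"ID {ids:>5}  {name}: no filter in config (Sysmon default applies)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python sysmon_coverage.py [path\to\sysmonconfig-export.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    print(coverage_report(text))
```

On the sample this reports `ProcessCreate` as an include with two rules, `NetworkConnect` as an exclude with one rule, `ProcessTerminate` as an empty include (logs nothing), `DriverLoad` as an empty exclude (logs everything), and every other type, `ProcessTampering` included, as having no filter at all; comparing the printed `schemaversion` with what the installed `Sysmon.exe` reports is the first thing to do when a config behaves differently after an upgrade.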
https://web.archive.org/web/20210729123029/http://download.sysinternals.com/files/sysmon.zip - v13.23 works fine. v13.33 and later crash on my WS2012R2.