Event ID 1 stops logging, Sysmon 6.00/6.01

username872
Joined: 14 March 2017
Location: Philadelphia PA
Posted: 14 March 2017 at 10:02pm
Hello,

We recently began piloting a large expansion of Sysmon and are testing v6.00 and now 6.01 (to see if it fixed the issue), coming from v3.10.

We are testing against both Windows 7 and Windows 10 and recently noticed an issue on Windows 7 workstations.  We are first removing Sysmon 3.10 as well as ensuring the Sysmon.exe and sysmondrv.sys are removed from C:\Windows\.  After the uninstall of the old version we attempt to install 6.00/6.01 with the following parameters:

"Sysmon64.exe -accepteula -i *config filepath here*".  Sysmon appears to successfully install and validates our config file (we've also tested with defaults to confirm it's not our config causing the issue).  Here's where things are strange... On Windows 10, everything is working perfectly as expected without a hiccup, but on Windows 7 machines we now immediately receive a popup informing us that the sysmondrv.sys driver is not digitally signed and therefore unsupported by Windows 7.  The only option at this point is to close the notice and return to the command prompt, where Sysmon shows that it is running successfully.  At this time, all events from Sysmon are logging correctly (we are using all events minus Image Loads) and we see the data in Event Viewer and our SIEM accordingly.

The issue is that as soon as the workstation is rebooted, Event ID 1 (Process creation) stops logging entirely, both on the host in Event Viewer and obviously subsequently in our SIEM.  All other event types continue to log correctly and we see them, but creation events are not being generated.  Restarts of the Sysmon service or more reboots of the host do not fix the issue.  If we uninstall Sysmon and reinstall again, the process logging immediately returns but once again stops following a reboot.

Has anyone run into similar issues and if so, have you determined why the sysmondrv.sys driver is no longer signed for Windows 7 but appears to be signed/functioning for Windows 10?  After hours of troubleshooting, our best guess is that this driver is the issue and to be honest it's driving us nuts!

Thanks!
vgeorgieva
Joined: 22 May 2017
Location: Sofia, Bulgaria
Posted: 22 May 2017 at 1:45pm
Hi,

I'm facing the same issue, did you manage to resolve it?
I've seen that Microsoft has released v6.02.

Thanks!
MSFT_markc
Joined: 15 August 2016
Posted: 23 May 2017 at 8:57am

I was able to reproduce this issue with 6.01 but have just validated 6.02 on the same machine and this appears to be fine. Could you confirm whether or not this remains an issue in your environment?

Regards

Mark (MSFT)
Nemo7891
Joined: 13 July 2017
Posted: 13 July 2017 at 1:21pm
Last year we upgraded from 3.10 to 4.12 and experienced a very similar bug. Starting with a very vanilla install that initially appeared to have worked, after a reboot only Event ID 3 (Network Connection) would be logged. This was seen across all systems running 4.12 and as a result we downgraded back to 3.10 and are still running it. Recently though I noticed that on about 2% of our systems running 3.10 we still ONLY see Network Connection events. Others work just fine and a reboot does not solve the problem. Is this related and was it finally fixed in 6.2 or is this something different?
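Both reports in this thread (Event ID 1 vanishing after a reboot on Windows 7, and hosts that emit only Event ID 3) share the same triage steps: count what Sysmon actually logged since boot per Event ID, confirm the service and kernel driver are loaded, and check the driver file's Authenticode status on the affected OS. The following PowerShell is an added diagnostic, not code from the thread or from Sysinternals. It assumes the default Sysmon event channel and the default driver file name under %SystemRoot%; an install that used the `-d <name>` option puts the driver under that name instead, and the `$DriverPath` parameter must then be pointed at it.

```powershell
# Added diagnostic (not from the thread or Sysinternals). Run in an elevated
# PowerShell after the reboot that triggers the symptom. Assumes the default
# Sysmon channel and the default driver file name; "-d <name>" installs differ.
param(
    [int]$Minutes = 15,
    [string]$DriverPath = (Join-Path $env:SystemRoot 'sysmondrv.sys')  # assumed default
)

$since = (Get-Date).AddMinutes(-$Minutes)

# Event IDs an install configured for them should emit after a reboot;
# ID 1 is the one the original post loses, ID 3 the only one the last post keeps.
$expected = @{
    1  = 'Process Create'
    3  = 'Network Connect'
    5  = 'Process Terminate'
    11 = 'File Create'
    13 = 'Registry Value Set'
}

# Pull recent Sysmon events; the cmdlet emits a non-terminating error when none exist.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

# Tally by Event ID.
$counts = @{}
foreach ($e in $events) { $counts[$e.Id] = [int]$counts[$e.Id] + 1 }

"Sysmon events logged in the last $Minutes minute(s):"
foreach ($id in ($expected.Keys | Sort-Object)) {
    $n = [int]$counts[$id]
    $flag = if ($n -eq 0) { 'MISSING' } else { 'ok' }
    '{0,4}  {1,-20} {2,6}  {3}' -f $id, $expected[$id], $n, $flag
}
# Zero hits for ID 1 while the other IDs still flow is the pattern reported above.

# Service and driver state: a driver Windows refused to load, or one that is
# not running, explains missing kernel-sourced events such as process creation.
Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue |
    ForEach-Object { 'Service {0,-10} {1}' -f $_.Name, $_.Status }

# Get-WmiObject rather than Get-CimInstance so this also runs on Windows 7's PowerShell 2.0.
Get-WmiObject Win32_SystemDriver -Filter "Name LIKE 'Sysmon%'" |
    ForEach-Object { 'Driver  {0,-10} {1} (started: {2})' -f $_.Name, $_.State, $_.Started }

# Authenticode check on the driver file itself, evaluated by this OS's own crypto stack.
if (Test-Path $DriverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    "Driver file      : $DriverPath"
    "Signature status : $($sig.Status)"
    if ($sig.SignerCertificate) { "Signer           : $($sig.SignerCertificate.Subject)" }
} else {
    "Driver file not found at $DriverPath (installed with a custom -d name?)"
}
```

Run it once on a Windows 7 host that shows the symptom and once on a Windows 10 host that does not, with the same Sysmon build. If the event tally differs but the driver file reports the same signer on both, and only the Windows 7 side reports a non-Valid signature status, the difference lies in what that OS can validate rather than in the file, which is the question the original post ends on; a driver that is listed but not started after reboot is the other result worth recording before reinstalling.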