SysMon 5.2 - not installing on 2016+secure boot

GregAskew, posted 24 November 2016 at 9:54pm:
I tried installing SysMon 5.2 on Windows Server 2016 on a Hyper-V guest with Secure Boot enabled, and it failed with the complaint:

The SysmonDrv service failed to start due to the following error:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
After disabling Secure Boot in the Hyper-V guest settings, the installation succeeded.

MSFT_markc, posted 25 November 2016 at 8:29am:
Hi Greg
There was an issue on Windows 10 that under some circumstances caused drivers to fail the integrity check when Secure Boot is enabled, resulting in a BSOD. This issue is described at https://support.microsoft.com/en-us/kb/3194715
 
For the Windows 10 Anniversary edition (RS1) this was modified to detect the condition and fail the load rather than let it continue and bugcheck, and since Server 2016 is built on the RS1 codebase I suspect this is the problem you are coming up against. I believe that this will be fully resolved as part of the next major update, though of course that isn't much use to you right now. In the meantime my understanding is that this only occurs when the driver is installed for the first time, so one workaround is to disable Secure Boot, perform the install, then re-enable Secure Boot.
 
Out of interest do you have Windows Defender installed on those machines and does the problem go away if you disable realtime scanning during the install?
 
Regards
 
Mark (MSFT)

GregAskew, posted 25 November 2016 at 11:28am:
Windows Defender is not running on the Windows Server 2016 guest, but it is running on the Windows 10 Hyper-V host. Should I try disabling defender on the host and perform the installation test?

MSFT_markc, posted 25 November 2016 at 11:34am:
OK thanks for checking - I was specifically interested in the machine that you are installing SYSMON on so I don't think disabling AV on the host will make any difference.
 
The reason I asked was that we know this problem occurs when the driver is first loaded into user space before being loaded into the kernel, and when I investigated this, Defender was mapping the driver into memory while scanning it. Since this only occurs when the file is laid down, it only happened when the driver was installed and not when it was subsequently loaded. Consequently the unanswered question in your environment is why this gets mapped into user space in the first place. Do you have any other AV products on the guest machine?

GregAskew, posted 25 November 2016 at 12:18pm:
No other AV products. It is a recent build of Windows Server 2016 (Evaluation), with:

SQL Server 2016
Office 2013
Visual Studio 2015
Firefox
Notepad++
TortoiseSVN

The Windows Defender features are installed, but the service is set for manual startup and not running, and the "Turn off Windows Defender" group policy setting is enabled.

pscookiemonster, posted 11 January 2017 at 3:17pm:
Ran into the same issue (presumably). Vanilla Hyper-V guest, Defender service is running.

thomasbc-dk, posted 10 February 2017 at 11:11am:
Ran into this very same issue on our Windows 10 clients, with the Anniversary update on. When Secure Boot is disabled, Sysmon installation is possible, but not with Secure Boot on; then it fails with that exact error.

Is it the Sysmon installation that needs to be tweaked, or is it Windows?

GeneralKanos, posted 15 February 2017 at 3:07am:
I am also unable to install the Sysmon driver on Windows 10 + secureboot.
I am running Win10 Edu v1607.
I have SEP 12.1.6 installed.
Running "sysmon -i -accepteula" gives the error:

Sysmon installed.
SysmonDrv installed.
StartService failed for SysmonDrv:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Failed to start the driver:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Stopping the service failed:
The service has not been started.
SysmonDrv removed.
Stopping the service failed:
The service has not been started.
Sysmon removed.

MagicAndre1981 (Moderator), posted 15 February 2017 at 7:47pm:
The Sysmon cert expired. This was reported here some days ago. Wait for an update and try again.

GregAskew, posted 16 February 2017 at 4:52pm:
I don't think an expired code signing certificate would cause any problems. Otherwise a ton of applications would break.

If one of the certificate authority certificates that issued the code signing certificate were expired, that would be another matter.
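The thread turns on a handful of facts that are cheap to collect before anyone toggles Secure Boot: whether Secure Boot is actually on in the guest, whether Defender real-time scanning is active (the factor Mark asks about), what the SysmonDrv image's Authenticode signature and certificate chain look like (the point Greg raises about a signer certificate expiring versus an issuing CA expiring), and what the Service Control Manager logged for the failed start. The script below is an added diagnostic example; it is not code from this thread or from Sysinternals. It assumes the driver is registered under the service name SysmonDrv as the error text shows, that the machine boots UEFI (Confirm-SecureBootUEFI throws otherwise, which the script treats as "not applicable"), and that the Defender cmdlets are present (they are absent where the Defender feature is not installed, which the script also tolerates). Run it from an elevated PowerShell prompt on the machine where the install failed.

```powershell
# Added diagnostic script (not from the thread or from Sysinternals).
# Gathers the state a defender wants on record before changing Secure Boot:
# Secure Boot status, Defender real-time scanning, the SysmonDrv image's
# signature and certificate chain, and recent SCM start failures.

$serviceName = 'SysmonDrv'   # driver service name, as shown in the error text

$report = [ordered]@{}

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on BIOS/legacy boot and
#    where the UEFI variable is not exposed; treat that as "not applicable".
try {
    $report.SecureBoot = Confirm-SecureBootUEFI
} catch {
    $report.SecureBoot = "n/a ($($_.Exception.Message))"
}

# 2. Defender real-time scanning. Get-MpPreference is unavailable when the
#    Defender feature is not installed, so fall back gracefully.
try {
    $mp = Get-MpPreference -ErrorAction Stop
    $report.DefenderRealtimeDisabled = $mp.DisableRealtimeMonitoring
} catch {
    $report.DefenderRealtimeDisabled = 'n/a (Defender cmdlets unavailable)'
}

# 3. Locate the driver image through its service registration instead of
#    assuming an install path. PathName may carry an NT-style prefix.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$serviceName'"
if ($null -eq $drv) {
    $report.DriverImage = 'service not registered'
} else {
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $report.DriverImage = $path
    $report.DriverState = $drv.State

    # 4. Authenticode signature. Status reflects the whole chain, so an expired
    #    or untrusted issuer shows up here even when the leaf looks fine; a
    #    timestamped signature stays valid after the signer cert's NotAfter.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $report.SignatureStatus = $sig.Status
    $report.StatusMessage   = $sig.StatusMessage
    if ($sig.SignerCertificate) {
        $report.Signer        = $sig.SignerCertificate.Subject
        $report.SignerExpires = $sig.SignerCertificate.NotAfter

        # Walk the chain so each issuer and its expiry are listed explicitly.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($sig.SignerCertificate)
        $report.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $report.ChainIssuers = ($chain.ChainElements | ForEach-Object {
            '{0} (expires {1:yyyy-MM-dd})' -f $_.Certificate.Subject, $_.Certificate.NotAfter
        }) -join "`n"
    }
    if ($sig.TimeStamperCertificate) {
        $report.Timestamper = $sig.TimeStamperCertificate.Subject
    }
}

# 5. Service Control Manager event 7000 ("The <name> service failed to start
#    due to the following error") for this driver, most recent first.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$serviceName*" } |
    Select-Object -First 5
$report.RecentStartFailures = ($events | ForEach-Object {
    '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -replace '\s+', ' ')
}) -join "`n"

[pscustomobject]$report | Format-List
```

Read the output against the discussion: SignatureStatus of Valid with Secure Boot on and a 7000 event present points at the first-install mapping behaviour Mark describes rather than at the certificate, while a chain entry whose issuer has expired or a ChainStatus other than empty supports the certificate explanation instead. Re-running the script after the driver has been installed once (with whatever workaround was used) shows whether the image now loads under Secure Boot without further changes.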