Sysmon login loop

Geriden (Newbie, joined 12 September 2017)
Posted: 12 September 2017 at 2:33pm
Hi guys,

Running Windows 7 Professional, and having repeated issues with getting Sysmon to work properly.

Sysmon installs and sets up fine; however, if I shut the computer down or lock the workstation, I am unable to log in again. It'll stay looping on "Welcome".

The only way to fix it is by booting into safe mode and uninstalling Sysmon.

I've tried adding sysmon.exe to the exclusions list of Sophos, still no luck.

Any suggestions?

Geriden
Posted: 13 September 2017 at 1:53pm
Upon further investigation, the issue seems to be related to Event ID 7 ImageLoad.

After removing the entire ImageLoad section from config.xml it seems to work fine, and I cannot re-create the fault. After adding the ImageLoad lines back in, the problem comes back and I'm unable to log in after a computer restart or log out.

So with that in mind - anybody have any ideas?

NOTE: I'm using a modified version of https://github.com/SwiftOnSecurity/sysmon-config


Geriden
Posted: 21 September 2017 at 8:56am
In case anybody is interested or experiencing the same issue, I've been offered a fix from "SwiftOnSecurity" that seems to have done the trick.

I've edited my config.xml <Sysmon schemaversion="3.30"> and changed the value to 3.40
Re-inserted the <ImageLoad> parameters and all is working well :)

I'll post back here if anything changes but all has been well for the past day.

Geriden
Posted: Yesterday at 12:04pm
After a week or so of testing I'm afraid the issue has returned :(

Back to the drawing board.
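
Added example, not part of the original posts or of any poster's configuration: a Python sketch for the A/B test described in the thread, reporting a config's `schemaversion` and its `ImageLoad` sections and producing a copy with `ImageLoad` removed. The function names and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for illustration; not the poster's config.xml.
SAMPLE_CONFIG = """<Sysmon schemaversion="3.30">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">example.exe</Image>
    </ProcessCreate>
    <ImageLoad onmatch="exclude">
      <Signature condition="is">Example Vendor</Signature>
    </ImageLoad>
  </EventFiltering>
</Sysmon>"""


def summarize(xml_text):
    """Return the schema version and one entry per ImageLoad section."""
    root = ET.fromstring(xml_text)
    sections = []
    for node in root.iter("ImageLoad"):
        onmatch = node.get("onmatch", "")
        # Sysmon semantics: "exclude" logs every event except the listed
        # matches; "include" logs only the listed matches.
        sections.append({"onmatch": onmatch,
                         "rules": len(list(node)),
                         "logs_by_default": onmatch == "exclude"})
    return {"schemaversion": root.get("schemaversion"), "imageload": sections}


def without_imageload(xml_text):
    """Return the config as XML text with every ImageLoad section removed."""
    root = ET.fromstring(xml_text)
    # Snapshot the element list first so removal does not disturb iteration.
    for parent in list(root.iter()):
        for child in [c for c in parent if c.tag == "ImageLoad"]:
            parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(summarize(SAMPLE_CONFIG))
    print(without_imageload(SAMPLE_CONFIG))
```

Saving the output of `without_imageload` as a second file gives a baseline config to load alongside the full one, so the two can be swapped between reboots while nothing else changes.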