Hi, We identified that when enabling FileDelete rules on Win2008 R2, Sysmon.exe encounter an error and made the system almost unresponsive. In some extreme case, Sysmon cannot be uninstalled without restarting in safe mode. The following configuration has been tested on an up to date 2008R2 with Sysmon 12.03: <Sysmon schemaversion="4.40"> <EventFiltering>  <RuleGroup name="" groupRelation="or"> <FileDelete onmatch="include"> <TargetFilename condition="is">C:\Windows\temp\DELETEME.txt</TargetFilename> </FileDelete> </RuleGroup> </EventFiltering> </Sysmon> When launching an app, iexplore.exe for example, an Application Error log is created for Sysmon: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Error" /> <EventID Qualifiers="0">1000</EventID> <Level>2</Level> <Task>100</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2020-11-30T10:35:11.000000000Z" /> <EventRecordID>889</EventRecordID> <Channel>Application</Channel> <Computer>WIN-0I5EAUBRCFP</Computer> <Security /> </System> <EventData> <Data>Sysmon64_12.03.exe</Data> <Data>12.0.3.0</Data> <Data>5fbbe1ab</Data> <Data>KERNELBASE.dll</Data> <Data>6.1.7601.24545</Data> <Data>5e0eb6bd</Data> <Data>c0000005</Data> <Data>000000000000c4d2</Data> <Data>6bc</Data> <Data>01d6c70475c65a43</Data> <Data>C:\Windows\Sysmon64_12.03.exe</Data> <Data>C:\Windows\system32\KERNELBASE.dll</Data> <Data>b8c26047-32f7-11eb-ac4b-08002796838c</Data> </EventData> </Event> Our workaround is to completely remove rules related to FileDelete event at the moment, but this is an unsatisfactory solution. Many thanks in advance for your help.

The issue seems to be fixed with the 13.02 release.

Sysmon 12.03 - FileDelete rules on Win2008 R2 cause Sysmon to crash

M3lon 26

Hi,

We identified that when enabling FileDelete rules on Win2008 R2, Sysmon.exe encounter an error and made the system almost unresponsive. In some extreme case, Sysmon cannot be uninstalled without restarting in safe mode.

The following configuration has been tested on an up to date 2008R2 with Sysmon 12.03:
<Sysmon schemaversion="4.40">
<EventFiltering>

<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include">
<TargetFilename condition="is">C:\Windows\temp\DELETEME.txt</TargetFilename>
</FileDelete>
</RuleGroup>
</EventFiltering>
</Sysmon>

When launching an app, iexplore.exe for example, an Application Error log is created for Sysmon:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-11-30T10:35:11.000000000Z" />
<EventRecordID>889</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN-0I5EAUBRCFP</Computer>
<Security />
</System>
<EventData>
<Data>Sysmon64_12.03.exe</Data>
<Data>12.0.3.0</Data>
<Data>5fbbe1ab</Data>
<Data>KERNELBASE.dll</Data>
<Data>6.1.7601.24545</Data>
<Data>5e0eb6bd</Data>
<Data>c0000005</Data>
<Data>000000000000c4d2</Data>
<Data>6bc</Data>
<Data>01d6c70475c65a43</Data>
<Data>C:\Windows\Sysmon64_12.03.exe</Data>
<Data>C:\Windows\system32\KERNELBASE.dll</Data>
<Data>b8c26047-32f7-11eb-ac4b-08002796838c</Data>
</EventData>
</Event>

Our workaround is to completely remove rules related to FileDelete event at the moment, but this is an unsatisfactory solution.
Many thanks in advance for your help.

dstaulcu 351 Reputation points

2020-12-31T03:22:02.19+00:00

Hi @M3lon

Despite knowledge that Windows Server 2008 R2 went end of life on 1/14/2020, out of curiosity, I went ahead and provisioned a VM to see if I could reproduce the problem.

With a fully patched server and sysmon v12.3 running default configurations, everything seems fine. However, after importing a sysmon configuration having only FileDelete enabled (exclude nothing), sysmon crashes on configuration list (sysmon -c) and the platform destabilizes with sysmon commands thereafter, even across reboots.

Given that this happens on a virtual machine, I imagine it impacts all windows server 2008 R2 instances equally. In fact, the problem exists on Windows 7 too.

Thanks for bringing this issue to the attention of others so that we know to avoid deploying a config having the FileDelete eventtype enabled to any remaining end of life hosts.

1 answer

M3lon 26 Reputation points

2021-03-26T12:41:24.327+00:00

The issue seems to be fixed with the 13.02 release.
Please sign in to rate this answer.
rednek SMACKINFOOLZ 1 Reputation point

2022-03-04T14:31:32.08+00:00

PS4 and Xbox one both are different yes but y is their Bluetooth different from regular Bluetooth idk but if only PS4 and Xbox just worked together along with Nintendo and other devices all in one it would eliminate the possibility 6thr systems software ;ess likely to get corrupted if powered died or goes out idk but there's just no simple way of getting by this idk also nsa yuba city CA 95901 I'm New here but can be good for anyone who wants to throw themselves right into submission 5303158790ponee
Sign in to comment