Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,095 questions
Sysmon v10.41 creates duplicate event 1 when WSL is enabled.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 63%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKL%3C/text%3E%3C/svg%3E)
Kurt Lin
1
Reputation point
Hello,
Before I enable wsl1 in my Windows10 host, Sysmon logs event 1 properly. For example, if I open a snipping tool, Sysmon will log a process creation event for it just like the following figure
(The three colums are winlog.event_data.Image , winlog.event_data.CommandLine and winlog.event_data.UtcTime respectively):
After I enable the WSL1 feature, the same snipping tool opening will cause duplicate Sysmon event 1 with different CommandLine but at exactly the same time:
Every process creation after wsl1 enabled will cause duplicate Sysmon event 1. The only difference between duplicate events in a single process creation is the CommandLine field, which looks random or meaningless.
Does anyone have any ideas?
Thank you.
Sysinternals
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 35%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
dstaulcu 351 Reputation points2021-10-01T10:26:11.823+00:00 Does the same behavior exist with the latest version of sysmon?
Sign in to comment