JoeDoe-8386 asked JoeDoe-8386 commented

Sysmon 13.01 blocks closing threads

Hi,

We have issues on some multi-user server systems (Terminal Server, Citrix, VDS). Sysmon is blocking closing threads, so processes hang and users can't connect / log on to the servers.
MS support investigated this issue and confirmed this.

So, I have two questions: If I send you (Sysmon Devs) the Tracking ID, ticket content and the memory dump, can you check why Sysmon is blocking threads?
In addition, the operating team reports that with Sysmon 10.42 they don't have this issue. What has changed between this old version and the latest that could affect the mentioned issue?

Thanks in advance.

KR

Manuel

windows-sysinternals-sysmon

Hope your "thread" with the devs works out!
Have you by chance narrowed down the event type (process create, imageload, file delete, pipe event, etc.) which is causing the problem?
Recent versions of Sysmon had corrections which reduced similar problems with virtual desktop logons when pipeevent logging was enabled. Do you have pipeevent enabled? Does the problem go away when you disable it?


Unfortunately I can't narrow it down to a special event type and Ops Team is really ... mad because they had outages. But I will try to disable the pipe event, thanks for the hint.
