
MarkusEgger-5026 asked:

Sysmon 13.01 hangs Windows Server 2008 R2 // What's in 13.02?

Hi there,

I know that they are no longer supported - but have any of you experienced I/O freezes/hangs of Windows Server 2008 R2 when installing the Sysmon64 service? We did that yesterday as part of a 3rd party SIEM suite and all the 2008 R2s were effectively "killed" by that: it takes like forever to log on and do anything, you may not even be able to invoke run-as from Task Manager and so on. Resource Monitor shows low CPU and RAM but all I/O-related tabs are blank - no disk I/O, no network I/O shown - like the I/O subsys is completely hung/frozen.
On those systems where I was able to get to a proper CMD and issued "sysmon64 -u force", everything went back to normal.

Now I also wonder what's in 13.02 that has been published yesterday - no release notes to be found yet?

Thanks!

Regards,
Markus

windows-sysinternals-sysmon

diascira-6021 answered:

We are experiencing the same issue with Sysmon 13.01 (among other issues). I removed Sysmon with sysmon64 -u force, but it took some doing since we couldn't get the servers to complete the logon process. Any ideas what is causing this? We've had a lot of issues with Sysmon 13.01, including workstations failing to log on (excluding all Registry events from the sysmon config seemed to help with that), and also had Server 2016 issues where RDP was failing, no idea why at this point. Anyone found workarounds for these issues?

MarkusEgger-5026 commented:

Thanks for your feedback! We had profile loading issues on RemoteApp servers in Outlook so I proactively uninstalled the sysmon service on my RD session hosts - one of them bluescreening while running the sysmon64 -u. Now this is a good question of cause and effect I cannot clearly answer - probably the bad Outlooks were on the bad server but was the server bad because of the sysmon 13.01 install previously or not?
We only do this currently on servers for a SIEM PoC so I cannot comment on workstation issues and such.

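The two mitigations mentioned in this thread (force-uninstalling with sysmon64 -u force, or keeping Sysmon but dropping Registry events from the config) as an added PowerShell example; this is not code from the thread or from Sysinternals. It assumes Sysmon was installed under its default service name, so the binary lives at %windir%\Sysmon64.exe, and that the schemaversion in the config matches what the installed build reports with sysmon64 -s.

```powershell
# Added example, not from the thread. Assumes the default install (binary copied to
# %windir%\Sysmon64.exe) and that the schemaversion below matches the installed build
# (check with: sysmon64 -s). Run as Administrator; pass -Rollback to uninstall instead.
param([switch]$Rollback)

$sysmonExe = Join-Path $env:windir 'Sysmon64.exe'
$os        = [Environment]::OSVersion.Version   # 6.1 = Windows 7 / Server 2008 R2

if (-not (Test-Path $sysmonExe)) {
    Write-Output "Sysmon64 is not installed on this host."
    return
}

# Record what is actually running before changing anything.
$fileVersion = (Get-Item $sysmonExe).VersionInfo.ProductVersion
Write-Output ("OS {0}, Sysmon binary version {1}" -f $os, $fileVersion)

if ($Rollback) {
    # The workaround from the question: force-uninstall the service and driver.
    & $sysmonExe -u force
    return
}

# Otherwise keep Sysmon but turn off RegistryEvent collection, the change that helped
# with the workstation logon hangs in the answer above. An empty "include" rule set
# for an event type means nothing of that type is logged; event types not listed at
# all keep Sysmon's default behaviour.
$config = @"
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="no-registry" groupRelation="or">
      <RegistryEvent onmatch="include" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@

$configPath = Join-Path $env:TEMP 'sysmon-no-registry.xml'   # hypothetical path
Set-Content -Path $configPath -Value $config -Encoding ASCII

# -c updates the running configuration without reinstalling the driver.
& $sysmonExe -c $configPath
```

Apply the config change on a test host first and watch logon times and Resource Monitor's disk/network tabs before rolling it to the rest of the fleet.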
foxmsft answered:

I have tested on Windows 7 and made some improvements in 13.02 - please let me know whether Sysmon is more reliable now.

MarkusEgger-5026 commented:

Thanks a lot for your effort and quick feedback - I need some more testing, but at a first glance this looks much better on a non-critical/test server.
A quick test using snapshots showed that 13.01 could hang the 2008 R2 almost instantly, whereas 13.02, apart from a short CPU/processing spike, seems to have done nothing bad to the server. I want to let it run overnight.

dstaulcu commented:

This is great to hear!
