I'm learning Sysmon and recently read there is an (undocumented) debug mode.
Unfortunately, I'm unable to get it working. This is the result when I try to start
Sysmon in debug mode. Thousands of error messages scroll past until I press
CTRL-C. What am I doing wrong?
D:\Documents\PRIVATE\Data\Sysmon_Work_Area>sysmon64.exe -t -i ProcessCreate_OriginalFileName_Test.xml
System Monitor v13.02 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Detected configuration file has BOM
Detected configuration file format is single-width character set
Loading configuration file with schema version 4.50
Configuration file validated.
SysmonDrv installed.
[R] No global rule or pre-filtered for 16
Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
UtcTime: 2021-04-15 15:02:52.675
Configuration: D:\Documents\PRIVATE\Data\Sysmon_Work_Area\ProcessCreate_OriginalFileName_Test.xml
ConfigurationFileHash: SHA256=01B1060F20197C15B4B39DD55F6B22DCFBBBB93A1D4DA235679C776B04C96A4B
Starting SysmonDrv.
SysmonDrv started.
[R] No global rule or pre-filtered for 4
Event SYSMONEVENT_SERVICE_STATE_CHANGE
UtcTime: 2021-04-15 15:02:52.740
State: Started
Version: 13.02
SchemaVersion: 4.50
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
<...removed thousands of similar lines...>
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
[R] No global rule or pre-filtered for 4
PROCESS_CACHE_REQUEST failed with 87
Event SYSMONEVENT_SERVICE_STATE_CHANGE
UtcTime: 2021-04-15 15:02:54.675
State: Stopped
Version: 13.02
SchemaVersion: 4.50
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
D:\Documents\PRIVATE\Data\Sysmon_Work_Area>
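As an added example (not part of this post and not Sysmon's own code), a small Python parser for the debug-output format shown above: it groups each `Event ...` header with its `Key: Value` lines, counts the `[R] No global rule or pre-filtered for N` notes per event ID, and collapses the flood of `... failed with N` lines into one row per request and error code, naming the Win32 code (87 is ERROR_INVALID_PARAMETER). The sample input and the error-code table are constructed assumptions for the example.

```python
import re
from collections import Counter
# Assumed mapping of a few well-known Win32 error codes; Sysmon prints only the bare number.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER"}
EVENT_RE = re.compile(r"^Event (SYSMONEVENT_\w+)$")
RULE_RE = re.compile(r"^\[R\] No global rule or pre-filtered for (\d+)$")
FAIL_RE = re.compile(r"^(\w+) failed with (\d+)$")
FIELD_RE = re.compile(r"^(\w+): (.*)$")  # "Key: Value" lines under an Event header

def parse_sysmon_debug(text):
    """Group debug output into events; count unfiltered event IDs and failed requests."""
    events, current = [], None
    unfiltered, failures = Counter(), Counter()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := EVENT_RE.match(line):
            current = {"event": m.group(1), "fields": {}}
            events.append(current)
        elif m := RULE_RE.match(line):
            unfiltered[int(m.group(1))] += 1      # event ID with no matching rule
        elif m := FAIL_RE.match(line):
            failures[(m.group(1), int(m.group(2)))] += 1
        elif current is not None and (m := FIELD_RE.match(line)):
            current["fields"][m.group(1)] = m.group(2)
    return {"events": events, "unfiltered": dict(unfiltered), "failures": dict(failures)}

def summarize_failures(parsed):
    """One row per distinct (request, code): name the Win32 error and how often it fired."""
    return [(req, code, WIN32_ERRORS.get(code, "UNKNOWN"), n)
            for (req, code), n in sorted(parsed["failures"].items())]

# Constructed sample modelled on the output in the post (trimmed; no real hash or path).
SAMPLE = """\
[R] No global rule or pre-filtered for 16
Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
UtcTime: 2021-04-15 15:02:52.675
Starting SysmonDrv.
[R] No global rule or pre-filtered for 4
Event SYSMONEVENT_SERVICE_STATE_CHANGE
State: Started
SchemaVersion: 4.50
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
[R] No global rule or pre-filtered for 4
PROCESS_CACHE_REQUEST failed with 87
Event SYSMONEVENT_SERVICE_STATE_CHANGE
State: Stopped
PROCESS_CACHE_REQUEST failed with 87
"""

if __name__ == "__main__":
    for row in summarize_failures(parse_sysmon_debug(SAMPLE)):
        print("%s -> %d (%s) x%d" % row)
```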