question

MichaelN-3711 asked MichaelN-3711 edited

Running Sysmon in debug mode (Sysmon v13.02)

I'm learning Sysmon and recently read there is an (undocumented) debug mode.

Unfortunately, I'm unable to get it working. This is the result when I try to start
Sysmon in debug mode. Thousands of error messages scroll past until I press
CTRL-C. What am I doing wrong?

 D:\Documents\PRIVATE\Data\Sysmon_Work_Area>sysmon64.exe -t -i ProcessCreate_OriginalFileName_Test.xml
    
 System Monitor v13.02 - System activity monitor
 Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
 Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
 Sysinternals - www.sysinternals.com
    
 Detected configuration file has BOM
 Detected configuration file format is single-width character set
 Loading configuration file with schema version 4.50
 Configuration file validated.
 SysmonDrv installed.
 [R] No global rule or pre-filtered for 16
 Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
         UtcTime: 2021-04-15 15:02:52.675
         Configuration: D:\Documents\PRIVATE\Data\Sysmon_Work_Area\ProcessCreate_OriginalFileName_Test.xml
         ConfigurationFileHash: SHA256=01B1060F20197C15B4B39DD55F6B22DCFBBBB93A1D4DA235679C776B04C96A4B
 Starting SysmonDrv.
 SysmonDrv started.
 [R] No global rule or pre-filtered for 4
 Event SYSMONEVENT_SERVICE_STATE_CHANGE
         UtcTime: 2021-04-15 15:02:52.740
         State: Started
         Version: 13.02
         SchemaVersion: 4.50
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
    
 <...removed thousands of similar lines...>
    
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
 [R] No global rule or pre-filtered for 4
 PROCESS_CACHE_REQUEST failed with 87
 Event SYSMONEVENT_SERVICE_STATE_CHANGE
         UtcTime: 2021-04-15 15:02:54.675
         State: Stopped
         Version: 13.02
         SchemaVersion: 4.50
 PROCESS_CACHE_REQUEST failed with 87
 PROCESS_CACHE_REQUEST failed with 87
    
 D:\Documents\PRIVATE\Data\Sysmon_Work_Area>
windows-sysinternals-sysmon
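When checking a configuration in trace mode, the useful signal (which events fired, which fields they carried, which event IDs had no matching rule) is buried under the repeated failure lines. The script below is an added example, not part of the question or of Sysmon itself: it parses the trace format shown above (unindented "Event NAME" lines followed by indented "Key: Value" fields, "[R] ... for <id>" rule notes, and "<call> failed with <code>" lines) and rolls it up into counts. The sample trace embedded in it is a constructed, abbreviated copy of the output in the question.

```python
import re
from collections import Counter
# Constructed sample: an abbreviated copy of the trace shown in the question.
SAMPLE_TRACE = """\
[R] No global rule or pre-filtered for 16
Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
        UtcTime: 2021-04-15 15:02:52.675
[R] No global rule or pre-filtered for 4
Event SYSMONEVENT_SERVICE_STATE_CHANGE
        UtcTime: 2021-04-15 15:02:52.740
        State: Started
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
[R] No global rule or pre-filtered for 4
PROCESS_CACHE_REQUEST failed with 87
Event SYSMONEVENT_SERVICE_STATE_CHANGE
        UtcTime: 2021-04-15 15:02:54.675
        State: Stopped
"""
FAIL_RE = re.compile(r"^(\w+) failed with (\d+)$")  # "<call> failed with <code>"
RULE_RE = re.compile(r"^\[R\] (.*) for (\d+)$")      # "[R] <note> for <event id>"
def parse_trace(text):
    """Split a Sysmon -t trace into events, failure counts and [R] notes."""
    events, failures, rule_notes = [], Counter(), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Event "):            # unindented: a new event begins
            current = {"name": line[6:], "fields": {}}
            events.append(current)
        elif FAIL_RE.match(line):                # repeated per-call failure line
            call, code = FAIL_RE.match(line).groups()
            failures[(call, int(code))] += 1
        elif RULE_RE.match(line):                # rule-engine note carrying an event id
            note, event_id = RULE_RE.match(line).groups()
            rule_notes.append((note, int(event_id)))
        elif raw[0].isspace() and current and ": " in line:  # indented field
            key, _, value = line.partition(": ")
            current["fields"][key] = value
        else:                                    # any other line ends the event
            current = None
    return events, failures, rule_notes
def summarize(text):
    events, failures, notes = parse_trace(text)
    return {"event_counts": dict(Counter(e["name"] for e in events)),
            "failures": {f"{call} (error {code})": n for (call, code), n in failures.items()},
            "event_ids_without_rule": sorted({eid for _, eid in notes})}
```

Pipe a real trace into `summarize()` (for example by redirecting the console output to a file) to see event names and field values per event, with the failure noise reduced to a single count per call and error code.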

1 Answer

MichaelN-3711 answered MichaelN-3711 edited

If anyone is interested, the syntax for debug mode (as shown above) seems to work just fine in the new v13.10 version.
