Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,084 questions
Sysmon not logging Event ID 15 on mapped drives as expected
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 93%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH6%3C/text%3E%3C/svg%3E)
Heidemann-61
1
Reputation point
Having sysmon installed on a client computer (in my case the most recent Windows 10), and having defined event rules for Event ID 15 (FileCreateStreamHash) on the client computer, I found that any download triggers an Event 15 if the download folder is "local" (on a locally attached drive), for example somehow on %systemdrive%, which is what I expected. So, sysmon works.
However, if the download folder resides on a network mapped drive, no Event 15 is logged, at least not on the client computer. For example, if you map Z: on the client computer to \some-fileserver\some-share, then no download will trigger any Event 15 on the client computer if the download is stored in Z:\download.
On the other hand, a sysmon installed on the file server WILL trigger event 15 in that case, but unfortunately is missing valuable information. For example the process id in that event 15 is not the pid of the browser instance on the client, but the file server service instance, the "image" does not identify the browser, it is SYSTEM.
Q: I assume this behaviour is "works as designed"?
Sysinternals
{count} votes
-
Heidemann-61 1 Reputation point
2021-10-04T12:29:54.78+00:00 Because I got no comment nor answer, I think it is "works as designed" that there is no Event ID 15 if the downloaded file is placed on a network drive.
Unfortunately, if the file server is a filer not running with a Microsoft OS (for example netapp) there is no chance to leverage sysmon FileCreateStreamHash. This is what my customer faces in his terminal server / Citrix environments: All user profiles point at least partially to network drives on a netapp filer, especially the download folder does. Thus no sysmon Event 15 when downloading a file.
Is there a way to file a feature request to extend the sysmon capabilities for Event ID 15 with this in mind? I mean, firing an Event ID 15 in sysmon regardless where the file is placed. At the end of the day, it is the client application (browser) which creates a file on a NTFS based file system (on the file server), and the file does carry the MOTW alternate data stream.
Thanks for any suggestions / comments /...
Sign in to comment