francois77 asked JonnyWiederholm-1470 answered

Windows crashed and restarted by Sysmon Uninstall

My Windows 10 (Version 1909) VM just crashed and restarted when I uninstalled Sysmon (v13.23).
Very weird, as this didn't happen on either my other Windows 10 (Version 20H2) box or on Windows Server 2012 R2.

As evidence of the crash, the following Event IDs were generated after the crash.

I. Event ID 41: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

II. Event ID 6008: The previous system shutdown was unexpected.

windows-sysinternals-sysmon

1 Answer

JonnyWiederholm-1470 answered

It's the same when trying to uninstall Sysmon (all versions since 6.0) on Windows Server 2016 running Credential Guard ... it generates a BSOD. The only workaround is to disable Sysmon, reboot and then uninstall.
