Question

6 Votes
PenningNicholas-9994 asked, PenningNicholas-9994 answered

SysMon 13.24 crashing on app run with Visual Studio 2019

Hello, we have confirmed that there is an interoperability issue with Visual Studio Code 2019 and SysMon 13.24 when trying to run an application.

This causes a Blue Screen and can corrupt a project in Visual Studio Code. The current workaround is to remove SysMon. We don't know what other versions this affects as these users don't have time to test.

I have seen some similar issues on older posts but was wondering if others are seeing this problem and how we can address it. This is happening on more than one system, so it is more of a widespread issue.

Here is a recent post as well that addresses this problem: https://docs.microsoft.com/en-us/answers/questions/511948/bsod-driver-overran-stack-buffer-when-attaching-to.html

This is a much older post with the same Failure ID hash so maybe not as relevant: https://social.technet.microsoft.com/Forums/en-US/64857333-cf8e-47ab-b638-4370ae4e4fce/sysmon-1111-bsod-on-laptops?forum=miscutils

Debugging Details:

KEY_VALUES_STRING: 1

 Key  : Analysis.CPU.mSec
 Value: 4593

 Key  : Analysis.DebugAnalysisManager
 Value: Create

 Key  : Analysis.Elapsed.mSec
 Value: 14312

 Key  : Analysis.Init.CPU.mSec
 Value: 437

 Key  : Analysis.Init.Elapsed.mSec
 Value: 6108

 Key  : Analysis.Memory.CommitPeak.Mb
 Value: 77

 Key  : WER.OS.Branch
 Value: vb_release

 Key  : WER.OS.Timestamp
 Value: 2019-12-06T14:06:00Z

 Key  : WER.OS.Version
 Value: 10.0.19041.1


BUGCHECK_CODE: f7

BUGCHECK_P1: ff96a4d06874eab0

BUGCHECK_P2: f8077ce3f0c0

BUGCHECK_P3: ffff07f8831c0f3f

BUGCHECK_P4: 0

SECURITY_COOKIE: Expected 0000f8077ce3f0c0 found ff96a4d06874eab0

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: devenv.exe

STACK_TEXT:
ffffa48a`685cea38 fffff807`7ce21056 : 00000000`000000f7 ff96a4d0`6874eab0 0000f807`7ce3f0c0 ffff07f8`831c0f3f : nt!KeBugCheckEx
ffffa48a`685cea40 00000000`000000f7 : ff96a4d0`6874eab0 0000f807`7ce3f0c0 ffff07f8`831c0f3f 00000000`00000000 : SysmonDrv+0x1056
ffffa48a`685cea48 ff96a4d0`6874eab0 : 0000f807`7ce3f0c0 ffff07f8`831c0f3f 00000000`00000000 01000000`00100000 : 0xf7
ffffa48a`685cea50 0000f807`7ce3f0c0 : ffff07f8`831c0f3f 00000000`00000000 01000000`00100000 ffff8009`fb5bf620 : 0xff96a4d0`6874eab0
ffffa48a`685cea58 ffff07f8`831c0f3f : 00000000`00000000 01000000`00100000 ffff8009`fb5bf620 fffff807`7ce285e8 : 0x0000f807`7ce3f0c0
ffffa48a`685cea60 00000000`00000000 : 01000000`00100000 ffff8009`fb5bf620 fffff807`7ce285e8 00000000`00000001 : 0xffff07f8`831c0f3f


SYMBOL_NAME: SysmonDrv+1056

MODULE_NAME: SysmonDrv

IMAGE_NAME: SysmonDrv.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1056

FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {bfcd09b2-c8e3-6711-5ab4-bb081f1f34f2}

Followup: MachineOwner

windows-sysinternals-sysmon
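The bugcheck parameters in the dump above can be sanity-checked mechanically. Bugcheck 0xF7 is DRIVER_OVERRAN_STACK_BUFFER: parameter 1 is the /GS security cookie actually found on the stack, parameter 2 the cookie that was expected, and parameter 3 the bitwise complement of parameter 2. The script below is an added example, not part of the question and not Sysinternals tooling: it parses a trimmed copy of the `!analyze -v` output posted above, confirms the three parameter relationships, and names the module sitting directly below nt!KeBugCheckEx on the stack. The REPORT string, the function names and the regular expressions are mine.

```python
"""Sanity-check a WinDbg `!analyze -v` report for bugcheck 0xF7.

Added example (not from the original thread).  Bugcheck 0xF7 is
DRIVER_OVERRAN_STACK_BUFFER: P1 is the /GS cookie actually found on the
stack, P2 the cookie that was expected and P3 the bitwise complement of
P2.  REPORT is a trimmed copy of the report posted in the question.
"""
import re

REPORT = """\
BUGCHECK_CODE: f7

BUGCHECK_P1: ff96a4d06874eab0

BUGCHECK_P2: f8077ce3f0c0

BUGCHECK_P3: ffff07f8831c0f3f

BUGCHECK_P4: 0

SECURITY_COOKIE: Expected 0000f8077ce3f0c0 found ff96a4d06874eab0

PROCESS_NAME: devenv.exe

STACK_TEXT:
ffffa48a`685cea38 fffff807`7ce21056 : 00000000`000000f7 ff96a4d0`6874eab0 0000f807`7ce3f0c0 ffff07f8`831c0f3f : nt!KeBugCheckEx
ffffa48a`685cea40 00000000`000000f7 : ff96a4d0`6874eab0 0000f807`7ce3f0c0 ffff07f8`831c0f3f 00000000`00000000 : SysmonDrv+0x1056

MODULE_NAME: SysmonDrv

IMAGE_NAME: SysmonDrv.sys
"""

MASK64 = (1 << 64) - 1


def parse_report(text):
    """Return the UPPER_CASE key/value fields and the symbol of each stack frame."""
    fields = {}
    for m in re.finditer(r"^([A-Z0-9_]+):\s*(.*)$", text, re.M):
        fields[m.group(1)] = m.group(2).strip()
    # A frame line is "<child-sp> <ret-addr> : <args> : <symbol>"; keep the symbol.
    frames = re.findall(
        r"^[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+:.*:\s*(\S+)$", text, re.M)
    return fields, frames


def check_gs_cookie(fields):
    """Verify the documented 0xF7 parameter relationships."""
    code = int(fields["BUGCHECK_CODE"], 16)
    if code != 0xF7:
        raise ValueError(f"not a DRIVER_OVERRAN_STACK_BUFFER report: 0x{code:x}")
    found = int(fields["BUGCHECK_P1"], 16)
    expected = int(fields["BUGCHECK_P2"], 16)
    complement = int(fields["BUGCHECK_P3"], 16)
    m = re.match(r"Expected ([0-9a-f]+) found ([0-9a-f]+)", fields["SECURITY_COOKIE"])
    return {
        # The cookie on the stack was overwritten: found != expected.
        "cookie_mismatch": found != expected,
        # P3 must be ~P2 (64-bit); anything else means the report is garbled.
        "p3_is_complement_of_p2": complement == (~expected & MASK64),
        # The SECURITY_COOKIE line must agree with the raw parameters.
        "cookie_line_agrees": (int(m.group(1), 16), int(m.group(2), 16)) == (expected, found),
    }


def faulting_module(frames):
    """Module of the first frame below nt!KeBugCheckEx, i.e. the code that reported the overrun."""
    for i, sym in enumerate(frames):
        if sym == "nt!KeBugCheckEx" and i + 1 < len(frames):
            return frames[i + 1].split("+")[0]
    return None


if __name__ == "__main__":
    fields, frames = parse_report(REPORT)
    print(check_gs_cookie(fields))   # all three checks True for the posted dump
    print(faulting_module(frames))   # SysmonDrv
    print(fields["PROCESS_NAME"])    # devenv.exe
```

When all three checks come back True, the report is internally consistent and the overrun was detected inside SysmonDrv.sys while devenv.exe was the current process, which is exactly what FAILURE_BUCKET_ID 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function says; the function is unresolved because no symbols for the driver are loaded.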

0 Votes
PenningNicholas-9994 answered

I have confirmed that 13.30 has resolved this issue. Thanks all for your input and thanks to those who worked to get this fixed!


1 Vote
PenningNicholas-9994 answered

After further review, it appears that even when no rules are configured, SysMon will still crash the system. Example config:

<Sysmon schemaversion="4.70">
  <HashAlgorithms>*</HashAlgorithms>
  <!-- This now also determines the file names of the files preserved (String) -->
  <CheckRevocation />
  <DnsLookup>False</DnsLookup>
  <!-- Disables lookup behavior, default is True (Boolean) -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String) -->
  <CaptureClipboard />
  <!-- This enables capturing the Clipboard changes -->
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1 == Process Creation. -->
      <ProcessCreate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 2 == File Creation Time. -->
      <FileCreateTime onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3 == Network Connection. -->
      <NetworkConnect onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 5 == Process Terminated. -->
      <ProcessTerminate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 6 == Driver Loaded. -->
      <DriverLoad onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 7 == Image Loaded. -->
      <ImageLoad onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 8 == CreateRemoteThread. -->
      <!-- Default to log all and exclude a few common processes -->
      <CreateRemoteThread onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 9 == RawAccessRead. -->
      <RawAccessRead onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 10 == ProcessAccess. -->
      <ProcessAccess onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 11 == FileCreate. -->
      <FileCreate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
      <RegistryEvent onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 15 == FileStream Created. -->
      <FileCreateStreamHash onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
      <PipeEvent onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity -->
      <WmiEvent onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 22 == DNS Queries and their results -->
      <!-- Default to log all and exclude a few common processes -->
      <DnsQuery onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 23 == File Delete and overwrite events -->
      <FileDelete onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 24 == Clipboard change events, only captures text, not files -->
      <!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care! -->
      <ClipboardChange onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 25 == Process tampering events -->
      <ProcessTampering onmatch="include" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>

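Reading the configuration above: in Sysmon's filtering model a rule group with onmatch="include" and no conditions matches nothing, so every event type in that file is effectively switched off, whereas an onmatch="exclude" group with no conditions logs every event of its type. That is what "no rules configured" amounts to here, and it is worth knowing when you reuse such a file for testing. The script below is an added example, not from the thread and not Sysmon's own tooling: it parses a trimmed copy of the configuration above, plus one constructed exclude group for contrast, and reports what each group would log. The CONFIG string and the function names are mine.

```python
"""Report what a Sysmon EventFiltering section actually logs.

Added example, not from the thread.  Sysmon semantics assumed here: a rule
group with onmatch="include" and no filter conditions matches nothing (the
event type is effectively off), and onmatch="exclude" with no conditions
logs every event of that type.  CONFIG is a trimmed copy of the
configuration posted above, plus one constructed exclude group.
"""
import xml.etree.ElementTree as ET

CONFIG = """\
<Sysmon schemaversion="4.70">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DriverLoad onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="include" />
    </RuleGroup>
    <!-- constructed for contrast: an exclude group with one condition -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <Image condition="end with">\\devenv.exe</Image>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def summarise_filtering(xml_text):
    """Map each event type to (onmatch, number of conditions, effective behaviour)."""
    root = ET.fromstring(xml_text)
    summary = {}
    for group in root.iter("RuleGroup"):
        for event in group:  # ElementTree drops XML comments, so these are event elements
            onmatch = event.get("onmatch", "")
            conditions = len(list(event))  # direct child filters such as <Image ...>
            if onmatch == "include":
                effect = "logs matching events only" if conditions else "logs nothing"
            elif onmatch == "exclude":
                effect = "logs everything except matches" if conditions else "logs everything"
            else:
                effect = "unknown onmatch"
            summary[event.tag] = (onmatch, conditions, effect)
    return summary


def effectively_disabled(xml_text):
    """Event types whose rule group can never emit an event."""
    return sorted(tag for tag, (_, _, effect) in summarise_filtering(xml_text).items()
                  if effect == "logs nothing")


if __name__ == "__main__":
    for tag, (onmatch, n, effect) in summarise_filtering(CONFIG).items():
        print(f"{tag:20} onmatch={onmatch:8} conditions={n}  -> {effect}")
    print("effectively disabled:", effectively_disabled(CONFIG))
```

Run against the full file above, every event type lands in the "logs nothing" bucket; the constructed ImageLoad group is the only one that would emit anything. The crash reported in this thread happens regardless, which is the poster's point: the driver is active whether or not its filters match.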

1 Vote
MichaelHanson answered, csinagra-3839 commented

@MarkRussinovich-6559 - Any ideas? We are stuck.

Thanks boss.

Comment (csinagra-3839):

Would be great to get an update on this. I even opened a support case and am getting nowhere.

1 Vote
1 Vote
PenningNicholas-9994 answered

I am tagging @Marc-MSFT as he may have been the one responding to SysMon related forums as well with great feed back.

It seems that asking a question in the old forums redirects us here to a generic docs.microsoft.com site which is super confusing.


2 Votes
csinagra-3839 answered

Hi, experiencing the same issue here with debugging in VS2019 Pro version 16.11.1. The only workaround is to uninstall Sysmon in order to successfully debug. Not ideal, so hoping you could find a fix.


2 Votes
ellets answered

Also an issue for us. Any updates on this thread? Thanks!


1 Vote
GiannettoMatt-6239 answered

This has become an issue for us as well.


2 Votes
DevinMcLean-1930 answered

I was able to reproduce on a Win10 eval Hyper-V VM. Using VS2019 Community edition and a blank WPF project, Sysmon 13.24 with the blank configuration provided by PenningNicholas-9994 above crashed the VM.


0 Votes
foxmsft answered, CameronLeNguyen-6276 commented

Comment:

Awesome, sounds good!

0 Votes

Comment (foxmsft, replying to PenningNicholas-9994):

13.25 coming soon :)

6 Votes

Comment (CameronLeNguyen-6276):

@foxmsft has there been any ETA on the 13.25 release? We just ran into this issue ourselves but need SysMon running on our machines ASAP, so removing it long-term isn't viable. Thanks!

0 Votes
0 Votes
MD-6444 answered

We've been experiencing this problem as well. It seems to only happen in projects where we are using the Microsoft.Xrm.Sdk. Any project that we use to access CRM via the SDK causes the BSOD when we attempt to run in VS 2019.
