Before I enabled WSL1 on my Windows 10 host, Sysmon logged event 1 properly. For example, if I open the Snipping Tool, Sysmon logs a process creation event for it, just like in the following figure
(the three columns are winlog.event_data.Image, winlog.event_data.CommandLine and winlog.event_data.UtcTime, respectively):
After I enabled the WSL1 feature, opening the same Snipping Tool causes duplicate Sysmon event 1 entries with different CommandLine values but at exactly the same time:
Every process creation after WSL1 is enabled causes duplicate Sysmon event 1 entries. The only difference between the duplicate events for a single process creation is the CommandLine field, which looks random or meaningless.
Does anyone have any ideas?