KurtLin-6161 asked dstaulcu commented

Sysmon v10.41 creates duplicate event 1 when WSL is enabled.


Before I enable wsl1 in my Windows10 host, Sysmon logs event 1 properly. For example, if I open a snipping tool, Sysmon will log a process creation event for it just like the following figure
(The three columns are winlog.event_data.Image, winlog.event_data.CommandLine and winlog.event_data.UtcTime respectively):

After I enable the WSL1 feature, the same snipping tool opening will cause duplicate Sysmon event 1 with different CommandLine but at exactly the same time:

Every process creation after wsl1 is enabled will cause duplicate Sysmon event 1. The only difference between the duplicate events for a single process creation is the CommandLine field, which looks random or meaningless.

Does anyone have any ideas?
Thank you.

Attachments: image.png (11.9 KiB), image.png (57.5 KiB)
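One thing worth doing before chasing the cause is to measure the duplication from the collected logs and to keep it from inflating process-creation counts downstream. The script below is an added example, not code from the question or from Sysmon; it assumes records in the Winlogbeat-style layout the question names (winlog.event_id, winlog.event_data.Image, .CommandLine, .UtcTime) and works on a small constructed sample that mimics the reported pattern: two event 1 records for the same Image at the same UtcTime with different CommandLine values.

```python
import json
from collections import OrderedDict

# Constructed sample (not captured data): three Sysmon event 1 records plus one
# unrelated event, in the winlog.event_data layout used by Winlogbeat. The second
# record mimics the duplicate described in the question: same Image and UtcTime
# as the first, but a different, meaningless-looking CommandLine.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"winlog": {"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\SnippingTool.exe",
        "CommandLine": r'"C:\Windows\System32\SnippingTool.exe"',
        "UtcTime": "2020-01-15 08:30:12.123"}}},
    {"winlog": {"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\SnippingTool.exe",
        "CommandLine": r"\??\x5f y",  # constructed junk value, as reported
        "UtcTime": "2020-01-15 08:30:12.123"}}},
    {"winlog": {"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "UtcTime": "2020-01-15 08:31:00.000"}}},
    {"winlog": {"event_id": 3, "event_data": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "UtcTime": "2020-01-15 08:31:05.000"}}},
])


def load_ndjson(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def process_creation_key(event):
    """Return (Image, UtcTime) for a Sysmon event 1 record, or None for any other event."""
    winlog = event.get("winlog", {})
    if winlog.get("event_id") != 1:
        return None
    data = winlog.get("event_data", {})
    return (data.get("Image"), data.get("UtcTime"))


def group_process_creations(events):
    """Group event 1 records by (Image, UtcTime), preserving first-seen order."""
    groups = OrderedDict()
    for event in events:
        key = process_creation_key(event)
        if key is None:
            continue
        groups.setdefault(key, []).append(event)
    return groups


def find_duplicates(events):
    """Report each (Image, UtcTime) pair that produced more than one event 1 record,
    with every CommandLine value seen, so the odd values can be inspected."""
    report = []
    for (image, utc_time), records in group_process_creations(events).items():
        if len(records) > 1:
            command_lines = [r["winlog"]["event_data"].get("CommandLine") for r in records]
            report.append({"Image": image, "UtcTime": utc_time,
                           "count": len(records), "CommandLines": command_lines})
    return report


def dedupe_process_creations(events):
    """Keep the first event 1 record per (Image, UtcTime) and pass all other events
    through unchanged. Returns (kept_events, dropped_count)."""
    seen = set()
    kept, dropped = [], 0
    for event in events:
        key = process_creation_key(event)
        if key is not None:
            if key in seen:
                dropped += 1
                continue
            seen.add(key)
        kept.append(event)
    return kept, dropped


def duplication_rate(events):
    """Fraction of event 1 records that repeat an earlier (Image, UtcTime) pair."""
    total = sum(1 for e in events if process_creation_key(e) is not None)
    if total == 0:
        return 0.0
    _, dropped = dedupe_process_creations(events)
    return dropped / total


if __name__ == "__main__":
    events = load_ndjson(SAMPLE_NDJSON)
    for entry in find_duplicates(events):
        print(json.dumps(entry, indent=2))
    print("duplication rate: %.2f" % duplication_rate(events))
```

Keying on Image plus UtcTime is a deliberate simplification that matches what the question shows; on a busy host two genuine launches of the same image inside the same millisecond would also collapse, so if your records carry Sysmon's per-process identifier (ProcessGuid) add it to the key. The dedupe keeps whichever record arrives first, which is fine for counting but means the surviving CommandLine may be the junk one; the find_duplicates report keeps both values so that can be checked.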

Does the same behavior exist with the latest version of sysmon?


0 Answers