Hi guys,
I've seen that after a while the fields Parent Process GUID / Parent Process Image / Parent Process Command Line / Parent Process User are empty for EventID 1. Did somebody has seen this too?
Well, parent user guides will remain empty until you, the user, or whoever is using the Microsoft account wants or needs to set it up. You simply need to finish setting up your account, go to parents family management, and add your device and that of whoever you need or want to manage. I hope this helps you out; I don't know if I answered your question. Let me know more.
I shall be more clear.
This happens:
<EventData>
<Data Name='RuleName'>-</Data>
<Data Name='UtcTime'>2022-01-12 18:05:14.616</Data>
<Data Name='ProcessGuid'>{435dd357-185a-61df-b700-00000000a100}</Data>
<Data Name='ProcessId'>912</Data>
<Data Name='Image'>C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.2350_none_56f1682d9915d5e5\TiWorker.exe</Data>
<Data Name='FileVersion'>10.0.17763.2350 (WinBuild.160101.0800)</Data>
<Data Name='Description'>Windows Modules Installer Worker</Data>
<Data Name='Product'>Microsoft® Windows® Operating System</Data>
<Data Name='Company'>Microsoft Corporation</Data>
<Data Name='OriginalFileName'>TiWorker.exe</Data>
<Data Name='CommandLine'>C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.2350_none_56f1682d9915d5e5\TiWorker.exe -Embedding</Data>
<Data Name='CurrentDirectory'>C:\Windows\system32\</Data>
<Data Name='User'>NT AUTHORITY\SYSTEM</Data>
<Data Name='LogonGuid'>REDACTED</Data>
<Data Name='LogonId'>0x3e7</Data>
<Data Name='TerminalSessionId'>0</Data>
<Data Name='IntegrityLevel'>System</Data>
<Data Name='Hashes'>SHA1=94940755A87F080ACD73AC5B340DD517F221286D,MD5=DE4CE740F33964027F5D685B8027F9FF,SHA256=6DB18B4A74B04D1BBC4D60BECF654B47755EF1019F96468CC3D83AF12FF5237C,IMPHASH=DFA5AA6C71EAA48650B69852FC48ECDC</Data>
<Data Name='ParentProcessGuid'>{435dd357-1819-61df-0f00-00000000a100}</Data>
<Data Name='ParentProcessId'>952</Data>
<Data Name='ParentImage'>C:\Windows\System32\svchost.exe</Data>
<Data Name='ParentCommandLine'>C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
<Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data>
</EventData>
</Event>
28 seconds later, Sysmon shows no info about the parent process.
<EventData>
<Data Name='RuleName'>-</Data>
<Data Name='UtcTime'>2022-01-12 18:05:42.328</Data>
<Data Name='ProcessGuid'>{435dd357-1876-61df-da00-00000000a100}</Data>
<Data Name='ProcessId'>1576</Data>
<Data Name='Image'>C:\Windows\System32\vdsldr.exe</Data>
<Data Name='FileVersion'>10.0.17763.1697 (WinBuild.160101.0800)</Data>
<Data Name='Description'>Virtual Disk Service Loader</Data>
<Data Name='Product'>Microsoft® Windows® Operating System</Data>
<Data Name='Company'>Microsoft Corporation</Data>
<Data Name='OriginalFileName'>vdsldr.exe</Data>
<Data Name='CommandLine'>C:\Windows\System32\vdsldr.exe -Embedding</Data>
<Data Name='CurrentDirectory'>C:\Windows\system32\</Data>
<Data Name='User'>NT AUTHORITY\SYSTEM</Data>
<Data Name='LogonGuid'>REDACTED</Data>
<Data Name='LogonId'>0x3e7</Data>
<Data Name='TerminalSessionId'>0</Data>
<Data Name='IntegrityLevel'>System</Data>
<Data Name='Hashes'>SHA1=5100C0EFC325E646A8D2833E92A4684F6FDFCC39,MD5=8BD17DB41AEF4D9C005BD8488897D859,SHA256=CA51BEC400924928E2A5946FF3AF89F26B3BB4C3F0087FCE45903AF290EA16B7,IMPHASH=C25737B6F6D492CDA69D7F8126F4755B</Data>
<Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data>
<Data Name='ParentProcessId'>952</Data>
<Data Name='ParentImage'>-</Data>
<Data Name='ParentCommandLine'>-</Data>
<Data Name='ParentUser'>-</Data>
</EventData>
</Event>
So, on the same host, 28 seconds later Sysmon has no clue what the parent process is. And from this point on, the parent process is empty.
Seeing some of the same behavior with Sysmon v13.31: ParentProcessGuid is all 0's, and ParentImage and ParentCommandLine are a "-" (hyphen).
In the process of upgrading from 8.x to 13.31, and the pilot machines are producing that on some of the EID 1 events.
The only pattern I've seen is that only long-running parent processes, like svchost.exe, seem to be affected.
I thought maybe I was only seeing the issue with svchost, but an hour after installing the latest version (13.33) I saw this same issue with C:\Windows\servicing\TrustedInstaller.exe. The problem with svchost not having a Parent Image, Parent Command Line, or Parent GUID is that it sets off "Abnormal Parent-child process" alarms. And given this issue, I won't be rolling v13.3x into production.
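As an added example (not code from the thread or from Sysmon), here is how a detection pipeline can handle the failure mode shown in the two events above and avoid the false "abnormal parent-child" alarms mentioned in the previous post. The script parses Sysmon Event ID 1 EventData XML, flags records whose parent fields are unpopulated (all-zero ParentProcessGuid, "-" strings), and tries to recover the parent image by ParentProcessId from earlier events on the same host (in the thread, PID 952 was already seen as the svchost.exe parent 28 seconds earlier). The sample events are constructed from the posted records with non-essential fields dropped, and the EXPECTED_PARENTS table is an illustrative assumption, not a vetted baseline.

```python
import xml.etree.ElementTree as ET

ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"
MISSING = "-"  # Sysmon writes "-" for string fields it could not populate

# Constructed sample input modelled on the two EventData records posted in this
# thread, reduced to the fields this example uses. Not real log output.
SAMPLE_EVENTS = [
    """<EventData>
<Data Name='UtcTime'>2022-01-12 18:05:14.616</Data>
<Data Name='ProcessGuid'>{435dd357-185a-61df-b700-00000000a100}</Data>
<Data Name='ProcessId'>912</Data>
<Data Name='Image'>C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.2350_none_56f1682d9915d5e5\\TiWorker.exe</Data>
<Data Name='User'>NT AUTHORITY\\SYSTEM</Data>
<Data Name='ParentProcessGuid'>{435dd357-1819-61df-0f00-00000000a100}</Data>
<Data Name='ParentProcessId'>952</Data>
<Data Name='ParentImage'>C:\\Windows\\System32\\svchost.exe</Data>
<Data Name='ParentCommandLine'>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</Data>
<Data Name='ParentUser'>NT AUTHORITY\\SYSTEM</Data>
</EventData>""",
    """<EventData>
<Data Name='UtcTime'>2022-01-12 18:05:42.328</Data>
<Data Name='ProcessGuid'>{435dd357-1876-61df-da00-00000000a100}</Data>
<Data Name='ProcessId'>1576</Data>
<Data Name='Image'>C:\\Windows\\System32\\vdsldr.exe</Data>
<Data Name='User'>NT AUTHORITY\\SYSTEM</Data>
<Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data>
<Data Name='ParentProcessId'>952</Data>
<Data Name='ParentImage'>-</Data>
<Data Name='ParentCommandLine'>-</Data>
<Data Name='ParentUser'>-</Data>
</EventData>""",
]

# Illustrative expected-parent table (an assumption for this example only):
# child image basename -> allowed parent image basenames.
EXPECTED_PARENTS = {
    "tiworker.exe": {"svchost.exe"},
    "vdsldr.exe": {"svchost.exe"},
}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(xml_text):
    """Return the EventData of one Sysmon event as {field name: value}."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def parent_missing(ev):
    """True when Sysmon did not populate the parent fields (the condition in this thread)."""
    return (ev.get("ParentProcessGuid") == ZERO_GUID
            or ev.get("ParentImage", MISSING) == MISSING)


class ParentResolver:
    """Remembers which image each PID had on this host, from earlier events.

    Both sides of every event are recorded (ProcessId/Image and, when present,
    ParentProcessId/ParentImage), so a long-running parent such as svchost.exe
    that was reported as a parent earlier can still be looked up by PID later.
    """

    def __init__(self):
        self.by_pid = {}  # pid -> (image, guid)

    def observe(self, ev):
        self.by_pid[ev["ProcessId"]] = (ev["Image"], ev["ProcessGuid"])
        if not parent_missing(ev):
            self.by_pid[ev["ParentProcessId"]] = (ev["ParentImage"], ev["ParentProcessGuid"])

    def resolve(self, ev):
        """Return (parent_image, source); source is 'event', 'pid-cache' or None.

        A pid-cache hit is best effort: PIDs are reused, so callers should treat
        it as lower confidence than a parent Sysmon reported itself.
        """
        if not parent_missing(ev):
            return ev["ParentImage"], "event"
        hit = self.by_pid.get(ev.get("ParentProcessId"))
        if hit:
            return hit[0], "pid-cache"
        return None, None


def check_parent_child(ev, resolver, expected=EXPECTED_PARENTS):
    """Parent/child rule that does not fire 'abnormal' merely because the parent is unknown."""
    parent_image, source = resolver.resolve(ev)  # resolve against earlier events first
    resolver.observe(ev)                          # then remember this event for later ones
    if parent_image is None:
        return "parent-unresolved"  # separate signal, not an 'abnormal parent' alarm
    allowed = expected.get(basename(ev["Image"]))
    if allowed is None:
        return "no-baseline"
    verdict = "ok" if basename(parent_image) in allowed else "abnormal"
    return verdict if source == "event" else verdict + "-pid-cache"


def analyze(xml_events):
    """Process events in log order; return (pid, image, parent_missing, verdict) per event."""
    resolver = ParentResolver()
    results = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        verdict = check_parent_child(ev, resolver)
        results.append((ev["ProcessId"], basename(ev["Image"]), parent_missing(ev), verdict))
    return results


if __name__ == "__main__":
    for row in analyze(SAMPLE_EVENTS):
        print(row)
```

Run against the two sample events, the first record is judged "ok" from the parent Sysmon reported, and the second, whose parent fields are empty, is judged "ok-pid-cache" because PID 952 was seen as svchost.exe in the earlier record; fed only the second record, the result is "parent-unresolved" rather than "abnormal". The cache is keyed by PID only, so in production it should be scoped per host and aged out, and a pid-cache match should carry lower weight than a parent that Sysmon populated itself.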
I'm experiencing exactly the same issue in version 13.33 (no parent.name while there is a parent.PID; usually this is with processes such as services.exe or svchost.exe).
Do we know whether this problem was resolved in v13.34?
By the way, is there any log/data on what is new/fixed in Sysmon versions?
Many thanks
Didn't realize 13.34 was out, I'll try deploying it to my test systems to see if the issue has been resolved.
Thanks,
-Jason D.
After installing v13.34 I'm still seeing "-" in both ParentImage and ParentCommandLine, in addition to "{00000000-0000-0000-0000-000000000000}" in the ParentProcessGuid, for powershell.exe and svchost.exe. I've only installed it on a single machine so far but will be keeping an eye on it for now. For now the issue still seems to be present in v13.34.
Thanks,
-Jason D.