
TomBradyIsTheGOAT-5974 asked

Can't install latest sysmon on Windows 2012

No matter what, whenever I try to install sysmon64 using the command sysmon64.exe -i config.xml (using SwiftOnSecurity), from PowerShell or Command Prompt, logged in as admin and elevated (not running as SYSTEM), it crashes with the following error. It doesn't seem to be a problem with my NGAV or EDR, as nothing is logged and it works on newer versions of Windows Server.

Problem signature:
Problem Event Name: APPCRASH
Application Name: Sysmon64.exe
Application Version: 13.33.0.0
Application Timestamp: 620d7234
Fault Module Name: Sysmon64.exe
Fault Module Version: 13.33.0.0
Fault Module Timestamp: 620d7234
Exception Code: c0000005
Exception Offset: 00000000000a000d
OS Version: 6.3.9600.2.0.0.400.8
Locale ID: 1033
Additional Information 1: 077e
Additional Information 2: 077ea872e37c0bed723e6c91da1f40c1
Additional Information 3: 6f09
Additional Information 4: 6f09d1b41df8f0fbfa7b6992481611ed

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=280262

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

windows-sysinternals-sysmon

TKujala answered

Hi @TomBradyIsTheGOAT-5974,

Probably, it is a bug.

Is there an older version of the software installed and have you uninstalled it?



TomBradyIsTheGOAT-5974 answered

There is not an older version. This is a first-time roll-out of the product, while we roll out our SIEM. I will admit I haven't searched, but I will try and look to see if there is an official archive for the product, so I can try an older version.


TomBradyIsTheGOAT-5974 answered

I just tried the last 13.24 release. So pre-13.30, and still the same error. Basically I narrowed it down to not being able to install on Windows 2012 R2, no matter what 13.x version (haven't tried pre-13). I tested on multiple VMware instances with the same issue. Tested on a "pizza box" straight install of Windows 2012 R2 we have and everything went fine. So it is something about our 2012 build. We have two VMware sites, so I am going to see if I can narrow it down to an image at one site.
