Sysmon 13.01 hangs Windows Server 2008 R2 // What's in 13.02?

Markus Egger 1 Reputation point
2021-03-24T10:08:21.973+00:00

Hi there,

I know that they are no longer supported - but have any of you experienced I/O freezes/hangs of Windows Server 2008 R2 when installing the Sysmon64 service? We did that yesterday as part of a 3rd party SIEM suite and all the 2008-R2s were effectively "killed" by that; it takes like forever to log on and do anything, you may not even be able to invoke run-as from Task Manager and so on. Resource Monitor shows low CPU and RAM but all I/O-related tabs are blank - no disk I/O, no network I/O shown - like the I/O subsys is completely hung/frozen.
On those systems where I was able to get to the proper CMD and issued "sysmon64 -u force", everything went back to normal.

Now I also wonder what's in 13.02, which was published yesterday - no release notes to be found yet?

Thanks!

Regards,
Markus

Sysinternals

2 answers

  1. diascira 1 Reputation point
    2021-03-24T13:49:47.697+00:00

    We are experiencing the same issue with Sysmon 13.01 (among other issues). I removed Sysmon with sysmon64 -u force, but it took some doing since we couldn't get the servers to complete the logon process. Any ideas what is causing this? We've had a lot of issues with Sysmon 13.01, including workstations failing to log on (excluding all Registry events from the Sysmon config seemed to help with that), and also had Server 2016 issues where RDP was failing, no idea why at this point. Has anyone found workarounds for these issues?


  2. Alex Mihaiuc 716 Reputation points
    2021-03-24T15:40:32.807+00:00

    I have tested on Windows 7 and made some improvements in 13.02 - please let me know whether Sysmon is more reliable now.