SysMon 13.24 crashing on app run with Visual Studio 2019

Penning, Nicholas 141 Reputation points
2021-09-02T21:07:24.127+00:00

Hello, we have confirmed that there is an interoperability issue with Visual Studio Code 2019 and SysMon 13.24 when trying to run an application.

This causes a Blue Screen and can corrupt a project in Visual Studio Code. The current workaround is to remove SysMon. We don't know what other versions this affects as these users don't have time to test.

I have seen some similar issues on older posts but was wondering if others are seeing this problem and how we can address it. This is happening on more than 1 system so it is more of a widespread issue.

Here is a recent post as well that addresses this problem: https://learn.microsoft.com/en-us/answers/questions/511948/bsod-driver-overran-stack-buffer-when-attaching-to.html

This is a much older post with the same Failure ID hash so maybe not as relevant: https://social.technet.microsoft.com/Forums/en-US/64857333-cf8e-47ab-b638-4370ae4e4fce/sysmon-1111-bsod-on-laptops?forum=miscutils

Debugging Details:

------------------

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec  
Value: 4593  

Key  : Analysis.DebugAnalysisManager  
Value: Create  

Key  : Analysis.Elapsed.mSec  
Value: 14312  

Key  : Analysis.Init.CPU.mSec  
Value: 437  

Key  : Analysis.Init.Elapsed.mSec  
Value: 6108  

Key  : Analysis.Memory.CommitPeak.Mb  
Value: 77  

Key  : WER.OS.Branch  
Value: vb_release  

Key  : WER.OS.Timestamp  
Value: 2019-12-06T14:06:00Z  

Key  : WER.OS.Version  
Value: 10.0.19041.1  

BUGCHECK_CODE: f7

BUGCHECK_P1: ff96a4d06874eab0

BUGCHECK_P2: f8077ce3f0c0

BUGCHECK_P3: ffff07f8831c0f3f

BUGCHECK_P4: 0

SECURITY_COOKIE: Expected 0000f8077ce3f0c0 found ff96a4d06874eab0

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: devenv.exe

STACK_TEXT:
ffffa48a685cea38 fffff8077ce21056 : 00000000000000f7 ff96a4d06874eab0 0000f8077ce3f0c0 ffff07f8831c0f3f : nt!KeBugCheckEx
ffffa48a685cea40 00000000000000f7 : ff96a4d06874eab0 0000f8077ce3f0c0 ffff07f8831c0f3f 0000000000000000 : SysmonDrv+0x1056
ffffa48a685cea48 ff96a4d06874eab0 : 0000f8077ce3f0c0 ffff07f8831c0f3f 0000000000000000 0100000000100000 : 0xf7
ffffa48a685cea50 0000f8077ce3f0c0 : ffff07f8831c0f3f 0000000000000000 0100000000100000 ffff8009fb5bf620 : 0xff96a4d06874eab0
ffffa48a685cea58 ffff07f8831c0f3f : 0000000000000000 0100000000100000 ffff8009fb5bf620 fffff8077ce285e8 : 0x0000f8077ce3f0c0
ffffa48a685cea60 0000000000000000 : 0100000000100000 ffff8009fb5bf620 fffff8077ce285e8 0000000000000001 : 0xffff07f8`831c0f3f

SYMBOL_NAME: SysmonDrv+1056

MODULE_NAME: SysmonDrv

IMAGE_NAME: SysmonDrv.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1056

FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {bfcd09b2-c8e3-6711-5ab4-bb081f1f34f2}

Followup: MachineOwner
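Bugcheck 0xF7 (DRIVER_OVERRAN_STACK_BUFFER) in the dump above is the kernel's /GS stack-cookie check firing inside SysmonDrv: parameter 1 is the cookie value actually found on the stack, parameter 2 the expected cookie and parameter 3 its bitwise complement. As an added example that is not part of the thread, this Python helper pulls those fields out of "!analyze -v" text, checks that the parameters are self-consistent and names the faulting module; the sample report is constructed from the values quoted in the question.

```python
import re

# Constructed sample: the relevant KEY: value lines of the "!analyze -v"
# report from the question above (values copied from that dump).
SAMPLE_ANALYSIS = """\
BUGCHECK_CODE: f7
BUGCHECK_P1: ff96a4d06874eab0
BUGCHECK_P2: f8077ce3f0c0
BUGCHECK_P3: ffff07f8831c0f3f
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 0000f8077ce3f0c0 found ff96a4d06874eab0
PROCESS_NAME: devenv.exe
SYMBOL_NAME: SysmonDrv+1056
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function
"""

MASK64 = (1 << 64) - 1
FIELD_RE = re.compile(r"^([A-Z0-9_]+):\s*(.*)$")

def parse_analysis(text):
    """Collect the upper-case KEY: value lines of a WinDbg report into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage_0xf7(fields):
    """Summarise a 0xF7 bugcheck: P1 = cookie found on the stack,
    P2 = expected cookie, P3 = ~P2. Returns None for other bugcheck codes."""
    if int(fields["BUGCHECK_CODE"], 16) != 0xF7:
        return None
    found = int(fields["BUGCHECK_P1"], 16)
    expected = int(fields["BUGCHECK_P2"], 16)
    complement = int(fields["BUGCHECK_P3"], 16)
    return {
        "module": fields.get("IMAGE_NAME", "?"),
        "symbol": fields.get("SYMBOL_NAME", "?"),
        "process": fields.get("PROCESS_NAME", "?"),
        "bucket": fields.get("FAILURE_BUCKET_ID", "?"),
        # A genuine GS failure report has P3 equal to the 64-bit complement of P2.
        "params_consistent": complement == (~expected & MASK64),
        # The cookie on the stack differs from the expected one: buffer overrun.
        "cookie_overwritten": found != expected,
    }

def summarize(text):
    return triage_0xf7(parse_analysis(text))
```

Running it over dumps collected from several machines lets you confirm they all share the same module and bucket before deciding whether the driver, rather than the debugger, is the component to roll back.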


11 additional answers

  1. csinagra 21 Reputation points
    2021-09-08T18:49:06.393+00:00

    Hi, experiencing the same issue here with debugging in VS2019 Pro version 16.11.1. The only workaround is to uninstall Sysmon in order to successfully debug. Not ideal, so hoping you could find a fix.

    2 people found this answer helpful.

  2. Elle T 11 Reputation points
    2021-09-09T08:23:37.557+00:00

    Also an issue for us. Any updates on this thread? Thanks!

    2 people found this answer helpful.

  3. Devin McLean 11 Reputation points
    2021-09-27T19:12:51.7+00:00

    I was able to reproduce on a Win10 eval hyper-v VM. Using vs2019 community edition and a blank WPF project, sysmon 13.24's blank configuration provided by PenningNicholas-9994 above crashed the VM.

    2 people found this answer helpful.

  4. Penning, Nicholas 141 Reputation points
    2021-09-03T16:45:22.823+00:00

    After further review, it appears that even when no rules are configured, SysMon will still crash the system. Example config:

    <Sysmon schemaversion="4.70">
      <HashAlgorithms>*</HashAlgorithms>
      <!-- This now also determines the file names of the files preserved (String) -->
      <CheckRevocation />
      <DnsLookup>False</DnsLookup>
      <!-- Disables lookup behavior, default is True (Boolean) -->
      <ArchiveDirectory>Sysmon</ArchiveDirectory>
      <!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String) -->
      <CaptureClipboard />
      <!-- This enables capturing the Clipboard changes -->
      <EventFiltering>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 1 == Process Creation. -->
          <ProcessCreate onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 2 == File Creation Time. -->
          <FileCreateTime onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 3 == Network Connection. -->
          <NetworkConnect onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 5 == Process Terminated. -->
          <ProcessTerminate onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 6 == Driver Loaded. -->
          <DriverLoad onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 7 == Image Loaded. -->
          <ImageLoad onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 8 == CreateRemoteThread. -->
          <!-- Default to log all and exclude a few common processes -->
          <CreateRemoteThread onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 9 == RawAccessRead. -->
          <RawAccessRead onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 10 == ProcessAccess. -->
          <ProcessAccess onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 11 == FileCreate. -->
          <FileCreate onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
          <RegistryEvent onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 15 == FileStream Created. -->
          <FileCreateStreamHash onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
          <PipeEvent onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity -->
          <WmiEvent onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 22 == DNS Queries and their results -->
          <!-- Default to log all and exclude a few common processes -->
          <DnsQuery onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 23 == File Delete and overwrite events -->
          <FileDelete onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 24 == Clipboard change events, only captures text, not files -->
          <!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care! -->
          <ClipboardChange onmatch="include" />
        </RuleGroup>
        <RuleGroup name="" groupRelation="or">
          <!-- Event ID 25 == Process tampering events -->
          <ProcessTampering onmatch="include" />
        </RuleGroup>
      </EventFiltering>
    </Sysmon>

    1 person found this answer helpful.