I have confirmed that 13.30 has resolved this issue. Thanks all for your input and thanks to those who worked to get this fixed!
SysMon 13.24 crashing on app run with Visual Studio 2019
Hello, we have confirmed that there is an interoperability issue with Visual Studio Code 2019 and SysMon 13.24 when trying to run an application.
This causes a Blue Screen and can corrupt a project in Visual Studio Code. The current workaround is to remove SysMon. We don't know what other version this affects as these users don't have time to test.
I have seen some similar issues on older posts but was wondering if others are seeing this problem and how we can address it. This is happening on more than 1 system so it is more of a widespread issue.
Here is a recent post as well that addresses this problem: https://learn.microsoft.com/en-us/answers/questions/511948/bsod-driver-overran-stack-buffer-when-attaching-to.html
This is a much older post with the same Failure ID hash so maybe not as relevant: https://social.technet.microsoft.com/Forums/en-US/64857333-cf8e-47ab-b638-4370ae4e4fce/sysmon-1111-bsod-on-laptops?forum=miscutils
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4593
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 14312
Key : Analysis.Init.CPU.mSec
Value: 437
Key : Analysis.Init.Elapsed.mSec
Value: 6108
Key : Analysis.Memory.CommitPeak.Mb
Value: 77
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: f7
BUGCHECK_P1: ff96a4d06874eab0
BUGCHECK_P2: f8077ce3f0c0
BUGCHECK_P3: ffff07f8831c0f3f
BUGCHECK_P4: 0
SECURITY_COOKIE: Expected 0000f8077ce3f0c0 found ff96a4d06874eab0
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: devenv.exe
STACK_TEXT:
ffffa48a685cea38 fffff8077ce21056 : 00000000000000f7 ff96a4d06874eab0 0000f8077ce3f0c0 ffff07f8831c0f3f : nt!KeBugCheckEx
ffffa48a685cea40 00000000000000f7 : ff96a4d06874eab0 0000f8077ce3f0c0 ffff07f8831c0f3f 0000000000000000 : SysmonDrv+0x1056
ffffa48a685cea48 ff96a4d06874eab0 : 0000f8077ce3f0c0 ffff07f8831c0f3f 0000000000000000 0100000000100000 : 0xf7
ffffa48a685cea50 0000f8077ce3f0c0 : ffff07f8831c0f3f 0000000000000000 0100000000100000 ffff8009fb5bf620 : 0xff96a4d06874eab0
ffffa48a685cea58 ffff07f8831c0f3f : 0000000000000000 0100000000100000 ffff8009fb5bf620 fffff8077ce285e8 : 0x0000f8077ce3f0c0
ffffa48a685cea60 0000000000000000 : 0100000000100000 ffff8009fb5bf620 fffff8077ce285e8 0000000000000001 : 0xffff07f8`831c0f3f
SYMBOL_NAME: SysmonDrv+1056
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 1056
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {bfcd09b2-c8e3-6711-5ab4-bb081f1f34f2}
Followup: MachineOwner
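For correlating reports like this across several machines, here is an added triage script; it is not from this thread, Microsoft or Sysinternals. It parses the `!analyze -v` key/value output into a dictionary, lists the symbols from STACK_TEXT, flags the pattern shown above (bugcheck 0xF7, DRIVER_OVERRAN_STACK_BUFFER, attributed to SysmonDrv with a security-cookie mismatch), and compares an installed Sysmon version string against 13.30, the version the accepted answer reports as fixed. Treating every release before 13.30 as potentially affected is an assumption, since the thread only confirms 13.24. The sample input is a constructed excerpt of the output above with the stack frames rejoined onto one line each.

```python
"""Triage helper for WinDbg '!analyze -v' output.

Added example for this thread, not code from Microsoft or Sysinternals.
It turns the key/value dump into a dict, lists the STACK_TEXT symbols,
flags the DRIVER_OVERRAN_STACK_BUFFER (0xF7) pattern attributed to
SysmonDrv, and checks a Sysmon version string against the 13.30 fix.
"""
import re

# Constructed excerpt of the debugger output quoted in the question,
# with the STACK_TEXT frames rejoined onto one line each.
SAMPLE = """\
Key  : WER.OS.Version
    Value: 10.0.19041.1
BUGCHECK_CODE: f7
BUGCHECK_P1: ff96a4d06874eab0
SECURITY_COOKIE: Expected 0000f8077ce3f0c0 found ff96a4d06874eab0
PROCESS_NAME: devenv.exe
STACK_TEXT:
ffffa48a685cea38 fffff8077ce21056 : 00000000000000f7 ff96a4d06874eab0 0000f8077ce3f0c0 ffff07f8831c0f3f : nt!KeBugCheckEx
ffffa48a685cea40 00000000000000f7 : ff96a4d06874eab0 0000f8077ce3f0c0 ffff07f8831c0f3f 0000000000000000 : SysmonDrv+0x1056
SYMBOL_NAME: SysmonDrv+1056
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
FAILURE_BUCKET_ID: 0xF7_MISSING_GSFRAME_SysmonDrv!unknown_function
FAILURE_ID_HASH: {bfcd09b2-c8e3-6711-5ab4-bb081f1f34f2}
"""

# "NAME: value" lines use upper-case names; the "Key : x / Value: y" pairs
# under KEY_VALUES_STRING are spread over two lines.
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")
KEY_RE = re.compile(r"^Key\s*:\s*(\S+)$")
VALUE_RE = re.compile(r"^Value\s*:\s*(.*)$")
COOKIE_RE = re.compile(r"Expected\s+([0-9a-f]+)\s+found\s+([0-9a-f]+)", re.I)
# A frame is: child SP, return address, four argument slots, then the symbol.
FRAME_RE = re.compile(r"^[0-9a-f]{16} [0-9a-f]{16} : (?:[0-9a-f]{16} ){4}: (.+)$")


def parse_analyze(text):
    """Return the NAME: value fields and the Key/Value pairs as one dict."""
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            pending = m.group(1)
        elif pending and (m := VALUE_RE.match(line)):
            fields[pending] = m.group(1).strip()
            pending = None
        elif (m := FIELD_RE.match(line)):
            fields[m.group(1)] = m.group(2).strip()
    return fields


def stack_symbols(text):
    """Symbols of the STACK_TEXT frames, top of stack first."""
    return [m.group(1) for line in text.splitlines()
            if (m := FRAME_RE.match(line.strip()))]


def cookie_mismatch(fields):
    """True if SECURITY_COOKIE shows expected != found, None if absent."""
    m = COOKIE_RE.search(fields.get("SECURITY_COOKIE", ""))
    return None if not m else m.group(1).lower() != m.group(2).lower()


def is_sysmon_gs_crash(fields, symbols):
    """The signature from this thread: bugcheck 0xF7, a /GS cookie mismatch,
    and SysmonDrv as the frame directly below nt!KeBugCheckEx."""
    below_bugcheck = symbols[1] if len(symbols) > 1 else ""
    return (fields.get("BUGCHECK_CODE", "").lower() == "f7"
            and cookie_mismatch(fields) is True
            and fields.get("MODULE_NAME") == "SysmonDrv"
            and below_bugcheck.startswith("SysmonDrv"))


FIXED_VERSION = (13, 30)  # reported in the accepted answer as resolving the issue


def version_tuple(v):
    return tuple(int(p) for p in v.strip().split("."))


def sysmon_needs_update(version_str):
    """Assumption: every release before 13.30 is treated as potentially
    affected; the thread itself only confirms 13.24."""
    return version_tuple(version_str) < FIXED_VERSION


if __name__ == "__main__":
    f = parse_analyze(SAMPLE)
    syms = stack_symbols(SAMPLE)
    print("bucket:", f.get("FAILURE_BUCKET_ID"), "hash:", f.get("FAILURE_ID_HASH"))
    print("stack:", " <- ".join(syms))
    print("matches Sysmon /GS crash:", is_sysmon_gs_crash(f, syms))
    for v in ("13.24", "13.30"):
        print(f"Sysmon {v} needs update: {sysmon_needs_update(v)}")
```

Feed it the text of `!analyze -v` from each affected machine and compare FAILURE_ID_HASH and the stack signature; matching hashes indicate the same bucket, which is what the question is asking other users to confirm.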
-
csinagra 21 Reputation points
2021-09-08T18:49:06.393+00:00 Hi, Experiencing the same issue here with debugging in VS2019Pro version 16.11.1. The only workaround is to uninstall Sysmon in order to successfully debug. Not ideal so hoping you could find a fix.
-
Elle T 11 Reputation points
2021-09-09T08:23:37.557+00:00 Also an issue for us. Any updates on this thread? Thanks!
-
Devin McLean 11 Reputation points
2021-09-27T19:12:51.7+00:00 I was able to reproduce on a Win10 eval hyper-v VM. Using vs2019 community edition and a blank WPF project, sysmon 13.24's blank configuration provided by PenningNicholas-9994 above crashed the VM.
-
Penning, Nicholas 141 Reputation points
2021-09-03T16:45:22.823+00:00 After further review, it appears that even when no rules are configured, SysMon will still crash the system. Example config:
<Sysmon schemaversion="4.70">
  <HashAlgorithms>*</HashAlgorithms> <!-- This now also determines the file names of the files preserved (String) -->
  <CheckRevocation />
  <DnsLookup>False</DnsLookup> <!-- Disables lookup behavior, default is True (Boolean) -->
  <ArchiveDirectory>Sysmon</ArchiveDirectory> <!-- Sets the name of the directory in the C:\ root where preserved files will be saved (String) -->
  <CaptureClipboard /> <!-- This enables capturing the Clipboard changes -->
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1 == Process Creation. -->
      <ProcessCreate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 2 == File Creation Time. -->
      <FileCreateTime onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3 == Network Connection. -->
      <NetworkConnect onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 5 == Process Terminated. -->
      <ProcessTerminate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 6 == Driver Loaded. -->
      <DriverLoad onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 7 == Image Loaded. -->
      <ImageLoad onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 8 == CreateRemoteThread. -->
      <!-- Default to log all and exclude a few common processes -->
      <CreateRemoteThread onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 9 == RawAccessRead. -->
      <RawAccessRead onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 10 == ProcessAccess. -->
      <ProcessAccess onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 11 == FileCreate. -->
      <FileCreate onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed. -->
      <RegistryEvent onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 15 == FileStream Created. -->
      <FileCreateStreamHash onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected -->
      <PipeEvent onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 19,20,21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity -->
      <WmiEvent onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 22 == DNS Queries and their results -->
      <!-- Default to log all and exclude a few common processes -->
      <DnsQuery onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 23 == File Delete and overwrite events -->
      <FileDelete onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 24 == Clipboard change events, only captures text, not files -->
      <!-- Default set to disabled due to privacy implications and potential data you leave for attackers, enable with care! -->
      <ClipboardChange onmatch="include" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 25 == Process tampering events -->
      <ProcessTampering onmatch="include" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>