Sysmon 13.33: Parent Process GUID / Parent Process Image / Parent Process Command Line / Parent Process User in EID1 are empty after a while

Joe Doe 156 Reputation points
2022-03-04T09:52:47.97+00:00

Hi guys,
I've seen that after a while the fields Parent Process GUID / Parent Process Image / Parent Process Command Line / Parent Process User are empty for EventID 1. Has anybody seen this too?

Sysinternals

6 answers

  1. rednek SMACKINFOOLZ 1 Reputation point
    2022-03-04T14:14:15.123+00:00

    Well, parent user guides will remain empty until you, the user, or whoever is using the Microsoft account wants or needs to set it up. You simply need to finish setting up your account and go to parents family management and add your device and that of whoever you need or want to manage. I hope this helps you out; I don't know if I answered your question. Let me know more.


  2. rednek SMACKINFOOLZ 1 Reputation point
    2022-03-04T14:18:41.007+00:00

    Hope this helps


  3. heck-gd 21 Reputation points
    2022-11-09T15:46:22.093+00:00

    We're also facing this problem. ParentImage and ParentCommandLine are "-" for processes like svchost.exe. This is severely limiting our monitoring because we validate parent processes in lots of cases.

    So far we have been running Sysmon v13.24, which did not have this bug, but that's no longer an option due to CVE-2022-41120. The version that initially had this regression appears to be v13.32 (or possibly v13.30). It would be really great if you could fix it!


  4. Joe Doe 156 Reputation points
    2022-03-04T15:46:46.49+00:00

    Let me be clearer.
    This happens:
    <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2022-01-12 18:05:14.616</Data>
    <Data Name='ProcessGuid'>{435dd357-185a-61df-b700-00000000a100}</Data>
    <Data Name='ProcessId'>912</Data>
    <Data Name='Image'>C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.2350_none_56f1682d9915d5e5\TiWorker.exe</Data>
    <Data Name='FileVersion'>10.0.17763.2350 (WinBuild.160101.0800)</Data>
    <Data Name='Description'>Windows Modules Installer Worker</Data>
    <Data Name='Product'>Microsoft® Windows® Operating System</Data>
    <Data Name='Company'>Microsoft Corporation</Data>
    <Data Name='OriginalFileName'>TiWorker.exe</Data>
    <Data Name='CommandLine'>C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.2350_none_56f1682d9915d5e5\TiWorker.exe -Embedding</Data>
    <Data Name='CurrentDirectory'>C:\Windows\system32\</Data>
    <Data Name='User'>NT AUTHORITY\SYSTEM</Data>
    <Data Name='LogonGuid'>REDACTED</Data>
    <Data Name='LogonId'>0x3e7</Data>
    <Data Name='TerminalSessionId'>0</Data>
    <Data Name='IntegrityLevel'>System</Data>
    <Data Name='Hashes'>SHA1=94940755A87F080ACD73AC5B340DD517F221286D,MD5=DE4CE740F33964027F5D685B8027F9FF,SHA256=6DB18B4A74B04D1BBC4D60BECF654B47755EF1019F96468CC3D83AF12FF5237C,IMPHASH=DFA5AA6C71EAA48650B69852FC48ECDC</Data>
    <Data Name='ParentProcessGuid'>{435dd357-1819-61df-0f00-00000000a100}</Data>
    <Data Name='ParentProcessId'>952</Data>
    <Data Name='ParentImage'>C:\Windows\System32\svchost.exe</Data>
    <Data Name='ParentCommandLine'>C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
    <Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data>
    </EventData>
    </Event>

    28 seconds later Sysmon shows no info about the parent process.

    <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2022-01-12 18:05:42.328</Data>
    <Data Name='ProcessGuid'>{435dd357-1876-61df-da00-00000000a100}</Data>
    <Data Name='ProcessId'>1576</Data>
    <Data Name='Image'>C:\Windows\System32\vdsldr.exe</Data>
    <Data Name='FileVersion'>10.0.17763.1697 (WinBuild.160101.0800)</Data>
    <Data Name='Description'>Virtual Disk Service Loader</Data>
    <Data Name='Product'>Microsoft® Windows® Operating System</Data>
    <Data Name='Company'>Microsoft Corporation</Data>
    <Data Name='OriginalFileName'>vdsldr.exe</Data>
    <Data Name='CommandLine'>C:\Windows\System32\vdsldr.exe -Embedding</Data>
    <Data Name='CurrentDirectory'>C:\Windows\system32\</Data>
    <Data Name='User'>NT AUTHORITY\SYSTEM</Data>
    <Data Name='LogonGuid'>REDACTED</Data>
    <Data Name='LogonId'>0x3e7</Data>
    <Data Name='TerminalSessionId'>0</Data>
    <Data Name='IntegrityLevel'>System</Data>
    <Data Name='Hashes'>SHA1=5100C0EFC325E646A8D2833E92A4684F6FDFCC39,MD5=8BD17DB41AEF4D9C005BD8488897D859,SHA256=CA51BEC400924928E2A5946FF3AF89F26B3BB4C3F0087FCE45903AF290EA16B7,IMPHASH=C25737B6F6D492CDA69D7F8126F4755B</Data>
    <Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name='ParentProcessId'>952</Data>
    <Data Name='ParentImage'>-</Data>
    <Data Name='ParentCommandLine'>-</Data>
    <Data Name='ParentUser'>-</Data>
    </EventData>
    </Event>

    So, on the same host, 28 seconds later Sysmon has no clue what the parent process is, and from that point on the parent process fields are empty.
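A way to measure how much of the EID 1 stream is hit by this, and to get a best-effort parent back while a fixed build is pending, as an added example that is not part of this thread and not Sysmon's own code: parse exported event XML, flag records carrying the null ParentProcessGuid / "-" ParentImage shown in the post, and join ParentProcessId against the most recent earlier EID 1 whose ProcessId matches. The sample records are constructed: the two from the post, cut down to the fields the script reads, plus an assumed earlier EID 1 for the svchost.exe instance with PID 952 (its timestamp and its own parent are assumptions) so the join has something to find.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample (not a real export): the two EventData blocks from the
# post, trimmed to the fields read below, plus an ASSUMED earlier EID 1 for
# svchost.exe PID 952 so the PID join has a record to hit.
SAMPLE_XML = r"""<Events>
<Event><EventData>
<Data Name='UtcTime'>2022-01-12 18:04:09.870</Data>
<Data Name='ProcessGuid'>{435dd357-1819-61df-0f00-00000000a100}</Data>
<Data Name='ProcessId'>952</Data>
<Data Name='Image'>C:\Windows\System32\svchost.exe</Data>
<Data Name='ParentProcessGuid'>{435dd357-1818-61df-0b00-00000000a100}</Data>
<Data Name='ParentProcessId'>680</Data>
<Data Name='ParentImage'>C:\Windows\System32\services.exe</Data>
</EventData></Event>
<Event><EventData>
<Data Name='UtcTime'>2022-01-12 18:05:14.616</Data>
<Data Name='ProcessGuid'>{435dd357-185a-61df-b700-00000000a100}</Data>
<Data Name='ProcessId'>912</Data>
<Data Name='Image'>C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.2350_none_56f1682d9915d5e5\TiWorker.exe</Data>
<Data Name='ParentProcessGuid'>{435dd357-1819-61df-0f00-00000000a100}</Data>
<Data Name='ParentProcessId'>952</Data>
<Data Name='ParentImage'>C:\Windows\System32\svchost.exe</Data>
</EventData></Event>
<Event><EventData>
<Data Name='UtcTime'>2022-01-12 18:05:42.328</Data>
<Data Name='ProcessGuid'>{435dd357-1876-61df-da00-00000000a100}</Data>
<Data Name='ProcessId'>1576</Data>
<Data Name='Image'>C:\Windows\System32\vdsldr.exe</Data>
<Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data>
<Data Name='ParentProcessId'>952</Data>
<Data Name='ParentImage'>-</Data>
</EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Return one dict (Data Name -> text) per <Event>, with a parsed '_utc' timestamp."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        fields = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        fields["_utc"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(fields)
    return events


def parent_missing(ev):
    """The symptom from the thread: all-zero ParentProcessGuid and/or '-' ParentImage."""
    return ev.get("ParentProcessGuid") == NULL_GUID or ev.get("ParentImage", "-") == "-"


def recover_parents(events):
    """Fill missing parent fields from the latest earlier EID 1 whose ProcessId == ParentProcessId.

    Best effort only: Windows reuses PIDs, and a parent that started before
    Sysmon loaded has no EID 1 to join against. The ProcessGuid Sysmon
    normally supplies is what makes the parent link unambiguous.
    """
    latest_by_pid = {}
    out = []
    for ev in sorted(events, key=lambda e: e["_utc"]):  # time order => only earlier starts are candidates
        rec = dict(ev)
        rec["ParentRecovered"] = False
        if parent_missing(ev):
            cand = latest_by_pid.get(ev["ParentProcessId"])
            if cand is not None:
                rec["ParentProcessGuid"] = cand["ProcessGuid"]
                rec["ParentImage"] = cand["Image"]
                rec["ParentRecovered"] = True
        latest_by_pid[ev["ProcessId"]] = ev
        out.append(rec)
    return out


def summarize(events):
    """Counts a SOC would want on a dashboard: how many EID 1s lost their parent, how many we could patch up."""
    recs = recover_parents(events)
    return {
        "total": len(recs),
        "parent_missing": sum(parent_missing(e) for e in events),
        "recovered": sum(r["ParentRecovered"] for r in recs),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for rec in recover_parents(evs):
        state = "ok"
        if rec["ParentRecovered"]:
            state = "parent recovered via PID join"
        elif parent_missing(rec):
            state = "parent missing, no earlier EID 1 for that PID"
        image = rec["Image"].split("\\")[-1]
        print(f"{rec['UtcTime']} pid={rec['ProcessId']:>5} {image:<12} parent={rec['ParentImage']} [{state}]")
    print(summarize(evs))
```

On a live host the input can come from `wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*[System[EventID=1]]" /f:xml`, which emits a bare sequence of `<Event>` elements, so wrap the output in a root element before parsing. Treat the PID join as a hint, not as the answer a rule should fire on: a parent that predates Sysmon has no EID 1, and a reused PID will match the wrong record.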


  5. JL 141 Reputation points
    2022-05-17T10:05:49.633+00:00

    I'm experiencing exactly the same issue in version 13.33 (no parent.name while there is a parent.PID; usually this is with processes such as "services.exe" or svchost.exe).

    Do we know whether this problem was resolved in v13.34?

    By the way, is there any log/data on what is new/fixed in Sysmon versions?

    many thanks