This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 15%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Hello,
After we migrate Sysmon to v15.0, everything works fine as expected, but it is unstoppable. During patching cycles or some other maintenance window, we need to stop Sysmon for a short duration. When we try to stop it through Services with administrative role, it is showing an " Error 5: Access Denied". Is that by design or bug or some other way to stop for a short duration? Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 82%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPV%3C/text%3E%3C/svg%3E)
If an Admin can easily uninstall Sysmon, why should it not be able to stop/start it? If this is done by design to protect the service from Hackers, then the Hacker still have the posibility to uninstall it (with higher permissions). So for me, it still makes not really sense to protect the Service in that manner..
This is by design. Starting with v15.0, the Sysmon service runs as a protected process and therefore cannot be stopped externally. However, Sysmon can still be uninstalled. Is it feasible to uninstall Sysmon, during maintenance, and reinstall it after?
Hi John,
Thanks for the response. Let me circle back to my Infra team with the recommendations.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 90%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
why? What a administrator can do it if service crushing ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 98%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWH%3C/text%3E%3C/svg%3E)
how can you uninstall this? we get an access denied even trying to uninstall it.
I have another ticket question open on V15 as we get this message when it tries to run
The code execution cannot proceed because C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.22621.608_none_fb280a3c7926c2cc\COMCTL32.dll was not found. Reinstalling the program may fix this problem.
Hi, not in all environments does that work. Specially when the installation is scripted. After the uninstall/install. The service does not come up. And in some situations you can't uninstall before you stop the service. So what now?