This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 49%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Hello,
I am running into a bit of an issue and I can't find anymore information regarding it.
We have no more use for Sysmon on our network and I am working through uninstalling it from our Windows 10 devices.
After uninstalling v15.14 with the recommended steps (including -u, deleting the service reg keys, and deleting the actual objects in the windows folder) it is gone for about 30-40 minutes until I notice that sysmon has returned only its version 9.01. And after uninstalling that it just keeps reappearing every so often.
I looked in event viewer for any installation history happening after my uninstall and I can see the following
Event ID: 7045 A service was installed in the system. Service Name: Sysmon Service File Name: C:\windows\Sysmon.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
I can see the same for sysmondrv.sys as well as Event ID 6 for the service registering with Filter Manager.
I should say, v9.01 was the old version before I upgraded to v15.14. Is there some sort of remnant files or services I am missing to delete from my old version? Why does this version of Sysmon keep reappearing even after a "scorched-earth" uninstall?
I have already looked at our policies applied to these workstations and to scheduled tasks as well as SCCM and I cannot find this version of sysmon pushing to machines, it just reappears on them for some reason, am I crazy or has this behavior been documented?
Run Process Monitor and set a filter for "Path contains sysmon.exe". Also in the filter entries, uncheck the entry for "Process name is system (Exclude)". That should lead you to the process that is reinstalling it.
Double click any event that it catches and in the Process tab, check the program and the command line that it was launched with. Also note the parent PID and see what that program is.
Using Procmon.exe to look through it now. Good tip.
Managed to find a path that it was reaching to at a central domain location, it does look like its a CCM script that is scheduled for some reason. Still have to find which one it is. ".old" the file and folder on the domain which it sits so it shouldn't install anymore. I appreciate the help!
Run Process Monitor and set a filter for "Path contains sysmon.exe". Also in the filter entries, uncheck the entry for "Process name is system (Exclude)". That should lead you to the process that is reinstalling it. Double click any event that it catches and in the Process tab, check the program and the command line that it was launched with. Also note the parent PID and see what that program is.
Thanks so much. Found in Procmon.exe there was a CCM script somewhere that was calling to sysmon.exe in a central location, ".olded" it and I am looking for the script now. I appreciate the help!