This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 56.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Noticed, even with latest sysmon there is a memory leak. Memory keeps on increasing. 100mb in 6 hours since restart. Busier servers seem to increase the memory quicker. Over a week or so goes up over 1gb. 1 server over 30 days went to 4gb memory usage on the sysmon process. Anyone else notice this on 2019 Windows Servers? Some of the servers run some application logging with constant log writing to various log directories. Should we be omitting these directories in sysmon? Running latest sysmon 12.3 version as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 78%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Also, can you take some screenshots using RamMap to show exactly what kind of memory is increasing??
Let's say one screenshot every 3 hours for 4 times to show the increase on 12 hours..
Thanks
-mario
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 35%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I'm running a parallel experiment. Over 4 observations:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 25%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
I asked to capture some RamMap screenshots because if by any chance the leaked memory has been transferred to the standby list, then you can "mitigate" the problem releasing it using rammap itself
But in this case it looks like a real memory leak.. so there is nothing else to do that report it as a bug and wait for a fix..
Thanks
-mario
I've reported the FileDelete oriented leak and it sounds like a fix is on the way.
I am curious to hear back from @azr and to learn whether FileDelete monitoring is enabled on problematic hosts. As a workaround, the impact of the leak can be avoided on sysmon versions 12.1, 12.2, and 12.3 by disabling FileDelete collection rules. The leak is unavoidable, without disabling the service, in 12.0 and likely all versions of 11.
Thanks for your information. I posted, we ended up exempting the program paths that are doing a lot of file operations. 11.4mb steady now in memory use. I can test the updated version once it comes out. Thanks.
Glad to hear you are in a safe state.
Speaking of thanks, thanks also to the member of the development team who dropped everything to address the memory leak once problem scope was identified, source narrowed, and reproduction steps made available. Many unplanned hours of work went into a remedy and verifications. Awesome folks to interact with.
It must have to do with the fileDelete or update. We ended up exempting the full program path's that are doing a lot of file operations. Once doing that we are steady around 11.4mb. Seems to be on servers that do heavy logging and file operations. Thanks for your detailed information. Quite helpful. I see you said they are working on a fix. We can test it out once that is released too. Thanks.