This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 69%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Is there a way with Sysmon 13.01 to prevent the creation of the Archive Directory (default is C:\Sysmon) and prevent file deletions from saving the file to the local filesystem?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 35%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
At present, the only way to ensure deleted files are not written to archive is to ensure the input is disabled or FileDelete rules are excluding problematic files/folders.
<!--SYSMON EVENT ID 23 : File Delete archived [FileDelete]-->
<!--DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived-->
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="include">
</FileDelete>
</RuleGroup>
I think there is a problem with 13.02 where all clipboard operations are archived if any rule is enabled. I would keep ClipBoard change logging turned off altogether until that problem has been addressed in some version beyond 13.02.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 61%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I also really want to know this.
Also, for me, changing <ArchiveDirectory>Sysmon</ArchiveDirectory> makes no difference. Even if I change it to <ArchiveDirectory>DeletedFiles</ArchiveDirectory> or whatever, it still saves to C:\Sysmon. Deleting this line makes no difference either.
Same with 13.02.
Are you sure it is still saving to c:\sysmon? When I first tried to reproduce the problem you reported I thought the same thing was happening to me.
After closer inspection, seems like Sysmon keeps the original archive folder/content around and does not create the new archive folder until the first fileDelete or ClipboardChange operation matching include/exclude rules takes place.
Yup, because every time the Sysmon folder was tens of GBs in size so I deleted it ( del f /q C:\Sysmon ). C:\Sysmon was still always created.
btw. i am told that the only supported method to change archive directory name is to uninstall then reinstall with change in initial config.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 69%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZB%3C/text%3E%3C/svg%3E)
Currently, the only way to disable is provided by @dstaulcu . However, I would like to propose a new approach though. Instead of disabling it, controlling the size of archive folder also makes it a usable feature. If you like, you can keep the quota so small that it can be considered as "disabling". The method is using WMI filters and consumers to create a Filesystem quota. Check the script here:
https://gist.github.com/zbalkan/17fbe38864a900a2f1eeac2088c5d49e
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 60%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
The Github page is not opening. Any updated link you want to share?