Errors in Sysmon 13.01

Question

I am seeing a lot of errors with varying numbers (see below) on different hosts that have 13.01 deployed on them. I have also seen these errors occurring with different configs being used so it does not appear to be an issue with a single configuration file. Any suggestions on how to troubleshoot these? Sysmon still seems to work as I can see all of the events getting produced, but it is concerning to see these errors and not have a clear understanding as to why they are happening or what impact they may have on critical systems.

ID: GetConfigurationOptions
Description: Failed to open service configuration with error (94|93|19|83) - Last error: The media is write protected.

Answer 1

@lukelikessysmon I see similar errors in an environment running Sysmon v12.01 and 13.02. Error code 93 is most common but I also see codes 91, 92, and 94.

My guess is that these errors are from the use of write-protected media (USB-sticks, portable hard drives, etc) and Sysmon is complaining
that it can't store files (deleted files as per Event ID 23) and clipboard data (as per Event ID 24) in the Archive-directory it tried to create.
NOT confirmed but a reasonable guess...

Answer 2

@Michael_N Thanks for trying to provide some guidance here. Event ID 23 and 24 are both excluded from our logging configuration so I suspect that isn't the root cause unfortunately. I wish there was a troubleshooting guide or something that could provide a little more insight into Sysmon errors.