Sysmon service - security descriptors and recovery options
To prevent user tampering and recover from process crashes, when installing Sysmon I used to modify the security descriptors on the service to remove Admin's ability to stop it and set the recovery options to restart after 1st, 2nd and subsequent failures.
Now that Sysmon has PPL protection, are either of those actions needed? It feels like security descriptors on the service are redundant, since the process can't be killed, even by Admin, but what about the Recovery Options? It seems like they are grayed out and can't be set after installing 15.14. Is that because of PPL protections?
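
An added example, not part of the original post: a read-only PowerShell check that reports the three settings the question concerns (which ACEs in the service's security descriptor carry the stop right, the configured recovery options, and the service protection level). The service name `Sysmon64` and the helper names `Get-ServiceSddl` and `Get-StopAces` are assumptions.

```powershell
# Added example. The service name is an assumption: Sysmon64 for the 64-bit
# binary, Sysmon for the 32-bit one, or whatever name was given at install.
param([string]$ServiceName = 'Sysmon64')

function Get-ServiceSddl {
    param([string]$Name)
    # Call sc.exe explicitly; in Windows PowerShell "sc" is an alias for Set-Content.
    $line = & sc.exe sdshow $Name |
        Where-Object { $_ -match '^\s*[OGDS]:' } | Select-Object -First 1
    if (-not $line) { throw "Could not read the security descriptor of '$Name'." }
    $line.Trim()
}

function Get-StopAces {
    param([string]$Sddl)
    # Take the DACL part only: "D:" plus optional flags, then the (...) ACEs.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((\([^)]*\))+)')
    if (-not $dacl.Success) { return }
    foreach ($m in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object guid;inherit guid;trustee
        $f = $m.Groups[1].Value -split ';'
        # Rights are two-letter codes; WP is SERVICE_STOP on a service object.
        # Rights given as a hex mask or as generic rights (GA, GX) are not expanded here.
        $codes = [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value }
        if ($codes -contains 'WP') {
            [pscustomobject]@{ Type = $f[0]; Trustee = $f[5]; Rights = $f[2] }
        }
    }
}

$sddl = Get-ServiceSddl -Name $ServiceName
"SDDL: $sddl"
"ACEs carrying the stop right (Type A = allow, D = deny; BA = built-in Administrators):"
Get-StopAces -Sddl $sddl | Format-Table -AutoSize | Out-String

"Recovery options:"
& sc.exe qfailure $ServiceName

"Protection level:"
& sc.exe qprotection $ServiceName
```

Running it before and after an upgrade gives a side-by-side record of whether the descriptor, the failure actions or the protection level changed.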