Sysmon not working after upgrade from 5.2 to 15.0

Question

Sysmon not working after upgrade from 5.2 to 15.0

Victorio, Elisha Israel 20

I'm trying to upgrade sysmon in my Windows server because it was detected with a security vulnerability. I copied and pasted the new version 15.0 sysmon file to the server because I haven't searched better how to upgrade sysmon, and unfortunately it did not work resulting in sysmon not starting. I tried to use the install command in cmd but it says "The service Sysmon is already registered. Uninstall Sysmon before reinstalling." I also tried to uninstall but I get the "Access is denied" error even though I'm logged in as an administrator and using command prompt as administrator. Is there any chance I can still get this installation/upgrade fixed? Any help will be appreciated. Thank you

Accepted answer

1 additional answer

Your answer

Answer 1

Alex Mihaiuc 256 Microsoft Employee

That's a really old Sysmon running there, v5.02. Just manually delete it and then switch to v15.0. Also look in the Registry under ControlSet001:

Remove the reference to the service and driver from the Registry:
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sysmon[64]
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysmon[64]
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysmonDrv
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonDrv
Reboot and delete the binaries C:\Windows\sysmon[64].exe, C:\Windows\SysmonDrv.exe.
Install the new v15.0 client which should work.

Victorio, Elisha Israel 20 Reputation points

2023-07-07T08:40:21.48+00:00

<duplicate comment I cannot delete>
Victorio, Elisha Israel 20 Reputation points

2023-07-07T08:57:49.9+00:00

Hi Alex,

Thank you again for your response.

On a clone server, I successfully uninstalled Sysmon 5.2 version using the steps you provided, deleting the exe file and registry entries.

However, I cannot install the new Sysmon 15.0 version. I'm getting the following error:

"Error copying sysmon in systemroot:

The process cannot access the file because it is being used by another process."

The command I used is ".\Sysmon.exe -i". From the articles I found, the solution was to restart http, but it did not work. Do you have an idea about this error? The OS is Windows Server 2012 R2 Datacenter.
Alex Mihaiuc 256 Reputation points Microsoft Employee

2023-07-07T12:29:34.1966667+00:00

Hmm, it looks like C:\Windows\sysmon[64].exe still exists there and in use. Can you confirm?
Victorio, Elisha Israel 20 Reputation points

2023-07-07T13:08:22.5033333+00:00

Hi Alex,

I confirm that C:\Windows\Sysmon.exe (old version) was deleted. After the reboot, I uploaded the new version exe file to C:\Windows\ and executed the command ".\Sysmon.exe -i" on command prompt.
Alex Mihaiuc 256 Reputation points Microsoft Employee

2023-07-07T15:00:59.3766667+00:00

Run sysmon from a different directory, not from C:\Windows. It will copy itself there, it seems to be complaining because it's running already from within the folder.
Victorio, Elisha Israel 20 Reputation points

2023-07-07T16:15:35.97+00:00

Hi Alex,

It was my unintentional and innocent error that I uploaded the exe file at C:\Windows and run it from there. I tried to upload it to another directory and executed the install commands in cmd prompt and it worked. This is just a clone server, but I'm hoping it would work on the live server as well. Thank you very much!

Answer 2

Alex Mihaiuc 256 Microsoft Employee

Hey, there might be a mismatch between the new Sysmon client and the old service and driver.

Try

.\sysmon64.exe -u force

which should work even with the v15.0 executable. Restart the computer and attempt installation afterwards.

If that keeps failing, you can always "manually" dispose of the driver by deleting its autostart entry from the Registry - Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonDrv. The same can be done for the service, it's at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysmon64. Following a system restart, for extra safety, delete C:\Windows\sysmon64.exe and C:\Windows\SysmonDrv.sys.

Installing Sysmon v15.0 should work afterwards, just force uninstall first, to be sure, followed by install:

.\sysmon64.exe -u force
.\sysmon64.exe -i my_config.xml

Victorio, Elisha Israel 20

Hi Alex,

Thank you for your response.

I'm trying the "-u" and "-u force" command with the administrator user, but I'm getting the messages below.

Also, I checked the registry and the "SysmonDrv" key is not there.

What would you recommend in my situation?

PS C:\Windows> .\Sysmon.exe -u


System Monitor v5.02 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Stopping the service failed:
Access is denied.
DeleteService failed:
Access is denied.
PS C:\Windows> .\Sysmon.exe -u force


System Monitor v5.02 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Usage:
Install:    C:\Windows\Sysmon.exe -i [<configfile>]
              [-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
              [-l [<process,...>]
Configure:  C:\Windows\Sysmon.exe -c [<configfile>]
              [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
              [-l [<process,...>]]]
Uninstall:  C:\Windows\Sysmon.exe -u
  -c   Update configuration of an installed Sysmon driver or dump the
       current configuration if no other argument is provided. Optionally
       take a configuration file.
  -h   Specify the hash algorithms used for image identification (default
       is SHA1). It supports multiple algorithms at the same time.
       Configuration entry: HashAlgorithms.
  -i   Install service and driver. Optionally take a configuration file.
  -l   Log loading of modules. Optionally take a list of processes to track.
  -m   Install the event manifest (done on service install as well).
  -n   Log network connections. Optionally take a list of processes to track.
  -r   Check for signature certificate revocation.
       Configuration entry: CheckRevocation.
  -u   Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in
the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On
older systems, events are written to the System event log.

If you need more information on configuration files, use the '-? config' command. More examples are available on the
Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to
accept it.

Neither install nor uninstall requires a reboot.

PS C:\Windows>

Share via

Sysmon not working after upgrade from 5.2 to 15.0

1 additional answer

Your answer