Dear Sysinternals Team,
We are trying to use Sysmon 14.12 and face different BSOD issues with this. Could you kindly check and let us know if these are solved in the latest Sysmon 15.0? They happen on different applications. Attaching snippets of WinDbg data below. These were seen after Sysmon was installed and brought up. I've attached 2 BSOD details below. There are a few more as well. And they are NOT limited to one specific system.
OS_VERSION: 10.0.19041.1
BSOD 1 - RESOURCE_NOT_OWNED (Taskmgr.exe)
RESOURCE_NOT_OWNED (e3)
A thread tried to release a resource it did not own.
Arguments:
Arg1: fffff80772d771a0, Address of resource
Arg2: ffffa189701f0080, Address of thread
Arg3: ffffa189759df450, Address of owner table if there is one
Arg4: 0000000000000002
PROCESS_NAME: Taskmgr.exe
STACK_TEXT:
ffffe30d`cad0ec68 fffff807`3b227d73 : 00000000`000000e3 fffff807`72d771a0 ffffa189`701f0080 ffffa189`759df450 : nt!KeBugCheckEx
ffffe30d`cad0ec70 fffff807`3b020893 : 00000000`00000000 00000000`00000000 ffffa189`701f0080 00000000`00000000 : nt!ExpReleaseResourceSharedForThreadLite+0x207403
ffffe30d`cad0ed30 fffff807`72d576be : 00000000`00000000 ffffa189`77610600 ffffa189`779e8d90 00000000`000000ff : nt!ExReleaseResourceLite+0xf3
ffffe30d`cad0ed90 00000000`00000000 : ffffa189`77610600 ffffa189`779e8d90 00000000`000000ff 00000001`ffffffff : SysmonDrv+0x76be
SYMBOL_NAME: SysmonDrv+76be
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 76be
FAILURE_BUCKET_ID: 0xE3_SysmonDrv!unknown_function
OS_VERSION: 10.0.19041.1
BSOD 2 - SYSTEM_SERVICE_EXCEPTION (WmiPrvSE.exe)
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff8055bcc73b0, Address of the instruction which caused the BugCheck
Arg3: ffff9b015e259920, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.
PROCESS_NAME: WmiPrvSE.exe
STACK_TEXT:
fffff588`4407fbf8 fffff805`5bc534f1 : fffff805`a40671a0 fffff588`4407fc68 00000000`00000000 ffffdb05`6ecf6500 : nt!PsGetBaseIoPriorityThread
fffff588`4407fc00 fffff805`5bc21c35 : fffff805`a40671a0 fffff588`00000002 ffffffff`ffffffff fffff805`00000004 : nt!ExpApplyPriorityBoost+0x431
fffff588`4407fc90 fffff805`5bc21354 : fffff588`4407fdb0 fffff805`a40671a0 00000000`00000000 00000000`00000001 : nt!ExpAcquireResourceSharedLite+0x825
fffff588`4407fd50 fffff805`a4047690 : ffffdb05`56002100 ffffdb05`6a547ed0 ffffdb05`56002340 00000000`000000ff : nt!ExAcquireResourceSharedLite+0x44
fffff588`4407fd90 ffffdb05`56002100 : ffffdb05`6a547ed0 ffffdb05`56002340 00000000`000000ff 00000001`ffffffff : SysmonDrv+0x7690
fffff588`4407fd98 ffffdb05`6a547ed0 : ffffdb05`56002340 00000000`000000ff 00000001`ffffffff fffffff6`00000000 : 0xffffdb05`56002100
fffff588`4407fda0 ffffdb05`56002340 : 00000000`000000ff 00000001`ffffffff fffffff6`00000000 00000000`00000000 : 0xffffdb05`6a547ed0
fffff588`4407fda8 00000000`000000ff : 00000001`ffffffff fffffff6`00000000 00000000`00000000 00000000`00000000 : 0xffffdb05`56002340
fffff588`4407fdb0 00000001`ffffffff : fffffff6`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xff
fffff588`4407fdb8 fffffff6`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffdb05`5c82ea20 : 0x00000001`ffffffff
fffff588`4407fdc0 00000000`00000000 : 00000000`00000000 00000000`00000000 ffffdb05`5c82ea20 00000000`00000000 : 0xfffffff6`00000000
SYMBOL_NAME: SysmonDrv+7690
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
STACK_COMMAND: .cxr 0xffff9b015e259920 ; kb
BUCKET_ID_FUNC_OFFSET: 7690
FAILURE_BUCKET_ID: AV_SysmonDrv!unknown_function
OS_VERSION: 10.0.19041.1