How can I limit or delete the folder content of Sysmon folder?

ADRookie 0 Reputation points
2024-07-16T13:59:09.0666667+00:00

I have Sysmon installed on all of our Server 2019 and 2022 machines. It piles up the logs in the C:/Sysmon folder. The folder is owned by TrustedInstaller, so generally I cannot delete the content.

I have used PsExec, but whenever I try to run it, it gives the error "No process is on the other end of the pipe". I also tried to stop the PsExec service and run it again, but no luck.

I have created a scheduled task running as System to delete the files every day. But this also does not delete all the files, only some, namely the ones that are not owned by TrustedInstaller.

Please suggest something, if you have faced similar issues.


1 answer

  1. MotoX80 33,291 Reputation points
    2024-07-17T00:45:28.27+00:00

    In looking at the sysmon help output, the best that I can figure out is that you have defined a custom configuration that is using one or more of these CopyOnDelete settings.

    Configuration entries include the following:
      Entry                 Value     Description
      ArchiveDirectory      String    Name of directories at volume roots into which copy-on-delete
                                      files are moved. The directory is protected with a System ACL.
                                      (you can use PsExec from Sysinternals to access the directory
                                      using 'psexec -sid cmd').
                                      Default: Sysmon
      CopyOnDeletePE         Boolean  Preserves deleted executable image files.
                                      Default: False
      CopyOnDeleteSIDs       Strings  Comma-separated list of account SIDs for
                                      which file deletes will be preserved.
      CopyOnDeleteExtensions Strings  Extensions for files that are preserved on
                                      delete.
      CopyOnDeleteProcesses  Strings  Process name(s) for which file deletes will
                                      be preserved.
    https://www.bleepingcomputer.com/news/software/microsoft-releases-sysmon-11-with-auto-backup-of-deleted-files/

    Change your scheduled task to set the permissions so that Administrators (or Users) have full control.

    takeown /d Y /a /r /f c:\sysmon
    icacls c:\sysmon  /grant administrators:(F)  /t
    

    You probably want to review your CopyOnDelete settings and discuss with your team how you intend to use those files. If you're just going to delete them every day, then I see no point in copying the files in first place.
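A scheduled-task version of the takeown/icacls steps from the answer above, run as SYSTEM, that applies a retention window instead of deleting every archived file each day. This is an added example, not code from the post or from Sysinternals; the archive path, the 7-day retention value and the parameter names are assumptions.

```powershell
# Added example (not from the original post): scheduled-task script to
# reclaim the Sysmon archive directory and prune old copy-on-delete files.
# Assumptions: ArchiveDirectory is the default "Sysmon" at the root of C:,
# the task runs as SYSTEM, and the retention window is a site-specific choice.
param(
    [string]$ArchiveDir = 'C:\Sysmon',
    [int]$RetentionDays = 7
)

if (-not (Test-Path -LiteralPath $ArchiveDir)) {
    Write-Output "Archive directory $ArchiveDir not found; nothing to do."
    return
}

# The directory is protected with a System ACL, so first give ownership to the
# Administrators group (/a) recursively (/r) without prompting (/d Y), then
# grant Administrators full control (F) over the whole tree (/t).
& takeown.exe /d Y /a /r /f $ArchiveDir | Out-Null
& icacls.exe $ArchiveDir /grant 'Administrators:(F)' /t | Out-Null

# Delete only files older than the retention window, so recently archived
# copies of deleted files remain available for incident review first.
$cutoff = (Get-Date).AddDays(-$RetentionDays)
$old = Get-ChildItem -LiteralPath $ArchiveDir -File -Recurse -Force |
       Where-Object { $_.LastWriteTime -lt $cutoff }

$removed = 0
foreach ($f in $old) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        $removed++
    } catch {
        # A file that still cannot be removed is reported rather than skipped silently.
        Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)"
    }
}
Write-Output "Removed $removed file(s) older than $RetentionDays day(s) from $ArchiveDir."
```

Register it with a task that runs as SYSTEM (for example `powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Prune-SysmonArchive.ps1`, the script path being an assumption), and review the task's output to confirm nothing is left behind that still cannot be deleted.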
