Sysmon's reported CommandLine adds extra percent characters on Process Create events

Dave Schob 0 Reputation points
2024-08-31T17:11:27.5866667+00:00

When launching a process with a percent sign in the command line arguments, Sysmon adds an additional percent character for each one in the actual command line arguments. This issue is observed in both v13.24 and Sysmon 15.15 on at least Windows 10.

For example, Sysmon reports (via event logging) this command line:

CommandLine: winver  %% %% %%%%

after having launched this:

winver % % %%

Here is the first instance we encountered, but running a test process with percents in the command line behaves the same. See CommandLine below:

Process Create: 
RuleName: - 
UtcTime: 2024-08-31 01:26:18.706 
ProcessGuid: {EC883F9D-713A-66D2-A547-030000001500} 
ProcessId: 18360 
Image: C:\Program Files\RUXIM\RUXIMICS.exe 
FileVersion: 10.0.19041.4230 (WinBuild.160101.0800) 
Description: Reusable UX Interaction Manager 
Product: Microsoft® Windows® Operating System 
Company: Microsoft Corporation 
OriginalFileName: RUXIMICS.exe 
CommandLine: %%ProgramFiles%%\RUXIM\RUXIMICS.EXE /onlyloadcampaigns 
CurrentDirectory: C:\Program Files\RUXIM\ 
User: NT AUTHORITY\SYSTEM 
LogonGuid: {EC883F9D-B870-66A7-E703-000000000000} 
LogonId: 000003E7 
TerminalSessionId: 0 
IntegrityLevel: System 
Hashes: SHA1=04CB99DA03A0629A7A15ABE88E4070B997403D0B,MD5=FB1FBFD43291A17B62059B0AE1529A65 
ParentProcessGuid: {EC883F9D-7138-66D2-8C47-030000001500} 
ParentProcessId: 11440 
ParentImage: C:\Program Files\RUXIM\PLUGScheduler.exe 
ParentCommandLine: "C:\Program Files\RUXIM\PLUGscheduler.exe"
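An added example (not part of the question and not Sysmon's own code) showing how a log pipeline can undo the doubling before matching detection rules against CommandLine, so that a rule written for "%ProgramFiles%" still fires on the reported "%%ProgramFiles%%". It assumes, as the question states, that every percent sign is doubled, and flags an odd-length run of percents as a sign that assumption does not hold; the sample event is a constructed subset of the fields quoted above.

```python
import re

# Constructed sample: a subset of the Process Create event quoted in the
# question, with CommandLine as Sysmon reported it (percent signs doubled).
REPORTED_EVENT = r"""Process Create:
RuleName: -
UtcTime: 2024-08-31 01:26:18.706
Image: C:\Program Files\RUXIM\RUXIMICS.exe
CommandLine: %%ProgramFiles%%\RUXIM\RUXIMICS.EXE /onlyloadcampaigns
ParentImage: C:\Program Files\RUXIM\PLUGScheduler.exe
ParentCommandLine: "C:\Program Files\RUXIM\PLUGscheduler.exe"
"""

# Fields in which the question reports the doubling.
PERCENT_FIELDS = ("CommandLine", "ParentCommandLine")


def parse_event(text: str) -> dict:
    """Split a Sysmon 'Key: value' event body into a dict.

    The first line is the event title and is skipped; splitting on the first
    ': ' keeps drive letters such as 'C:\\' inside the value intact.
    """
    fields = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.rstrip()
    return fields


def undouble_percents(value: str) -> str:
    """Collapse every '%%' to '%', reversing the doubling the question describes.

    Assumption (from the question): Sysmon doubles *every* percent sign, so a
    reported value only contains even-length runs. A genuine '%%' in the
    original command line is therefore indistinguishable from a doubled '%',
    and an odd-length run means the assumption failed for this event.
    """
    for run in re.findall(r"%+", value):
        if len(run) % 2:
            raise ValueError(f"odd run of percent signs in {value!r}")
    return value.replace("%%", "%")


def normalize_event(text: str) -> dict:
    """Parse an event and undouble percent signs in the command-line fields."""
    fields = parse_event(text)
    for name in PERCENT_FIELDS:
        if name in fields:
            fields[name] = undouble_percents(fields[name])
    return fields
```

Run the normalizer before rule matching, or match on both spellings, until the doubling is fixed in Sysmon itself.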