Sysmon 12.03 not logging EventID:2 (file creation time modified)

Julien Bachmann 96 Reputation points
2020-12-18T14:34:54.287+00:00

Hello,

I just made a test with Sysmon 9.1.0 on a VM and I was able to get file creation time modification events. Upgrading to 12.03 with the same configuration allows me to get all the other events except this one.

Test was made using a ps1 script that modifies 100 files using the following:

[System.IO.File]::SetCreationTimeUtc($f.FullName, (Get-Date))

Anyone else with the same issue? We tested on 2 hosts with 12.01 and 12.03 and the result is the same: no EventID:2 event.

Best regards


Accepted answer
Julien Bachmann 96 Reputation points
2020-12-23T07:33:07.04+00:00

As mentioned by @dstaulcu, we need the following lines in sysmon config for the events to trigger since schema 4.40

```xml
<Sysmon schemaversion="4.40">
    <EventFiltering>
        <RuleGroup name="" groupRelation="or">
            <FileCreateTime onmatch="exclude">
            </FileCreateTime>
        </RuleGroup>
    </EventFiltering>
</Sysmon>
```
    
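An end-to-end check of the fix described in the answer, added here as an example and not code from the question or answer: it writes the minimal config with the FileCreateTime rule group, reloads Sysmon, repeats the creation-time test from the question, and then queries the Sysmon operational log for Event ID 2. It assumes Sysmon64.exe is on PATH, the shell is elevated, and the $TestDir and $ConfigPath locations are hypothetical.

```powershell
# Added example (not from the original question or answer). Assumptions: Sysmon64.exe
# is on PATH, the shell is elevated, and $TestDir / $ConfigPath are hypothetical paths.
param(
    [string]$TestDir    = "$env:TEMP\sysmon-ev2-test",
    [string]$ConfigPath = "$env:TEMP\sysmon-ev2.xml",
    [int]$FileCount     = 100
)

# An empty "exclude" rule group means "log every FileCreateTime event".
# Without this block (schema 4.40 and later) Event ID 2 is never written.
$config = @"
<Sysmon schemaversion="4.40">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude">
      </FileCreateTime>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@
Set-Content -Path $ConfigPath -Value $config -Encoding ASCII

# Apply the configuration to the running Sysmon driver.
& Sysmon64.exe -c $ConfigPath | Out-Null

# Reproduce the test from the question: change the creation time of N files.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$start = Get-Date
1..$FileCount | ForEach-Object {
    $f = New-Item -ItemType File -Path (Join-Path $TestDir "f$_.txt") -Force
    [System.IO.File]::SetCreationTimeUtc($f.FullName, (Get-Date))
}

# Give the event log a moment, then count Event ID 2 entries since the test began.
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 2
    StartTime = $start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Event ID 2 entries found: check the FileCreateTime rule group and the schema version."
} else {
    Write-Host ("{0} Event ID 2 entries logged; first one:" -f $events.Count)
    $events[0].Message
}
```

If the count stays at zero after reloading, run `Sysmon64.exe -c` with no argument to print the active configuration and confirm the FileCreateTime rule group is present.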

0 additional answers
