How to set Sysmon (version 15) service to Automatic (Delayed) start?

Question

After I install Sysmon 15.14 on one of our Windows servers, when I go to Services and try to update the Startup Type to Automatic (Delayed Start) I get the following error:

The delayed auto-start flag could not be set.

Error 5: Access is denied.

I then tried to go to regedit and add the "DelayedAutostart" key to HKLM\SYSTEM\CurrentControlSet\services\sysmon as type REG_DWORD with a value or 0c00000001.

After saving and refreshing Services, the Startup Type is still Automatic. When I run 'sc.exe query sysmon'
I get this:

SERVICE_NAME: sysmon
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\sysmon64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : sysmon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

Does anyone know how I can get the Startup Type of sysmon to Automatic (Delayed)?

Answer 1

Hi Wehner,

Thanks for your post. Please understand that the service runs as a protected process, thus disallowing a wide range of user mode interactions. Basically, System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Reference: Sysmon - Sysinternals | Microsoft Learn

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

This is interesting, because Microsoft still not supporting Sysmon, when having problems on machines where Sysmon is installed.

We are testing Sysmon version 15.15 and I run into the same behavior. We have the Sysmon service with auto delayed start.

In the past we had problems with Windows server which hangs during boot. We opened a case my Microsoft and they found out, that the Sysmon service seems to be the root cause. Microsoft support does not officially support Sysmon and analyzing possible problems. The only workaround was to set the Sysmon service start up type to automatic (Delayed start).

This behavior with Sysmon 15.x seems to be a negative game changer for using Sysmon in a production environment. We get no assistant from Microsoft (Unified support) for Sysmon when having problems in conjunction with Sysmon. So, the only way when problems appear on a system with Sysmon is to uninstall Sysmon on the affected systems.