This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
We use Sysmon to monitor events on our Windows 10 endpoinds. We randomly get Sysmon signature verification error, which occurs on 30% of endpoints regardless of their amount of RAM or build number. The example of an error:
<13>Mar 27 15:57:19 XXXXX AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=WC.MSEVEN6.10.1.10.11 Source=Microsoft-Windows-Sysmon Computer=XXXXX.xxx.xxx.xxx.ua OriginatingComputer=x.x.x.x User=SYSTEM Domain=NT AUTHORITY EventID=7 EventIDCode=7 EventType=4 EventCategory=7 RecordNumber=3290522 TimeGenerated=1743083836 TimeWritten=1743083836 Level=Informational Keywords=0 Task=SysmonTask-SYSMONEVENT_IMAGE_LOAD Opcode=Resume Message=Image loaded: RuleName: - UtcTime: 2025-03-27 13:57:16.666 ProcessGuid: {096ac3aa-593c-67e5-7201-000000005401} ProcessId: 8968 Image: C:\Windows\System32\taskhostw.exe ImageLoaded: C:\Windows\System32\msasn1.dll FileVersion: 10.0.19041.3636 (WinBuild.160101.0800) Description: ASN.1 Runtime APIs Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: msasn1.dll Hashes: SHA1=FCB93A019377C297088B8EF6A1215DEC3E732D81,MD5=AB9535AEBFD8DED1BA9743A1A33C8344,SHA256=A40B90479BEF00F51B15E02D8CCE799A15248237EB68E73A2732C0FA8461BBB6,IMPHASH=F79599CA729D557E0381EC0A41471A27 Signed: failed: Signing queue is full Signature: - SignatureStatus: - User: YYYY\xxxxxxx
How can we get rid of these errors? Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 74%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Anybody can help with this issue? it is my customer issue and we need to sort it out somehow. Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 6%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
This is related to an internal queue of images that need to be verified by Sysmon. This check is computationally expensive, so if the queue is full, then Sysmon just gives up trying to validate the image signature state.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 57.00000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYD%3C/text%3E%3C/svg%3E)
Hello, Alex.
Thank You for Your answer.
We'd like to know if there exist any sysmon configuration parameters or maybe you may have some other suggestions how to manage internal queue of images that need to be verified in order not to get this error?
Thanks in advance.
Hey!
Do you have a repro / consistent scenario that leads to this? I would be interested in working on a solution for this! Send me an email, it's the name with the dot in between.