This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 60%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I'm learning Sysmon and recently read there is an (undocumented) debug mode.
Unfortunately, I'm unable to get it working. This is the result when I try to start
Sysmon in debug mode. Thousands of error messages scrolls passed until I press
CTRL-C. What am I doing wrong?
D:\Documents\PRIVATE\Data\Sysmon_Work_Area>sysmon64.exe -t -i ProcessCreate_OriginalFileName_Test.xml
System Monitor v13.02 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Detected configuration file has BOM
Detected configuration file format is single-width character set
Loading configuration file with schema version 4.50
Configuration file validated.
SysmonDrv installed.
[R] No global rule or pre-filtered for 16
Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE
UtcTime: 2021-04-15 15:02:52.675
Configuration: D:\Documents\PRIVATE\Data\Sysmon_Work_Area\ProcessCreate_OriginalFileName_Test.xml
ConfigurationFileHash: SHA256=01B1060F20197C15B4B39DD55F6B22DCFBBBB93A1D4DA235679C776B04C96A4B
Starting SysmonDrv.
SysmonDrv started.
[R] No global rule or pre-filtered for 4
Event SYSMONEVENT_SERVICE_STATE_CHANGE
UtcTime: 2021-04-15 15:02:52.740
State: Started
Version: 13.02
SchemaVersion: 4.50
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
<...removed thousands or similar lines...>
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
[R] No global rule or pre-filtered for 4
PROCESS_CACHE_REQUEST failed with 87
Event SYSMONEVENT_SERVICE_STATE_CHANGE
UtcTime: 2021-04-15 15:02:54.675
State: Stopped
Version: 13.02
SchemaVersion: 4.50
PROCESS_CACHE_REQUEST failed with 87
PROCESS_CACHE_REQUEST failed with 87
D:\Documents\PRIVATE\Data\Sysmon_Work_Area>
If anyone is interested, the syntax for debug mode (as shown above) seems to work just fine in the new v13.10 version.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 82%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPV%3C/text%3E%3C/svg%3E)
Hi
Check your Sysmon Config file!
If you get such kind of outputs like [R] No global rule or pre-filtered for 16, then your SysmonConfig.xml has some errors and dont follow the scripting syntax.
You have to strict follow the syntax as well as the SchemaVersion number. This often changes when you install a higher Sysmon version.
Kind Regards