@McGahan, Timothy@CIO, I can confirm your analysis to some extent.
First, trying your top config file above (with 3 rules) I don't get an application crash, but the parsing of the config file doesn't seem to "finish":
D:\Documents\Sysmon_Work_Area>sysmon64.exe -c details_test.xml
System Monitor v13.22 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.70
D:\Documents\Sysmon_Work_Area>
compared to the normal result after changing configuration (with missing lines bolded):
System Monitor v13.22 - System activity monitor
Copyright (C) 2014-2021 Mark Russinovich and Thomas Garnier
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.70
Configuration file validated.
Configuration updated.
Second, doing my own testing I've noticed that single registry rules with the details filter seem to work just fine.
However, if you add more rules it seems like only the first (i.e. topmost) one can produce events in the log.
The rules work separately, but "combined" in the config file only the topmost one matches and results in output.
Can anyone else confirm?