Sysmon 13.2x using a huge number of handles on servers?

Niklas Sjögren 41 Reputation points
2021-09-07T06:16:00.173+00:00

I’m getting reports from our server guys that the later versions of Sysmon (13.2x) are slowly eating up all handles in the systems…
Seems to affect all versions of Windows Server.

Image shows example in order:
Win 2019 server
Win 2016 server
Win 2012 R2 server
[screenshot: 129689-img1.jpg]

15 600 000 on a 2016 server (!?)

[screenshot: 129699-img2.jpg]

Is this anything anyone else has noticed?
Possible bug in Sysmon?


5 answers

  1. Niklas Sjögren 41 Reputation points
    2021-09-27T11:38:29.897+00:00

    Adding some more information in this case...

    I see this problem on all systems (servers and clients) running v13.22 - v13.24...
    My PC climbs during the workday to 60,000-70,000 handles, and systems not restarted (like servers) even more...

    After some testing I found that version 13.20 works without this problem, so I am now downgrading to this version...

    No one else seeing this???

    Try:
    while ($true) {
        $now = Get-Date -Format "HH:mm:ss"
        # Sample the handle count of the Sysmon64 service process once a minute
        Write-Host "$now Handles: $((Get-Process -Name sysmon64).Handles)"
        Start-Sleep -Seconds 60
    }

    during the day on your computer...

    Let me know if you see the same problem...


  2. dstaulcu 351 Reputation points
    2021-09-29T00:36:09.463+00:00

    Have you deduced which event type is causing the leak? I'd start by disabling file delete logging...


  3. Niklas Sjögren 41 Reputation points
    2021-10-27T13:50:11.51+00:00

    Today I tested version 13.30 to see if my "bug" was corrected...
    But sadly I have to say that CPU handles continue to grow during the day even with this version...

    If I remove Event 7 from my configuration it works just fine, but then there is no logging of Event 7...

    We are collecting all Image Loaded events and have tested the following configurations for this:
    <ImageLoaded condition="more than">0</ImageLoaded> - works, but CPU handles climb fast...
    <ImageLoaded condition="contains">\</ImageLoaded> - works, but CPU handles climb slowly (to 11,000+ during my workday)

    Both of these configurations work fine in version 13.20 but not in any of the later versions of Sysmon...


  4. Niklas Sjögren 41 Reputation points
    2021-11-12T12:43:15.94+00:00

    An update in this case... (if anyone is still reading...)
    No! I have not yet received any reply or comment from sysite@microsoft.com :-/ (I am guessing no one can recreate this...)

    We collect all Evt 7 in the config we are running by "<ImageLoaded condition="contains">\</ImageLoaded>"

    Did some more testing and found the following:

    1. If I remove all "Exclude" rules in Evt 7, everything works (but I collect a massive amount of Evt 7): no increase in handles.
    2. If I remove all "Exclude" rules for McAfee, collection works but I still get a slow increase in handles during the day.
    3. Installed Sysmon 13.30 and our config on a clean Windows installation (Defender as AV); collection works but I get a slow increase in handles during the day.
    4. Took all of Olaf Hartong's configs for collecting Evt 7; the selected items are collected and there is no increase in handles...

    My guess is that collecting all and adding many exclude rules for Evt 7 is creating this problem, but this worked fine up till version 13.20...

    I am now slowly adding items to Hartong's config to see how far I can go...
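The handle-sampling loop from answer 1 and the bisection in answer 4 (strip the Event 7 exclude rules, re-apply the config, see whether Sysmon64's handle count still climbs) can be run as one A/B test. The script below is an added example and is not code from this thread, from Niklas, or from Sysinternals. It assumes an elevated session, that Sysmon64 is installed with sysmon64.exe on PATH (the default install puts it in C:\Windows) so that `sysmon64 -c <file>` replaces the running configuration, and that the service process is named sysmon64. The embedded config, its rule names and its schemaversion are constructed for illustration; substitute your own config and the schema version your binary reports with `sysmon64 -? config`.

```powershell
# Added example (not from the thread): A/B test of a Sysmon config with and
# without its Event 7 (ImageLoad) exclude rules, measuring Sysmon64 handle growth.
# Assumptions: elevated PowerShell, sysmon64.exe on PATH, process name sysmon64.
#Requires -RunAsAdministrator

# Constructed sample config: include every image load (ImageLoaded contains "\")
# and suppress two noisy sources with exclude rules. Schema version is assumed.
$SampleConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="ImageLoad include all" groupRelation="or">
      <ImageLoad onmatch="include">
        <ImageLoaded condition="contains">\</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
    <RuleGroup name="ImageLoad excludes" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <ImageLoaded condition="begin with">C:\Windows\WinSxS\</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Remove-ImageLoadExcludes {
    # Return a copy of the config with every <ImageLoad onmatch="exclude"> block removed.
    param([Parameter(Mandatory)][string]$Xml)
    [xml]$doc = $Xml
    # Snapshot the node list before mutating the tree.
    $excludes = @($doc.SelectNodes("//ImageLoad[@onmatch='exclude']"))
    foreach ($node in $excludes) { [void]$node.ParentNode.RemoveChild($node) }
    return $doc
}

function Set-SysmonConfig {
    # Write the config to disk and load it into the running Sysmon64 (no reinstall).
    param([Parameter(Mandatory)][xml]$Config)
    $path = Join-Path $env:TEMP ("sysmon-test-{0}.xml" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $Config.Save($path)
    & sysmon64.exe -accepteula -c $path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sysmon64 -c failed with exit code $LASTEXITCODE" }
    return $path
}

function Measure-SysmonHandleGrowth {
    # Sample the Sysmon64 handle count for $Minutes and summarise the growth.
    param([int]$Minutes = 30, [int]$IntervalSeconds = 60)
    $samples  = New-Object System.Collections.Generic.List[object]
    $deadline = (Get-Date).AddMinutes($Minutes)
    do {
        $handles = (Get-Process -Name sysmon64 -ErrorAction Stop).Handles
        $samples.Add([pscustomobject]@{ Time = Get-Date; Handles = $handles })
        Write-Host ("{0:HH:mm:ss} Handles: {1}" -f (Get-Date), $handles)
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)

    $first = $samples[0]
    $last  = $samples[$samples.Count - 1]
    $hours = ($last.Time - $first.Time).TotalHours
    $growth  = $last.Handles - $first.Handles
    $perHour = if ($hours -gt 0) { [math]::Round($growth / $hours) } else { 0 }
    [pscustomobject]@{
        Samples      = $samples.Count
        StartHandles = $first.Handles
        EndHandles   = $last.Handles
        Growth       = $growth
        PerHour      = $perHour
    }
}

# A/B run: the full config versus the same config minus its Event 7 excludes.
$variants = @(
    @{ Name = 'with Event 7 excludes';    Config = [xml]$SampleConfig },
    @{ Name = 'without Event 7 excludes'; Config = (Remove-ImageLoadExcludes -Xml $SampleConfig) }
)
$results = foreach ($variant in $variants) {
    [void](Set-SysmonConfig -Config $variant.Config)
    Start-Sleep -Seconds 30   # let the new rule set settle before the baseline sample
    Measure-SysmonHandleGrowth -Minutes 30 |
        Add-Member -NotePropertyName Variant -NotePropertyValue $variant.Name -PassThru
}
$results | Format-Table Variant, Samples, StartHandles, EndHandles, Growth, PerHour -AutoSize
```

Two caveats when running this. Exclude rules win over include rules in Sysmon, so the second variant will log every image load on the host; run it on a test machine, not a production server, and long enough (the thread's numbers are per workday) for a slow climb to separate from noise. If growth is flat without excludes and positive with them, add the exclude rules back in groups, as answer 4 does with Hartong's config, re-running the measurement after each group.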


  5. Alex Mihaiuc 716 Reputation points
    2021-12-03T14:27:05.403+00:00

    Indeed, can't seem to get a repro on this one. However, managed to make some improvements regarding token cleanup. I don't think your emails got through to that mailbox, would you be willing to test an experimental Sysmon build? Just drop me an email on this account at hotmail and I'll reply from my Microsoft account.