MicrosoftDocs / sysinternals

Content for sysinternals.com
http://sysinternals.com
Creative Commons Attribution 4.0 International

The Sysmon service terminated unexpectedly (Exception code: 0xc0000005) #765

Open kont45 opened 10 months ago

kont45 commented 10 months ago

I am noticing on Windows 10 Pro and Windows 11 Pro strange problems with the Sysmon or Sysmon64 service stopping.

Tested Sysmon versions: 15.0 and 15.12 - the same problem.

Windows 10 and Windows 11:

OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22000 N/A Build 22000
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free

System Manufacturer:       VMware, Inc.
System Model:              VMware20,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2495 Mhz
BIOS Version:              VMware, Inc. VMW201.00V.20904234.B64.2212051119, 05/12/2022

System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)

Total Physical Memory:     8,191 MB
Available Physical Memory: 5,631 MB
Virtual Memory: Max Size:  9,471 MB
Virtual Memory: Available: 6,700 MB
Virtual Memory: In Use:    2,771 MB

Hotfix(s):                 7 Hotfix(s) Installed.
                           [01]: KB5030650
                           [02]: KB5028954
                           [03]: KB5007040
                           [04]: KB5011048
                           [05]: KB5012170
                           [06]: KB5031358
                           [07]: KB5031591
Network Card(s):           1 NIC(s) Installed.

Log from /Application:

Faulting application name: Sysmon.exe, version: 15.12.0.0, time stamp: 0x659d347a
Faulting module name: Sysmon.exe, version: 15.12.0.0, time stamp: 0x659d347a
Exception code: 0xc0000005
Fault offset: 0x00000000000eedf9
Faulting process ID: 0xc90
Faulting application start time: 0x01da4df1fa56edd8
Faulting application path: C:\Windows\Sysmon.exe
Faulting module path: C:\Windows\Sysmon.exe
Report ID: a5496324-c5c1-48b2-a1c1-d22b6eb3b12d
Faulting package full name:
Faulting package-relative application ID:

Log from /System:

The Sysmon service terminated unexpectedly. It has done this 1 time(s).

It occurs at random times, but probably always after clearing the Sysmon logs from the command line.


foxmsft commented 10 months ago

What command do you use to clean those logs? Maybe Sysmon doesn't synchronize on that flow.

kont45 commented 10 months ago

> What command do you use to clean those logs? Maybe Sysmon doesn't synchronize on that flow.

I use this one from a simple batch file (run as an admin):

wevtutil cl Microsoft-Windows-Sysmon/Operational

foxmsft commented 10 months ago

I can't get a repro here. I was looking for some synchronization issue between Sysmon writing to the log and the log being cleared, but I don't see that happening.

Could you configure werfault to generate a crash dump and share it somehow? I couldn't find your specific instance for which you previously pasted the details. This page explains the process, procdump doesn't work for Sysmon v15+ since it's a protected process now. Thanks!

kont45 commented 10 months ago

I will let you know; it requires a lot of tests. Thanks in advance.

foxmsft commented 10 months ago

I'm running a script like this myself:

# Loop forever: start a process that generates Sysmon events, clear the
# Sysmon/Operational channel while events are still being written, then
# stop the process and repeat.
for (;;)
{
    & "C:\Users\sysuser\AppData\Local\Programs\Microsoft VS Code\Code.exe"
    Start-Sleep -Milliseconds 20
    wevtutil cl Microsoft-Windows-Sysmon/Operational
    Start-Sleep -Seconds 5
    Stop-Process -Name Code
    Start-Sleep -Seconds 2
}

Varying the delays, sometimes using Edge or Edge and Code, but didn't catch anything yet.
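As an added example (not code from the issue thread or from Sysinternals), a PowerShell check a defender can run to see whether each Sysmon crash reported by the Service Control Manager (System log event 7034) was preceded by a clear of the Sysmon/Operational channel (System log event 104 from Microsoft-Windows-Eventlog, which is what `wevtutil cl` leaves behind). The 60-second window and the sample events are constructed assumptions.

```powershell
# Correlate Sysmon service crashes (7034) with a preceding clear of the
# Sysmon/Operational channel (104). Event IDs: 7034 = "service terminated
# unexpectedly" (Service Control Manager), 104 = "log file was cleared"
# (Microsoft-Windows-Eventlog). The window is an assumption, not a Sysmon value.
function Find-SysmonCrashAfterLogClear {
    param(
        # Objects with TimeCreated, Id, ProviderName and Message (Get-WinEvent shape)
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60
    )
    $clears  = $Events | Where-Object { $_.Id -eq 104  -and $_.Message -match 'Microsoft-Windows-Sysmon/Operational' }
    $crashes = $Events | Where-Object { $_.Id -eq 7034 -and $_.Message -match 'Sysmon' }
    foreach ($crash in $crashes) {
        # Most recent clear that happened at or before the crash, inside the window
        $prior = $clears | Where-Object {
            $_.TimeCreated -le $crash.TimeCreated -and
            ($crash.TimeCreated - $_.TimeCreated).TotalSeconds -le $WindowSeconds
        } | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            CrashTime     = $crash.TimeCreated
            ClearTime     = if ($prior) { $prior.TimeCreated } else { $null }
            ClearedBefore = [bool]$prior
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output.
$t0 = Get-Date '2024-01-15 10:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;                Id = 104;  ProviderName = 'Microsoft-Windows-Eventlog'; Message = 'The Microsoft-Windows-Sysmon/Operational log file was cleared.' }
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(3);  Id = 7034; ProviderName = 'Service Control Manager';    Message = 'The Sysmon service terminated unexpectedly.  It has done this 1 time(s).' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(30); Id = 7034; ProviderName = 'Service Control Manager';    Message = 'The Sysmon service terminated unexpectedly.  It has done this 2 time(s).' }
)
# First crash reports ClearedBefore = True, the second (no clear in window) False.
Find-SysmonCrashAfterLogClear -Events $sample | Format-Table

# On a live host, feed real System-log events instead of the constructed sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104, 7034 } -MaxEvents 500
# Find-SysmonCrashAfterLogClear -Events $live
```

A crash with ClearedBefore set is the pattern this issue describes; a crash without it points at a different trigger and is worth a crash dump, as foxmsft requests above.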