SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Error: Incorrect XML configuration: sysmonconfig-export.xml #23

Closed Chickenfoster closed 7 years ago

Chickenfoster commented 7 years ago

Hi guys, this is just running base executable Sysmon version v5.02 on Win7 32-bit. I haven't edited the xml file at all.

C:\Users\jamesbond\Desktop>Sysmon.exe -accepteula -i sysmonconfig-export.xml

System Monitor v5.02 - System activity monitor
Copyright (C) 2014-2016 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 3.30
Sysmon schema version: 3.20
Error: Incorrect XML configuration: sysmonconfig-export.xml
Reason: Element 'FileCreate' is unexpected according to content model of parent element 'EventFiltering'.
Expecting: ProcessCreate, FileCreateTime, NetworkConnect, ProcessTerminate, DriverLoad, ImageLoad, CreateRemoteThread, RawAccessRead, P....

Usage:
Install:    Sysmon.exe -i [<configfile>]
                  [-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
                  [-l [<process,...>]]
Configure:  Sysmon.exe -c [<configfile>]
                  [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n [<process,...>]]
                  [-l [<process,...>]]]
Uninstall:  Sysmon.exe -u
  -c   Update configuration of an installed Sysmon driver or dump the
       current configuration if no other argument is provided. Optionally
       take a configuration file.
  -h   Specify the hash algorithms used for image identification (default
       is SHA1). It supports multiple algorithms at the same time.
       Configuration entry: HashAlgorithms.
  -i   Install service and driver. Optionally take a configuration file.
  -l   Log loading of modules. Optionally take a list of processes to
       track.
  -m   Install the event manifest (done on service install as well).
  -n   Log network connections. Optionally take a list of processes to
       track.
  -r   Check for signature certificate revocation.
       Configuration entry: CheckRevocation.
  -u   Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System event log.

If you need more information on configuration files, use the '-? config' command. More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.

SwiftOnSecurity commented 7 years ago

Should be fixed, I'm sorry =(

SwiftOnSecurity commented 7 years ago

Oh, sorry, I misdiagnosed the issue. This configuration requires Sysmon 6. I'm sorry, I can't maintain a different stream for versions I don't use anymore. You should be able to just remove the "FileCreate" and other sections, and Sysmon 5.02 should work.
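The workaround suggested above, dropping the EventFiltering sections an older Sysmon build does not know, can be scripted instead of done by hand. The following is an added example and is not code from the sysmon-config project or from this issue: it pulls the "Sysmon schema version:" line and the "Expecting:" list out of the loader's error text, removes every child of EventFiltering whose name is not in that list, and rewrites the schemaversion attribute to match the installed binary. The sample config, the error text (reconstructed from the output above, whose list is truncated at "P....", so only the eight visible names are treated as allowed here) and all function names are constructed for the example.

```python
"""Downgrade a Sysmon config to the element set an older Sysmon.exe accepts.

Added example, not part of the sysmon-config project or of this issue.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of sysmonconfig-export.xml (not the real file).
SAMPLE_CONFIG = """<Sysmon schemaversion="3.30">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\\Windows\\System32\\conhost.exe</Image>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
    </NetworkConnect>
    <FileCreate onmatch="include">
      <TargetFilename condition="contains">\\Start Menu</TargetFilename>
    </FileCreate>
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CurrentVersion\\Run</TargetObject>
    </RegistryEvent>
    <ImageLoad onmatch="include">
      <ImageLoaded condition="contains">\\Temp\\</ImageLoaded>
    </ImageLoad>
  </EventFiltering>
</Sysmon>
"""

# Constructed copy of the Sysmon 5.02 error output from the issue. The real
# "Expecting:" list is longer; it is truncated at "P...." in the report.
SYSMON_502_ERROR = (
    "Loading configuration file with schema version 3.30\n"
    "Sysmon schema version: 3.20\n"
    "Error: Incorrect XML configuration: sysmonconfig-export.xml\n"
    "Reason: Element 'FileCreate' is unexpected according to content model "
    "of parent element 'EventFiltering'. Expecting: ProcessCreate, "
    "FileCreateTime, NetworkConnect, ProcessTerminate, DriverLoad, ImageLoad, "
    "CreateRemoteThread, RawAccessRead, P....\n"
)


def parse_target_schema(error_text):
    """Return the schema version the installed Sysmon.exe reports, or None."""
    m = re.search(r"Sysmon schema version:\s*([\d.]+)", error_text)
    return m.group(1) if m else None


def parse_expecting(error_text):
    """Return the element names listed after 'Expecting:' as a set.

    Tokens that are not a bare element name (such as the truncated 'P....')
    are skipped rather than guessed at.
    """
    m = re.search(r"Expecting:\s*(.*)", error_text)
    if not m:
        return set()
    names = set()
    for token in m.group(1).split(","):
        token = token.strip()
        if re.fullmatch(r"[A-Za-z]+", token):
            names.add(token)
    return names


def event_sections(xml_text):
    """List the EventFiltering child element names in document order."""
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    return [] if filtering is None else [child.tag for child in filtering]


def downgrade_config(xml_text, allowed, schemaversion):
    """Drop EventFiltering sections not in `allowed`; set schemaversion.

    Returns (new_xml_text, list_of_removed_section_names).
    """
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    if filtering is None:
        raise ValueError("config has no EventFiltering element")
    removed = []
    for child in list(filtering):
        if child.tag not in allowed:
            filtering.remove(child)
            removed.append(child.tag)
    root.set("schemaversion", schemaversion)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    target = parse_target_schema(SYSMON_502_ERROR)
    allowed = parse_expecting(SYSMON_502_ERROR)
    new_xml, removed = downgrade_config(SAMPLE_CONFIG, allowed, target)
    print("removed sections:", removed)
    print(new_xml)
```

Feed it the complete error text from your own Sysmon.exe rather than the truncated copy here, since the allowed set is only as good as the "Expecting:" list it is given. Each section it removes is telemetry that host will no longer produce (FileCreate and RegistryEvent in the sample), so the result is a reduced config that loads on the older binary, not an equivalent one.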