The description for Event ID 1 from source Microsoft-Windows-Sysmon cannot be found

[rdf6]

The following message is prepended to the top of every Sysmon event for every Event ID:

`The description for Event ID # from source Microsoft-Windows-Sysmon cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: `

I had been using an older version of the sysmon.exe utility but just updated to the latest version available and now this message is appearing. I am also using the latest version of the xml config file from your repo. Any advice on how to correct this issue?

[itpropaul]

Had this same issue while testing out different ways to deploy Sysmon and an internally customized version of @SwiftOnSecurity 's config.

Just restart Event Viewer.

"Event Viewer was not restarted since you added the EventMessageFile entry in the registry. Event Viewer caches the DLLs it loads for event sources. If you have changed the registry to give a proper directory or source name after the event viewer has been started, you need to restart Event Viewer." -ref: See point #6 https://support.microsoft.com/en-us/help/166902/howto-troubleshooting-the-event-message-not-found-message

@SwiftOnSecurity please feel free to close this issue

[deepakjoshi01234]

what does hashes means in eventId 1, are they file hash or process hash ?