Open smogm opened 8 months ago
We're also having this issue. The scenario is a user on a remote desktop server with their appdata\roaming on a file share. This event is from the file server:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SMBServer" Guid="{d48ce617-33a2-4bc3-a5c7-11aa4f29619e}" />
    <EventID>1020</EventID>
    <Version>1</Version>
    <Level>3</Level>
    <Task>1020</Task>
    <Opcode>0</Opcode>
    <Keywords>0x2000000000000008</Keywords>
    <TimeCreated SystemTime="2024-07-25T02:49:58.833500600Z" />
    <EventRecordID>308</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="3012" />
    <Channel>Microsoft-Windows-SMBServer/Operational</Channel>
    <Computer>ABCSERVER21.DOMAIN.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <Command>6</Command>
      <SessionGuid>{fa46ffae-d86e-0001-6b75-4dfa6ed8da01}</SessionGuid>
      <SessionId>0x1000064000049</SessionId>
      <ConnectionGuid>{fa46ffae-d86e-0001-9172-4dfa6ed8da01}</ConnectionGuid>
      <UserNameLength>15</UserNameLength>
      <UserName>DOMAIN\username</UserName>
      <ClientNameLength>15</ClientNameLength>
      <ClientName>\\172.30.249.22</ClientName>
      <ClientAddressLength>16</ClientAddressLength>
      <ClientAddress>0200CDB0AC1EF9160000000000000000</ClientAddress>
      <ShareNameLength>10</ShareNameLength>
      <ShareName>\\*\Users$</ShareName>
      <FileNameLength>91</FileNameLength>
      <FileName>username\ABCRD01\AppData\Roaming\Microsoft\Office\16.0\ffc2358e\Proofing\RoamingCustom.dic</FileName>
      <Duration>35359</Duration>
      <Threshold>15000</Threshold>
      <CtlCode>0</CtlCode>
      <SubCode>0</SubCode>
      <TunneledControl>0</TunneledControl>
    </EventData>
  </UserData>
</Event>
Given this looks to be an issue with the minifilter driver I'm assuming this can't be dealt with using a sysmon rule?
I can see changes to FsFilter (assuming the minifilter driver) in v15.15 so I'll try updating. https://techcommunity.microsoft.com/t5/sysinternals-blog/process-monitor-2-0-for-linux-and-sysmon-v15-15/ba-p/4199063
I've also messaged Alex_Mihaiuc who posted the update to see if there's more detail.
This issue is a copy of the issue from the SwiftOnSecurity project, which seems to be dead. Anyway, the issue still exists with the recent 15.14 as well, and with the sysmon-modular config from this repo:
https://github.com/SwiftOnSecurity/sysmon-config/issues/171 https://www.reddit.com/r/sysadmin/comments/yis8fi/network_share_word_and_excel_files_take_35/
Does anyone have an idea why on some systems the registration of the filter FSCTL_REQUEST_FILTER_OPLOCK is causing such a huge delay in saving times for some file types?
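The SMBServer event 1020 quoted above, as a small triage parser added here (not code from the Sysmon project or from any poster in the thread): it reads the exported event XML, decodes the raw SOCKADDR hex in ClientAddress into an IP and port, maps the SMB2 command code to a name, and groups slow operations by file extension so you can see whether particular file types dominate the delays. The XML namespaces come from the event itself; the Command-to-name table assumes the field carries the MS-SMB2 command code, and SAMPLE_EVENT_XML is a trimmed copy of the event posted above.

```python
"""Triage Microsoft-Windows-SMBServer/Operational event 1020 (slow file system operation)."""
import ipaddress
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Namespaces used in the exported event: the Windows event schema for <System>/<UserData>
# and the "Smb2Namespace" the SMB server declares on its <EventData> payload.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event", "s": "Smb2Namespace"}

# SMB2 command codes as numbered in MS-SMB2; assumption: the event's <Command> field carries this code.
SMB2_COMMANDS = {
    0: "NEGOTIATE", 1: "SESSION_SETUP", 2: "LOGOFF", 3: "TREE_CONNECT", 4: "TREE_DISCONNECT",
    5: "CREATE", 6: "CLOSE", 7: "FLUSH", 8: "READ", 9: "WRITE", 10: "LOCK", 11: "IOCTL",
    12: "CANCEL", 13: "ECHO", 14: "QUERY_DIRECTORY", 15: "CHANGE_NOTIFY", 16: "QUERY_INFO",
    17: "SET_INFO", 18: "OPLOCK_BREAK",
}

# Trimmed copy of the event 1020 posted in the thread (field values unchanged).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1020</EventID>
    <Computer>ABCSERVER21.DOMAIN.local</Computer>
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <Command>6</Command>
      <UserName>DOMAIN\username</UserName>
      <ClientAddress>0200CDB0AC1EF9160000000000000000</ClientAddress>
      <ShareName>\\*\Users$</ShareName>
      <FileName>username\ABCRD01\AppData\Roaming\Microsoft\Office\16.0\ffc2358e\Proofing\RoamingCustom.dic</FileName>
      <Duration>35359</Duration>
      <Threshold>15000</Threshold>
    </EventData>
  </UserData>
</Event>"""


def decode_client_address(hex_sockaddr: str) -> Tuple[str, int]:
    """Decode <ClientAddress>, a Windows SOCKADDR as hex: little-endian family, network-order port.
    AF_INET (2): family[2] port[2] addr[4] pad[8]; AF_INET6 (23): family[2] port[2] flow[4] addr[16] scope[4]."""
    raw = bytes.fromhex(hex_sockaddr)
    family = struct.unpack_from("<H", raw, 0)[0]
    port = struct.unpack_from("!H", raw, 2)[0]
    if family == 2 and len(raw) >= 8:
        return str(ipaddress.IPv4Address(raw[4:8])), port
    if family == 23 and len(raw) >= 24:
        return str(ipaddress.IPv6Address(raw[8:24])), port
    raise ValueError(f"unsupported or truncated sockaddr: family={family} len={len(raw)}")


@dataclass
class SlowSmbOp:
    server: str
    user: str
    client_ip: str
    client_port: int
    share: str
    file_name: str
    command: str
    duration_ms: int
    threshold_ms: int

    @property
    def over_threshold(self) -> float:
        """Duration as a multiple of the server's configured warning threshold."""
        return self.duration_ms / self.threshold_ms

    @property
    def extension(self) -> str:
        name = self.file_name.rsplit("\\", 1)[-1]  # basename; folders like "16.0" must not count
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event_1020(xml_text: str) -> SlowSmbOp:
    """Parse one exported <Event> element; rejects anything that is not event ID 1020."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1020":
        raise ValueError("not an SMBServer event 1020")
    data = root.find("e:UserData/s:EventData", NS)
    field = lambda name: data.findtext(f"s:{name}", default="", namespaces=NS)
    ip, port = decode_client_address(field("ClientAddress"))
    code = int(field("Command"))
    return SlowSmbOp(
        server=root.findtext("e:System/e:Computer", default="", namespaces=NS),
        user=field("UserName"), client_ip=ip, client_port=port,
        share=field("ShareName"), file_name=field("FileName"),
        command=SMB2_COMMANDS.get(code, f"UNKNOWN({code})"),
        duration_ms=int(field("Duration")), threshold_ms=int(field("Threshold")),
    )


def summarize_by_extension(ops: Iterable[SlowSmbOp]) -> Dict[str, dict]:
    """Count slow operations per file extension with the worst duration and the SMB2 commands seen."""
    summary: Dict[str, dict] = {}
    for op in ops:
        entry = summary.setdefault(op.extension, {"count": 0, "max_ms": 0, "commands": set()})
        entry["count"] += 1
        entry["max_ms"] = max(entry["max_ms"], op.duration_ms)
        entry["commands"].add(op.command)
    return summary


if __name__ == "__main__":
    op = parse_event_1020(SAMPLE_EVENT_XML)
    print(f"{op.server}: {op.command} on {op.share}\\{op.file_name} by {op.user} "
          f"from {op.client_ip}:{op.client_port} took {op.duration_ms} ms "
          f"({op.over_threshold:.1f}x the {op.threshold_ms} ms threshold)")
    print(summarize_by_extension([op]))
```

For the sample event this yields the CLOSE of RoamingCustom.dic from 172.30.249.22:52656 at 2.4x the 15000 ms threshold. To run it over a real file server, export the channel with `wevtutil qe Microsoft-Windows-SMBServer/Operational /q:"*[System[EventID=1020]]" /f:xml`; that output is a sequence of `<Event>` elements without a single root, so split on `</Event>` (or wrap the text in a root element) before feeding each event to `parse_event_1020`, and then `summarize_by_extension` shows whether the delays cluster on particular file types.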