Scribd
Upload
161 views6 pages

Sysmon: How To Install, Upgrade, and Uninstall

The document provides guidance on installing, upgrading, and uninstalling the Sysmon monitoring tool on Windows systems. It describes how to install Sysmon with a single executable and configuration file. Upgrading is not supported as the service must first be uninstalled. Uninstalling can sometimes fail, leaving registry keys and files behind. The document details the files and registry locations Sysmon affects and provides PowerShell scripts to check for leftover Sysmon components and manually remove them if uninstallation fails. This allows a clean reinstallation of Sysmon.

Uploaded by

Daniel
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
161 views6 pages

Sysmon: How To Install, Upgrade, and Uninstall

The document provides guidance on installing, upgrading, and uninstalling the Sysmon monitoring tool on Windows systems. It describes how to install Sysmon with a single executable and configuration file. Upgrading is not supported as the service must first be uninstalled. Uninstalling can sometimes fail, leaving registry keys and files behind. The document details the files and registry locations Sysmon affects and provides PowerShell scripts to check for leftover Sysmon components and manually remove them if uninstallation fails. This allows a clean reinstallation of Sysmon.

Uploaded by

Daniel
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 6

Sysmon: How to install, upgrade,

and uninstall
2021-06-02

• Introduction
• Helpful Links
• Install
• Upgrade
• Uninstall
o The Problem
o The Investigation
o The Solution

Introduction
If you’re on this page you probably don’t need me to explain much about what
Sysmon is or why it is an excellent tool for security monitoring. In short:

• It’s part of Microsoft’s Sysinternals Suite


o So it should play nice with Windows
• It can monitor almost anything that happens on a Windows host
o So it can detect all the most common MITRE ATT&CKs
• It logs using Windows Event Logs
o So it’s easy to export to a SIEM etc for analysis
However, if you’ve tried rolling Sysmon out to a large number of machines, and
then removing or updating it, you may have experienced some issues. At least, I
did. So I’ve collated some of my findings.

At the time of writing Sysmon is on version 13.20.

Helpful Links
Main website: https://docs.microsoft.com/en-
us/sysinternals/downloads/sysmon
Sysmon
guide: https://github.com/trustedsec/SysmonCommunityGuide/blob/master/in
stall-and-configuration.md
Sysmon support: https://docs.microsoft.com/en-us/answers/topics/windows-
sysinternals-sysmon.html

Install
This is the easy bit. Download Sysmon.zip from the main website, extract, then
run:
Sysmon64.exe -i
If you have a config file you want to use:
Sysmon64.exe -i <path-to-config.xml>
Done.

Upgrade
This is where it gets more complicated. You can’t upgrade:
The service Sysmon64 is already registered. Uninstall Sysmon before
reinstalling.

Uninstall
And even this isn’t simply. While Sysmon has a built-in uninstall action:
Sysmon64.exe -u

The Problem
Except, sometimes it fails. And when it does, you’re kind of stuck. You can’t
reinstall Sysmon, as it claims Sysmon is already installed, but you also can’t
uninstall it by rerunning the command, as it says it’s not installed. Catch 22!

There is another option:


Sysmon64.exe -u force
Although there is no documentation on exactly what it forces. See my forum
post: https://docs.microsoft.com/en-us/answers/questions/404683/sysmon-u-
vs-u-force.html
And it doesn’t seem to make much difference anyway.

The Investigation
This led me to further investigation. I ran several installs and uninstalls and took
snapshots using Regshot, an awesome tool that lets you do before-and-afters
for the filesystem and registry.
From this, I found Sysmon affects the following:
• C:\Windows\Sysmon64.exe
• C:\Windows\SysmonDrv.sys
• HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64
• HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv
• HKLM:\SYSTEM\ControlSet001\Services\Sysmon64
• HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv
• HKLM:\SYSTEM\ControlSet002\Services\Sysmon64
• HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv
• HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Micros
oft-Windows-Sysmon/Operational
• HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577
0385f-c22a-43e0-bf4c-06f5698ffbd9}
• HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-
Microsoft-Windows-Sysmon-Operational
Other findings:
1. Even though it says Sysmon64 removed., uninstalling Sysmon
does not remove the Sysmon64.exe file itself. This needs to be done
manually.
2. If it fails, often even a machine reboot won’t fix it. This is because
the Services\SysmonDrv registry keys, and SysmonDrv.sys, still exist. When
the machine restarts, the service will start (note it’s not visible in Task
Manager or the Services manager). If you try to uninstall or reinstall, you
get the above “already exists” issue.
This means, if the Sysmon64.exe -u fails, you’ll need to do some manual
intervention. This is the best I’ve found.

The Solution
First, I wrote a script to check the above files, to see what exists and what doesn’t.
In production I used a more complex one that feeds into our SIEM, but this is the
core of it:

$log_file = 'sysmon-checks.log'

$items = @(
"C:\Windows\Sysmon64.exe",
"C:\Windows\SysmonDrv.sys",
"HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64",
"HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv",
"HKLM:\SYSTEM\ControlSet001\Services\Sysmon64",
"HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv",
"HKLM:\SYSTEM\ControlSet002\Services\Sysmon64",
"HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv",

"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Micros
oft-Windows-Sysmon/Operational",

"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577
0385f-c22a-43e0-bf4c-06f5698ffbd9}",
"HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-
Microsoft-Windows-Sysmon-Operational"
)

$services = @(
"Sysmon64",
"SysmonDrv"
)

foreach ( $i in $items ) {
If ( Test-Path $i ) {
$result = 'O'
} Else {
$result = 'X'
}
Write-Output "$result : $i".ToString() | Out-File -Filepath
$log_file -Append -NoClobber -Encoding UTF8
}

foreach ( $s in $services ) {
$status = (Get-Service $s -ErrorAction SilentlyContinue).Status
Write-Output "$status : $s".ToString() | Out-File -Filepath
$log_file -Append -NoClobber -Encoding UTF8
}
view rawsysmon-checks.ps1 hosted with ❤ by GitHub

I like to use O for success and X for fail, from my teaching in Korea days.
For a fresh install, the output is something like this:

O : C:\Windows\Sysmon64.exe
O : C:\Windows\SysmonDrv.sys
O : HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64
O : HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv
O : HKLM:\SYSTEM\ControlSet001\Services\Sysmon64
O : HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv
X : HKLM:\SYSTEM\ControlSet002\Services\Sysmon64
X : HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv
O : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft
-Windows-Sysmon/Operational
O : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577038
5f-c22a-43e0-bf4c-06f5698ffbd9}
O : HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-
Windows-Sysmon-Operational
Running : Sysmon64
Running : SysmonDrv

However, a failed uninstall might look something like this:

O : C:\Windows\Sysmon64.exe
O : C:\Windows\SysmonDrv.sys
X : HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64
O : HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv
X : HKLM:\SYSTEM\ControlSet001\Services\Sysmon64
O : HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv
X : HKLM:\SYSTEM\ControlSet002\Services\Sysmon64
O : HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv
X : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft
-Windows-Sysmon/Operational
X : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577038
5f-c22a-43e0-bf4c-06f5698ffbd9}
X : HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-
Windows-Sysmon-Operational
: Sysmon64
Running : SysmonDrv
The executable is there, but the service relating to it doesn’t exist. Yet the driver
is still up and running. If you try to stop the driver manually after a failed -
u uninstall, it often doesn’t - you get a Stopping the service failed error, or it just
hangs at Stopping.
There is a solution, however. If the registry keys relating to the service don’t exist,
then, on the next reboot, the service doesn’t exist either. Hence, it doesn’t start
(and therefore doesn’t need stopping), so you can delete SysmonSys.Drv and
you’re good to go!
To make this easier - yeah, another PowerShell script, with error logging:

$log_file = 'sysmon-uninstall.log'

$items = @(
"HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64",
"HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv",
"HKLM:\SYSTEM\ControlSet001\Services\Sysmon64",
"HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv",
"HKLM:\SYSTEM\ControlSet002\Services\Sysmon64",
"HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv",

"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Micros
oft-Windows-Sysmon/Operational",

"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577
0385f-c22a-43e0-bf4c-06f5698ffbd9}",
"HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-
Microsoft-Windows-Sysmon-Operational"
)

foreach ( $i in $items ) {
$error.Clear();
Remove-Item -Path $i -Force -Recurse -ErrorAction SilentlyContinue
If($error) {
$result = $error.Exception.Message
} Else {
$result = "O : $i"
}
Write-Output "$result".ToString() | Out-File -Filepath $log_file -
Append -NoClobber -Encoding UTF8
}
view rawsysmon-reg-keys-deleter hosted with ❤ by GitHub

The output from my clean install above was (note O means successfully deleted):
O : HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64
O : HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv
Cannot find path 'HKLM:\SYSTEM\ControlSet001\Services\Sysmon64' because it do
es not exist.
Cannot find path 'HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv' because it d
oes not exist.
Cannot find path 'HKLM:\SYSTEM\ControlSet002\Services\Sysmon64' because it do
es not exist.
Cannot find path 'HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv' because it d
oes not exist.
O : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft
-Windows-Sysmon/Operational
O : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577038
5f-c22a-43e0-bf4c-06f5698ffbd9}
O : HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-
Windows-Sysmon-Operational

Then, after a reboot, you can


delete C:\Windows\SysmonDrv.sys (and C:\Windows\Sysmon64.exe if you haven’t
already). If you run sysmon-checks.ps1 again you’ll get this:
X : C:\Windows\Sysmon64.exe
X : C:\Windows\SysmonDrv.sys
X : HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64
X : HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv
X : HKLM:\SYSTEM\ControlSet001\Services\Sysmon64
X : HKLM:\SYSTEM\ControlSet001\Services\SysmonDrv
X : HKLM:\SYSTEM\ControlSet002\Services\Sysmon64
X : HKLM:\SYSTEM\ControlSet002\Services\SysmonDrv
X : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft
-Windows-Sysmon/Operational
X : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{577038
5f-c22a-43e0-bf4c-06f5698ffbd9}
X : HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-
Windows-Sysmon-Operational
: Sysmon64
: SysmonDrv

And then you can install as normal!

You might also like