Sysmon service - security descriptors and recovery options
To prevent user tampering and recover from process crashes, when installing sysmon I used to modify the security descriptors on the service to remove Admin's ability to stop it and set the recovery options to restart after 1st, 2nd and subsequent…
How to temporarily stop as much as possible Microsoft network traffic on a potentially compromised machine
I need to connect my potentially compromised Win10 machine to the network briefly to determine any attempted target endpoint addresses, while blocking the actual connections at the edge firewall. However, various Microsoft products are generating an…
Delete the white line and the logo
So I have just signed in to my Microsoft Teams school account and I found out that when I press "Type here to search", up on the "All" there is the white line with my school's logo. How can I remove this? Please tell me because I feel like I am…
400% difference in CPU usage between "Task Manager" and "Sysinternal's Process Explorer"
On one specific server I have a 400% difference in CPU usage between "Task Manager" and "Sysinternal's Process Explorer" (both pictures were taken in the same screenshot, so at the exact same time). What can be the cause of this…
"Autologon SysInternals" app is not working after enrolling the device in Intune
Our customer uses the "Autologon SysInternals" app to enable autologon with a saved password for some of the devices. Once we enroll such a device in Intune, the "Autologon SysInternals" app fails its purpose and autologon with saved password is not…
How to make way for powershell to run a script when error 15100 is in the way?
In order to run a script from https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_scripts?view=powershell-7.4 (the Get-servicelog.ps1), the error with McpManagementService needs to be addressed (see…
Can't uninstall Sysmon 15.5 - access denied
Hello, I've tried multiple suggestions from other posts, nothing worked. When I try to uninstall sysmon using the same installer used to install it, I get: Stopping the service failed: The system cannot find the file specified DeleteService failed: …
autoruns shows MS file bthhfenum.sys not verified (Windows 10 Home)
When I run autoruns, it shows a file that is not verified that is supposed to be provided by Microsoft. VirusTotal does not consider it a threat. Is this something I should be concerned about? My Windows 10 Home edition is up to date. …
Sysmon's reported CommandLine adds extra percent characters on Process Create events
When launching a process with a percent sign in the command line arguments, Sysmon adds an additional percent character for each one in the actual command line arguments. This issue is observed in both v13.24 and Sysmon 15.15 on at least Windows 10. For…
Accessibility of Microsoft Applications
Hi Community, I have been facing an issue with the accessibility settings on my mobile device for some of the Microsoft apps like Authenticator, Defender, Link to Windows and Launcher. When I turn the access on for them, after some time it is turned back…
Process information missing from network connection events
I'm verifying my Sysmon configuration file with test scripts inspired by Atomic Red Team. When testing my NetworkConnect rules (Event ID 3), one of my scripts is using wget from GnuWin32. Checking the result, I saw that the event logged doesn't…
Resize and align Process Explorer tool bar graphs
I think it would be very nice if all mini graphs in the tool bar of Sysinternals' Process Explorer were of equal size by default. They could/should use the total available width and automatically be resized when the window is resized. Please also include…
Autoruns 14.11 dark mode has black text instead of white/gray text on Windows 11
The screenshot below shows black text while Autoruns 14.11 is in dark mode on Windows 11. Ideally, the text should be white or gray while in dark mode. Can someone please look into this issue and provide a resolution?
Autoruns looks bad in 4K
Try running Autoruns on a 4K monitor, or any other HiDPI display. You will almost be unable to read the entries.
One value in registry the dvr_fsebehavior is prone to discard its set value for other than the default; what can bind it in place?
Hi, it is highly important that the value remain at (2), not at the default (1). Safety cooperates with bcdedit /set to permit fullscreen modes without risk of physical impact, which can be extreme gradually & imperceptibly. However, the value is discarded of…
How to address system faults in relation to storage I/O issues which debilitate user experience?
Hi, I mean to query these faults in Events because they are esteemed relevant to errors with a storage disk, namely the events 154, 157, and 51. By backing up the disk and formatting it, then re-writing the data back to it, these faults below were…
Trying to find out what is uninstalling a program
Hi Team, I've been trying to install a program onto a managed PC and everything installs fine, but a minute later the program will be deleted or uninstalled. I've run Process Monitor and am trying to find out what is uninstalling it, and it looks like the…
New startup registry key in Windows 10/11, NOT captured within autoruns
Hi All, While researching the startup behavior of Windows Container (Windows Metro) Apps, like the ones installed through Microsoft Store or native to the system (Xbox/Phone, etc.), I came across a new registry key location (different from the known…
Sysmon tries to connect to internet
Sysmon64.exe tried to connect to two hosts, 192.229.221.95 and 152.199.19.74. According to whois services they belong to the EDGECAST network. Is that normal behavior?
Autoruns latest version not detecting scheduled tasks on windows 11
Windows 10 detects them all fine, as it should.