sysmon-config
No Sysmon Event ID 1 events are being logged
Hi all,
Using Sysmon v11 on a fresh install of Windows Server 2016.
Installed Sysmon via elevated PS:
.\Sysmon64.exe -i ..\..\Desktop\sysmon.xml
Output from command:
System Monitor v11.0 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.22
Sysmon schema version: 4.30
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
I can see events for process termination, DNS, etc., but not process creation.
I am not sure if the following points to any clues on the issue:
Loading configuration file with schema version 4.22
Sysmon schema version: 4.30
I have also tried Sysmon.exe (as opposed to Sysmon64.exe) with no luck.
Anyone else seen this?
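A diagnostic for the situation described in the post above, added here as an example and not taken from the thread or from the sysmon-config project: it counts which Sysmon event IDs have actually been written recently, starts a harmless test process and looks for the matching Event ID 1, and then inspects the ProcessCreate filter section of the config file, since an include section with no matching rules (or an exclude that matches everything) would also produce no Event ID 1. It assumes Sysmon64.exe is reachable from the current directory or PATH and that $ConfigPath (a hypothetical parameter) points at the XML that was installed.

```powershell
# Added diagnostic (not from the original thread). Checks whether Sysmon
# Event ID 1 (ProcessCreate) reaches the Operational log and inspects the
# ProcessCreate filter in the config. Run from an elevated PowerShell.
param(
    [string]$ConfigPath = ".\sysmon.xml",   # assumption: path to the installed config
    [int]$LookbackMinutes = 60
)

$LogName = 'Microsoft-Windows-Sysmon/Operational'
$since   = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Which Sysmon event IDs have been written in the lookback window?
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    "No Sysmon events at all in the last $LookbackMinutes minutes; check that Sysmon64 and SysmonDrv are running."
} else {
    "Sysmon events by ID (last $LookbackMinutes minutes):"
    $events | Group-Object Id | Sort-Object { [int]$_.Name } |
        ForEach-Object { "{0,4}  {1,6}" -f $_.Name, $_.Count }
}

# 2. Start a benign process with a unique marker and see whether an Event ID 1 follows.
$marker = "sysmon-eid1-check-$([guid]::NewGuid().ToString('N'))"
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1; StartTime = $since } `
                    -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -like "*$marker*" }
if ($hit) {
    "Event ID 1 was logged for the test process."
} else {
    "No Event ID 1 for the test process: ProcessCreate events are not being recorded."
}

# 3. Inspect the ProcessCreate filter in the config file. The XPath handles both
#    configs that wrap filters in <RuleGroup> and older ones that do not.
if (Test-Path $ConfigPath) {
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    "Config file schemaversion: $($cfg.Sysmon.schemaversion)"
    $nodes = $cfg.SelectNodes('//ProcessCreate')
    if ($nodes.Count -eq 0) {
        "No ProcessCreate filter section found; Sysmon's default for this event type applies."
    }
    foreach ($n in $nodes) {
        "ProcessCreate onmatch='$($n.onmatch)' with $($n.ChildNodes.Count) rule(s)"
    }
} else {
    "Config file $ConfigPath not found."
}

# 4. Dump what the running Sysmon reports as its loaded configuration (schema
#    version and rules) so it can be compared with the file above.
& Sysmon64.exe -c
```

If step 1 shows other IDs but step 2 finds no Event ID 1, and step 3 shows an onmatch='exclude' section with few or no rules (or no section at all), the filter is not the cause and the problem is in Sysmon itself, which is what the reply below points to; if step 3 shows onmatch='include' with rules that do not match the test process, the configuration is filtering the events out.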
Known bug in Sysmon; wait for an update from Mark.
I first saw this reported on 05 May here:
https://twitter.com/S0xbad1dea/status/1257699725786177536?s=19
Hi, can anyone help by telling me how this issue was solved? I am facing the same issue currently, as I have downloaded Sysmon on multiple devices, and Event ID 1 is working on some of them and not working on the rest. Please advise.