Sysmon de-installed. Still many EventID 1001, APPCRASH Sysmon64.exe (every 20 sec)

[Wim277]

Running Windows Server 2019 (1809) on physical hardware Installed Sysmon64 on this domain controller. After a while I started seeing EventID 1001's, many of them, about every 20 seconds. So I thought of re-installing. I did in CMD as admin: sysmon64.exe -u force. The printout stated that it was uninstalled. But still receiving there windows events....even after a reboot.

Fault bucket , type 0 Event Name: APPCRASH Response: Not available Cab Id: 0

Problem signature: P1: Sysmon64.exe P2: 11.1.0.0 P3: 5eea6ff6 P4: ntdll.dll P5: 10.0.17763.1613 P6: 999e93ac P7: c0000005 P8: 0000000000061177 P9: P10:

Analysis symbol: Rechecking for solution: 0 Report Id: 4df20b09-51de-4626-9962-be08132f9d87 Report Status: 4196 Hashed bucket: Cab Guid: 0

Please advice Best regards. Wim

[Wim277]

My other domaincontroller, server 2016, does not have these issues. Same sysmon64 version is used

[Wim277]

fltmc.exe does not list the Sysmondrv, but still getting APPCRASH reports in eventvwr.

[Hudi233]

Hi friend! I had the same problem. Have you solved it yet?

[dprezzz]

Couple years later, Sysmon64 v15.11 installed uninstalled and Sysmon v15.22 install uninstall, all files delted, domain controller. Still 1001 error from Sysmon64.exe...how?