This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 62%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Running sysmon 15.12 with a pretty robust config that's a combination of open source (swiftonsecurity, etc) and my own rules.
I am noticing a peculiar behavior in 15.12 where after running normal/stable for a while, sysmon decides to consume an entire CPU core and stops logging FileCreate and FileExecutableDetected events. Other events at this time are continuing to be logged. Not yet sure if that's the symptom/clue or a red herring, but a restart typically fixes the issue: back to low CPU utilization and the events begin being logged, until something happens and it's back to high CPU + no file-related events.
Anyone experiencing anything similar?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 6%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
What's the general memory situation on the computer? Anything special when this happens?
Based on your comments on https://techcommunity.microsoft.com/t5/sysinternals-blog/sysmon-v15-14/bc-p/4135680#M668 I was able to confirm that the lack of File-related events is directly linked to sysmon crashes, which are occasionally occuring upon config re-load. So in that regard, we are upgrading to 15.14 to hopefully eliminate this issue.
I haven't figured what the high CPU utilization is related to, because it occurs a lot less frequently, but will take another look once we (hopefully) eliminate the crashes with 15.14. Memory utilization hasn't been mentioned to me as a concern, but I haven't independently verified this.
I'm especially curious whether the system is engaging in "more" paging at the time.