I faced a bug in Sysmon (ver. 7.01 and 7.03): Sysmon's driver (SysmonDrv.sys) consumes a new area in nonpaged pool memory every time the configuration reloads, but the driver does not free the old area in nonpaged pool memory. As a result, we can see a memory leak. I found this problem on my VM, which had only 4GB RAM and more than 180 days of uptime.
I used this script to reproduce the bug:
$sleep = 0
$ErrorActionPreference = "SilentlyContinue"
$iterationPeriod = New-TimeSpan -Seconds 2      # target interval between configuration reloads
$scriptDuration = New-TimeSpan -Hours 1         # total run time of the reproduction
$scriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
while ($scriptStopWatch.ElapsedMilliseconds -le $scriptDuration.TotalMilliseconds)
{
    # Sleep off whatever is left of the previous iteration so reloads happen roughly every 2 s
    if ($sleep -gt 0) { Start-Sleep -Milliseconds $sleep }
    $iterationStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
    # Reload the same configuration file; the driver allocates a new pool area on each reload
    Invoke-Expression 'C:\Windows\Sysmon64.exe -c "C:\Windows\SysmonConfig.xml"' | Out-Null
    $iterationStopWatch.Stop()
    $iterationTime = $iterationStopWatch.Elapsed
    $sleep = $iterationPeriod.TotalMilliseconds - $iterationTime.TotalMilliseconds
}
$scriptStopWatch.Stop()
SysR is the Sysmon driver's pool tag; as you can see, it took 252313744 bytes (240 MBytes).
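A defender-side check for the behaviour reported above, added here as an example and not part of the issue author's script: it samples the kernel-wide nonpaged pool counter before and after a batch of configuration reloads and warns when the per-reload growth is out of proportion. The Sysmon64.exe and configuration paths are assumed placeholders, and because the counter is system-wide rather than per pool tag, a positive result should be confirmed with poolmon on the SysR tag.

```powershell
# Added example: measure nonpaged pool growth across Sysmon configuration reloads.
# Assumptions: Sysmon64.exe and the config path are placeholders for your install;
# the counter '\Memory\Pool Nonpaged Bytes' is the standard Windows Memory counter.
param(
    [string]$SysmonExe        = 'C:\Windows\Sysmon64.exe',      # assumed path
    [string]$ConfigPath       = 'C:\Windows\SysmonConfig.xml',  # assumed path
    [int]$Reloads             = 20,
    [int]$WarnPerReloadKB     = 64   # growth per reload treated as suspicious (tune per host)
)

function Get-NonpagedPoolBytes {
    # Kernel-wide nonpaged pool currently in use, in bytes.
    (Get-Counter '\Memory\Pool Nonpaged Bytes').CounterSamples[0].CookedValue
}

$before = Get-NonpagedPoolBytes
for ($i = 1; $i -le $Reloads; $i++) {
    # Reload the identical configuration; a driver that frees its old area
    # should return to roughly the same footprint after each reload.
    & $SysmonExe -c $ConfigPath | Out-Null
    Start-Sleep -Seconds 2
}
$after = Get-NonpagedPoolBytes

$growth      = $after - $before
$perReloadKB = [math]::Round($growth / $Reloads / 1KB, 1)

"Nonpaged pool before: {0:N0} bytes, after: {1:N0} bytes" -f $before, $after
"Growth per reload: $perReloadKB KB over $Reloads reloads"

if ($perReloadKB -gt $WarnPerReloadKB) {
    Write-Warning ("Nonpaged pool grows ~$perReloadKB KB per reload; " +
                   "confirm the SysR tag in poolmon and update Sysmon.")
}
```

Run it once on a quiet host to establish a baseline; other drivers also use nonpaged pool, so only sustained growth that tracks the reload count points at SysmonDrv.sys.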