Sysinternals Update June 2020

GREAT additions to Sysmon!

Thanks, for me it was an very good and clearly detailed presentation about interacting features of sysinternal parts.

Now please update Autoruns, Process Explorer and Process Monitor with the option to remove window title, because it is the main way for malware to detect them running.
I made the request on Sysinternals forums quite a long time ago, but no changes yet :)

Excellent, congrants!!

Wow, thanks for not forgetting about SysInternals tools, thanks for maintaining this on the side! Perhaps VMMap supporting Fragmentation View for x64 one day, and why does RAMMap take so much RAM, +1500 MB, really necessary?

You are great!! When is next Case of unexplained.... Series?

v11.00, well I'm testing with V11.10, seems to include several 'CopyOnDelete....' configuration entries in addition to the new DnsLookup and ArchiveDirectory. For the new EventID 23 (FileDelete) there is an explicit addition of the default c:\Sysmon path where all deleted files are (well) 'archived'. It seems the only way to disable the ArchiveDirectory, and I guess more specifically the CopyOn-Delete#### variants is to disable event logging of EventID 23. It seems so because in the configuration section trying something like fubar on a schema declaration of 4.3, well I'm trying 4.32 with Sysmon v11.10, yields an error that CopyOnDeleteExtensions isn't expected. Of course I'm guessing on that declaration syntax because I have spent the better part of a week trying to find a single example of the syntax in use, Sysmon itself doesn't provide clarity nor has any browser based search turned anything up. Maybe it's just me, but learning is good so if someone has answers (examples) I'm all eyes! So for now I'm wondering if enabled EventId 23 for FileDelete is effectively enabling DOS per-host where it is done, wondering because unless you think about the vague descriptions of ArchiveDirectory the C:\Sysmon (for that matter the root on every mount has a \Sysmon), that folder is consumming free space and eventually things will get full. When I first relazied this as saw the reference to 'psexec.exe -sid cmd' to delete the files a 'del *' ran for over 2 hours deleting (oh, and there were (are) some files that cannot be deleted even then). So, I'm eyes wide open for a solution.

Can we get option added to zoomit draw function that allow us to change draw pointer from dot to other options like larger laser pointer dot or small icon of pencil?

Neato. Why does urlmon.dll (shown at 10:23) show a Timestamp of 3/28/1925?

Need to try it but possibly a fix for windows7 empty of trashbin which seems to hang w/ the dialogue popup stating that it is discovering?

Sir I am photographer Lot of image files (Jpg and Cr2 files) are available in my windows 10 system, but not able to see and use them tried hard to retrive them but failed if can kindly guide me, Sir.

Would like to ask a few questoin about installing the sysinternals ,
hope you could help me on this .
I can't install sysinternals by running the following command in powershell 7.0.3
Install-Package -Name sysinternals
Get-PackageSource shows
Name PSGallery
ProviderName = PowerShellGet
IsTrusted = False
Location = https:/www.powershellgallery.com/api/v2
Get-Package -Name chocolatey shows
Name = chocolatey
Version = 0.0.79
Source = https:/www.powershellgallery.com/c...
ProviderName = PowershellGet
what should i do ....