SFC unable to repair Server 2019 Datacenter Terminal Server

Code:
SFCFix version 3.0.2.1 by niemiro.
Start time: 2022-03-08 15:58:22.364
Microsoft Windows Server 10 Build 17763 - amd64
Using .txt script file at C:\Users\adm-david\Desktop\SFCFixScript.txt [0]




FileScan::
[0: 1] C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1_none_3f5a01e7dbc22676\tls_branding_config.xml
 Expected: UNKNOWN Found: Nd2mP1AfC3GnXAsSGH6bJXo5ZXuI3HVN9K/52O5Oock=
 Expected: 10.0.17763.1 Found: Version number not available.
Successfully traced component amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1_none_3f5a01e7dbc22676.
Microsoft-Windows-Server-Gui-Mgmt-Package-termsrv~31bf3856ad364e35~amd64~~10.0.17763.1.Microsoft-Windows-Server-Gui-Mgmt-Package-termsrv



[1: 1] C:\Windows\WinSxS\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1_none_e33b66642364b540\tls_branding_config.xml
 Expected: UNKNOWN Found: W8EhyWdKXfPXApHjAJ8uodWON0+uYGluNK7rRuiGy18=
 Expected: 10.0.17763.1 Found: Version number not available.
Successfully traced component x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1_none_e33b66642364b540.
Microsoft-Windows-Server-Gui-Mgmt-Package-termsrv~31bf3856ad364e35~amd64~~10.0.17763.1.Microsoft-Windows-Server-Gui-Mgmt-Package-termsrv



[2: 2] C:\Windows\WinSxS\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\tls_branding_config.xml
 Expected: UNKNOWN Found: w7Koxnm4mCmxc80FvfpGrLGyim1Nom/PApU4ejhakmI=
 Expected: 10.0.17763.1075 Found: Version number not available.
Failed to trace component x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e with return code -3.

 [C:\Windows\SysWOW64\tls_branding_config.xml]


[3: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2366.1.5\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\f\tls_branding_config.xml
File is untraceable.
 Found: JUtV/+uSJzyL7s0uKnLLITK8gyC3bUDg8roCgrdMPzo=
 Version number not available.
Trace not available.



[4: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2366.1.5\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\f\tls_branding_config.xml
File is untraceable.
 Found: UeJzxjb/Z6XrM+heHvI9IzpQBm6Y3IIq01KCf3b9Yt0=
 Version number not available.
Trace not available.



[5: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2366.1.5\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\r\tls_branding_config.xml
File is untraceable.
 Found: c/ShwF99sK/ZaWCrHoC4WLBLPXyRcUIUmME87LOPkLQ=
 Version number not available.
Trace not available.



[6: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2366.1.5\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\r\tls_branding_config.xml
File is untraceable.
 Found: MZ8HrEKLv9M2bNtAhVfuamSQJfMCH2A8L/O3pYc71BY=
 Version number not available.
Trace not available.



[7: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2452.1.5\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\f\tls_branding_config.xml
File is untraceable.
 Found: UeJzxjb/Z6XrM+heHvI9IzpQBm6Y3IIq01KCf3b9Yt0=
 Version number not available.
Trace not available.



[8: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2452.1.5\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\r\tls_branding_config.xml
File is untraceable.
 Found: MZ8HrEKLv9M2bNtAhVfuamSQJfMCH2A8L/O3pYc71BY=
 Version number not available.
Trace not available.



[9: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2452.1.5\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\f\tls_branding_config.xml
File is untraceable.
 Found: JUtV/+uSJzyL7s0uKnLLITK8gyC3bUDg8roCgrdMPzo=
 Version number not available.
Trace not available.



[10: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2452.1.5\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\r\tls_branding_config.xml
File is untraceable.
 Found: c/ShwF99sK/ZaWCrHoC4WLBLPXyRcUIUmME87LOPkLQ=
 Version number not available.
Trace not available.



[11: 1] C:\SFCFix\Backups\C\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
File is untraceable.
 Found: jmra94EUf4d4DB3TfmO1KfSklILVQaf0F/5GRY85UEc=
 Version number not available.
Trace not available.



[12: 1] C:\SFCFix\Backups\C\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
File is untraceable.
 Found: tF2Q5DUn4Ri0ANh0hoIN2EYJEvq9HvFH5lSxr8DUN4w=
 Version number not available.
Trace not available.



[13: 2] C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
 Expected: UNKNOWN Found: tF2Q5DUn4Ri0ANh0hoIN2EYJEvq9HvFH5lSxr8DUN4w=
 Expected: 10.0.17763.1 Found: Version number not available.
Successfully traced component amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202.
Microsoft-Windows-TerminalServices-Licensing-UI-Package~31bf3856ad364e35~amd64~~10.0.17763.1.Licensing-UI

 [C:\Windows\System32\LServer_PKConfig.xml]


[14: 2] C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
 Expected: UNKNOWN Found: jmra94EUf4d4DB3TfmO1KfSklILVQaf0F/5GRY85UEc=
 Expected: 10.0.17763.1075 Found: Version number not available.
Failed to trace component amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4 with return code -3.

 [C:\Windows\System32\tls_branding_config.xml]


[15: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2565.1.7\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\f\tls_branding_config.xml
File is untraceable.
 Found: JUtV/+uSJzyL7s0uKnLLITK8gyC3bUDg8roCgrdMPzo=
 Version number not available.
Trace not available.



[16: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2565.1.7\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\f\tls_branding_config.xml
File is untraceable.
 Found: UeJzxjb/Z6XrM+heHvI9IzpQBm6Y3IIq01KCf3b9Yt0=
 Version number not available.
Trace not available.



[17: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2565.1.7\x86_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_40297fed9ced069e\r\tls_branding_config.xml
File is untraceable.
 Found: c/ShwF99sK/ZaWCrHoC4WLBLPXyRcUIUmME87LOPkLQ=
 Version number not available.
Trace not available.



[18: 1] C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2565.1.7\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\r\tls_branding_config.xml
File is untraceable.
 Found: MZ8HrEKLv9M2bNtAhVfuamSQJfMCH2A8L/O3pYc71BY=
 Version number not available.
Trace not available.
FileScan:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 3 datablocks.
Finish time: 2022-03-08 15:58:53.991
Script hash: 6X3h71FCSO1O8YHnkXDDKY9GaUaGskuP/lGIDqy0WJA=
----------------------EOF-----------------------
 
Thank you, could you please try the following:

SFCFixScript.txt
Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.
  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the attached file, SFCFixScript.txt, and save this to your Desktop. Ensure that this file is named SFCFixScript.txt - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFixScript.txt.
  5. Drag the file SFCFixScript.txt onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a log should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.
 


Code:
SFCFix version 3.0.2.1 by niemiro.
Start time: 2022-03-09 08:14:04.471
Microsoft Windows Server 10 Build 17763 - amd64
Using .txt script file at C:\Users\adm-david\Desktop\SFCFixScript.txt [0]




CreateHardlink::
Failed to create hardlink from file C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml to C:\windows\System32\LServer_PKConfig.xml with error code ERROR_ALREADY_EXISTS.
Failed to create hardlink from file C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml to C:\windows\System32\tls_branding_config.xml with error code ERROR_ALREADY_EXISTS.
CreateHardlink:: directive failed to complete successfully.




Failed to process all directives successfully.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 3 datablocks.
Finish time: 2022-03-09 08:14:04.471
Script hash: gdEdtCBOra6UqHUUayS2EWV8iXAMsoSsYzeNlHOASx4=
----------------------EOF-----------------------
 
Could you please enter the following into a command prompt:

Rich (BB code):
fsutil hardlink list C:\Windows\System32\LServer_PKConfig.xml
fsutil hardlink list C:\Windows\System32\tls_branding_config.xml
 
Code:
C:\windows\system32>fsutil hardlink list C:\Windows\System32\LServer_PKConfig.xml
\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
\Windows\System32\LServer_PKConfig.xml

C:\windows\system32>fsutil hardlink list C:\Windows\System32\tls_branding_config.xml
\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
\Windows\System32\tls_branding_config.xml

C:\windows\system32>
 
Thanks, I'm going to ask for some advice on this one. The payload files appear to be linked to the correct WinSxS folder. I'm not sure why it reverts the changes on a reboot?
 
Apologies for the delay, could you please run the following commands from a command prompt window:

Rich (BB code):
fsutil hardlink list C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml

fsutil hardlink list C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
 
Code:
C:\windows\system32>fsutil hardlink list C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
\Windows\System32\tls_branding_config.xml

C:\windows\system32>fsutil hardlink list C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
\Windows\System32\LServer_PKConfig.xml

C:\windows\system32>
 
Thank you, could you please follow these steps, there will be a couple so I'll explain what the purpose of each one is:

SFCFixScript.txt

  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the attached file, SFCFixScript.txt, and save this to your Desktop. Ensure that this file is named SFCFixScript.txt - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFixScript.txt.
  5. Drag the file SFCFixScript.txt onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a log should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

This will create a .zip file on your desktop called LServer_PKConfig.zip. Please attach it in your next post. I just want to see what is actually happening to the file over a reboot and if the file is actually corrupt or just changed.




SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.


  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the file below, SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
  5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
  8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

This is the same fix we've applied in the past; however, this time could you please run sfc /scannow twice in succession without rebooting. Please post the output of both runs. This step is to establish if the file is becoming corrupt again over a reboot or because there is an issue with the hardlink between the WinSxS folder and the System32 directory.
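As an added diagnostic (not part of this thread or the SFCFix script), the following PowerShell records, for both payload files, whether the System32 path and the WinSxS component copy are still one NTFS file (same file ID, so the hard link is intact) and whether their contents match; running it before and after a reboot and comparing the two CSVs separates the two explanations above. It assumes Windows PowerShell 5.1 and fsutil on the server; the pair paths are the ones from this thread.

```powershell
# Added diagnostic, not from the thread. For each payload file it records whether the
# System32 path and the WinSxS component copy are still one NTFS file (same file ID,
# i.e. the hard link is intact) and whether their contents match. Save the output
# before and after a reboot and compare; paths are the two pairs in this thread.
$pairs = @(
    @{ Name     = 'LServer_PKConfig.xml'
       System32 = 'C:\Windows\System32\LServer_PKConfig.xml'
       WinSxS   = 'C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml' },
    @{ Name     = 'tls_branding_config.xml'
       System32 = 'C:\Windows\System32\tls_branding_config.xml'
       WinSxS   = 'C:\Windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml' }
)

function Get-NtfsFileId([string]$Path) {
    # fsutil prints "File ID is 0x..."; two paths with the same ID are the same file.
    $out = (& fsutil.exe file queryfileid $Path 2>&1) -join ' '
    if ($LASTEXITCODE -ne 0) { return $null }
    return ($out -replace '^.*File ID is\s*', '').Trim()
}

function Get-PayloadLinkState {
    foreach ($p in $pairs) {
        $s = Get-Item -LiteralPath $p.System32 -ErrorAction SilentlyContinue
        $w = Get-Item -LiteralPath $p.WinSxS   -ErrorAction SilentlyContinue
        if (-not $s -or -not $w) {
            Write-Warning "Missing: $($p.Name) (System32 present: $([bool]$s), WinSxS present: $([bool]$w))"
            continue
        }
        $sId   = Get-NtfsFileId $p.System32
        $wId   = Get-NtfsFileId $p.WinSxS
        $sHash = (Get-FileHash -LiteralPath $p.System32 -Algorithm SHA256).Hash
        $wHash = (Get-FileHash -LiteralPath $p.WinSxS   -Algorithm SHA256).Hash
        [pscustomobject]@{
            File            = $p.Name
            SameNtfsFile    = ($null -ne $sId -and $sId -eq $wId)  # $true: hard link intact
            ContentsMatch   = ($sHash -eq $wHash)                  # can only differ if the link is broken
            System32SHA256  = $sHash
            WinSxSSHA256    = $wHash
            System32Written = $s.LastWriteTimeUtc
            WinSxSWritten   = $w.LastWriteTimeUtc
            HardLinks       = (& fsutil.exe hardlink list $p.System32) -join '; '
        }
    }
}

# Show the result and keep a timestamped copy on the Desktop for the before/after comparison.
$state = Get-PayloadLinkState
$state | Format-List
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$state | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE "Desktop\linkstate-$stamp.csv") -NoTypeInformation
```

Get-FileHash prints hex digests, so compare the two columns with each other rather than with the base64 values in the SFCFix log.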
 


Code:
SFCFix version 3.0.2.1 by niemiro.
Start time: 2022-03-17 10:07:26.566
Microsoft Windows Server 10 Build 17763 - amd64
Using .txt script file at C:\Users\adm-david\Desktop\SFCFixScript.txt [0]




Zip::
Successfully copied file C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml to zip file at C:\Users\adm-david\Desktop\LServer_PKConfig.zip.
Zip:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 3 datablocks.
Finish time: 2022-03-17 10:07:28.658
Script hash: 5YNcuEAiGl3T+AcNO/CrLetWFvs/kWnS75VAJRB2Zos=
----------------------EOF-----------------------
 


Thank you, looks like the two xml files have different data which would explain why the hashes are different. Could you please complete the second half of my suggestion and then post the outcome?
 
Sorry, missed that.

Code:
C:\windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

C:\windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

C:\windows\system32>
 


Sigh, it was not.

Code:
SFCFix version 3.0.2.1 by niemiro.
Start time: 2022-03-17 15:06:51.609
Microsoft Windows Server 10 Build 17763 - amd64
Using .zip script file at C:\Users\adm-david\Desktop\SFCFix.zip [0]




PowerCopy::
Successfully took permissions for file or folder C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
Successfully took permissions for file or folder C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml

WARNING: File C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml was not backed up as that would replace the current backup.
Successfully copied file C:\Users\adm-david\AppData\Local\niemiro\Archive\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml to C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml.
WARNING: File C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml was not backed up as that would replace the current backup.
Successfully copied file C:\Users\adm-david\AppData\Local\niemiro\Archive\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml to C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml.

Successfully restored ownership for C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
Successfully restored permissions on C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
Successfully restored ownership for C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
Successfully restored permissions on C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
PowerCopy:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 3 datablocks.
Finish time: 2022-03-17 15:06:51.906
Script hash: pRJjp3ChLjr0HeOJD06K8JwaBy2c2dAbsxKzguLDT6Q=
----------------------EOF-----------------------

Code:
C:\windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\windows\system32>
 


Your CBS log looks fine now so the issue appears to occur only when you reboot the system? Could you please download and install Sysmon using the following instructions:
  1. Download the attached configuration file and then save it to your desktop.
  2. Download Sysmon from the Sysinternals site and then save it to a suitable location such as your desktop.
  3. Install Sysmon using the following command from an elevated command prompt, please ensure that you run the command in the same directory as the Sysmon executable.
Rich (BB code):
sysmon -i -accepteula %userprofile%\Desktop\SysmonConfig.xml

Sysmon should be successfully installed and running. The configuration file has been configured so it will only log changes made to the two .xml files which appear to be becoming corrupt across a reboot.

After rebooting, please provide the Sysmon event log using the following command from an elevated command prompt:

Rich (BB code):
wevtutil epl Microsoft-Windows-Sysmon/Operational %userprofile%\Desktop\Sysmon.evtx

To uninstall Sysmon, then please enter the following command:

Rich (BB code):
sysmon -u
 


It seems like it doesn't like the XML config file.
Code:
c:\Users\adm-david\Desktop>sysmon -accepteula -i %userprofile%\Desktop\SysmonConfig.xml


System Monitor v13.33 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2022 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.81
No declaration for attribute contains of element TargetFilename
No declaration for attribute contains of element TargetFilename
LIBXML2 Error: Failed to validate the xml configuration: C:\Users\adm-david\Desktop\SysmonConfig.xml
Usage:
Install:                 Sysmon.exe -i [<configfile>]
Update configuration:    Sysmon.exe -c [<configfile>]
Install event manifest:  Sysmon.exe -m
Print schema:            Sysmon.exe -s
Uninstall:               Sysmon.exe -u [force]
  -c   Update configuration of an installed Sysmon driver or dump the
       current configuration if no other argument is provided. Optionally
       take a configuration file.
  -i   Install service and driver. Optionally take a configuration file.
  -m   Install the event manifest (done on service install as well)).
  -s   Print configuration schema definition of the specified version.
       Specify 'all' to dump all schema versions (default is latest)).
  -u   Uninstall service and driver. Adding force causes uninstall to proceed
       even when some components are not installed.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in
the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On
older systems, events are written to the System event log.

Use the '-? config' command for configuration file documentation. More examples are available on the Sysinternals
website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to
accept it.

Neither install nor uninstall requires a reboot.


c:\Users\adm-david\Desktop>
 
Sorry, I can see my mistake now. Could you please try the one attached? I've just tested it on a VM and it appears to install with no issues.
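An added example, not the attachment from this thread: a PowerShell script that writes a Sysmon configuration in the form the schema expects, then a helper to pull the matching events out of the exported .evtx. The validation error quoted in the previous post ("No declaration for attribute contains of element TargetFilename") is what libxml2 reports when `contains` is written as an attribute name; the schema wants it as the value of the `condition` attribute. Schema version 4.81 is the one Sysmon v13.33 printed above; the rule names, output paths and the choice of events 11 and 23 are assumptions.

```powershell
# Added example, not the attachment from this thread. Writes a Sysmon config that logs
# only create/overwrite (event 11) and delete (event 23) events for the two payload XML
# files, then shows how to read the exported log. The config uses condition="..." as an
# attribute value; writing <TargetFilename contains="..."> fails schema validation with
# the libxml2 error quoted in the thread. Schema 4.81 matches Sysmon v13.33 above.
$configPath = Join-Path $env:USERPROFILE 'Desktop\SysmonConfig.xml'
$evtxPath   = Join-Path $env:USERPROFILE 'Desktop\Sysmon.evtx'

$sysmonConfig = @'
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <!-- Event ID 11: a file was created or overwritten -->
    <RuleGroup name="payload-xml-create" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">\LServer_PKConfig.xml</TargetFilename>
        <TargetFilename condition="end with">\tls_branding_config.xml</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Event ID 23: a file was deleted -->
    <RuleGroup name="payload-xml-delete" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">\LServer_PKConfig.xml</TargetFilename>
        <TargetFilename condition="end with">\tls_branding_config.xml</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -LiteralPath $configPath -Value $sysmonConfig -Encoding UTF8

# Install and export exactly as in the thread (from the folder holding sysmon.exe):
#   sysmon -i -accepteula %userprofile%\Desktop\SysmonConfig.xml
#   wevtutil epl Microsoft-Windows-Sysmon/Operational %userprofile%\Desktop\Sysmon.evtx

function Get-PayloadFileEvents {
    # Reads the exported log and lists which process touched each payload file and when.
    param([string]$Path = $evtxPath)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 11, 23 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeUtc        = $_.TimeCreated.ToUniversalTime()
                EventId        = $_.Id                 # 11 = FileCreate, 23 = FileDelete
                TargetFilename = $field['TargetFilename']
                Image          = $field['Image']       # process that wrote or deleted the file
                ProcessId      = $field['ProcessId']
            }
        } | Sort-Object TimeUtc
}

# After the reboot and export, run: Get-PayloadFileEvents | Format-Table -AutoSize
```

Because the "end with" rules match the file name only, events for the WinSxS copy and for SFCFix's backup copies are logged as well, which is useful for telling a servicing-driven replacement apart from a write to the System32 path.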
 


Thank you, did you reboot after installing Sysmon?

If not, could you please run the SFCFix .zip file from post #49 and then reboot the system once it has successfully copied over the files to your WinSxS folder. After rebooting the server, please provide the event log as you did before.
 
