Windows 10: strange path in Sysmon logs

HelloIn Windows 10 Enterprise 22 H2, a strange path in TargetFilename sometimes appears in Sysmon logs:TargetFilename: C:\Users\P310C~1.ZNO\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmpAnd in the next event, the path is normal:TargetFilename: C:\Users\p.znosko\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmpWhen I go to this directory, I will be taken to my user's folder C:\Users\p .znosko\fsutil hardlink list C:\Users\P310C~1.ZNO\NTFSLinksView.exe in C:\Users\ does not see linksI would like to understand what kind of a strange path this is C:\Users

:)

 

Sysmon DNS Query Support

Hello，

Welcome to Microsoft Community.

The behavior you're encountering with the Sysmon Event ID 22 for DNS Query logs is related to how Sysmon formats its output for these events, particularly the QueryResults field. In Sysmon Event ID 22, the QueryResults field typically lists the results of the DNS query, such as IP addresses for A records, CNAME records, etc.



Your observation concerns the absence of type: 1 in the QueryResults field, where you expect it to precede the IP addresses, indicating A records (IPv4 addresses). This formatting expectation might stem from documentation or examples that specify DNS record types explicitly in the logs.



However, Sysmon's actual logging behavior for the QueryResults might not always include the explicit mention of type: 1 for A records. Instead, Sysmon directly lists the resolved IP addresses. The inclusion of DNS record types (like A, CNAME, MX, etc.) in the QueryResults is not a standard feature of Sysmon logging as of the versions up to my last update. The logs focus on the results of the DNS query (i.e., the IP addresses or other records resolved) without necessarily specifying the record type in a structured format like type: X.



If you need to distinguish between different types of DNS records (A, CNAME, etc.) in your monitoring or analysis, you might have to look into additional logging solutions or DNS monitoring tools that provide more detailed information about DNS queries and responses, including explicit record types.



Sysmon is highly customizable through its configuration, but its output format for certain types of logs, like DNS queries, is determined by the tool's internal logic and may not provide all the details you're looking for directly in the log entries. For more specific behavior or output formatting, consider supplementing Sysmon with other DNS analysis or logging tools that offer more granular insights into DNS queries and responses.

Thank you for your patience and understanding!

Regards，

Manson |Microsoft Community Support Specialist

 

Sysmon Installation Confusion- Did I Get Rid of It?

I decided to download Sysmon from here Sysmon - Sysinternals and I extracted the files into my Downloads path, just like I did with Rammap a couple months ago

inside the folder was a EULA, Sysmon, Sysmon64, and Sysmon64a with the generic .exe logo; they belonged to www.sysinternals.com and the copyright was Mark Russinovich

anyway, I realized Sysmon wasn't just something I could click Run as Administrator with, since it didn't work the numerous times I tried, not realizing it needed CMD, so I opted to just get rid of it, since there was also no Event Log for Sysmon in Event Viewer, under the Applications > Microsoft path

I deleted the folder in its entirety, as well as the original zip, and even put "sysmon64 -u [force]" and "sysmon -u [force]" into CMD, but it told me that sysmon was not a recognized internal or external command, file/hash, etc.

i then restarted my PC, there's no sysmon folder, there's no sysmon log in Event Viewer, and CMD continues to say that it doesn't exist. so am I clear of it? have I removed Sysmon from my PC? I didn't do any other commands with it in CMD other than the attempted uninstall prompt

 

Sysmon DNS Query Support

I have been trying to generate Sysmon Event ID 22 DNS Query logs using the below xml format

<Sysmon schemaversion="4.90">

<EventFiltering>

<DnsQuery onmatch="exclude" />

</EventFiltering>

</Sysmon>

But I am only able to see logs with QueryResults: type: 5 and not any other number in place of 5. Example values like type: 1, type: 2, type: 3 etc.. How do I generate logs with different numbers for type field in QueryResults? Can you let me know the xml format that can be used to generate them?