Client systems with Microsoft Sysmon installed become unresponsive at the Windows Login screen upon boot


Article ID: 169791


Updated On:


Endpoint Protection


After an upgrade to Endpoint Protection 14, Windows 7 client systems that have Microsoft Sysmon 6.03 installed become unresponsive at the Windows login screen after the boot process.

If Sysmon or the Endpoint Protection client are removed, the issue no longer occurs.

There is no distinct error message. Windows becomes unresponsive on or before the login screen after boot, either before or after the login prompt appears.


This issue is caused by a deadlock between the Endpoint Protection AutoProtect driver and the Sysmon filter drivers.


Microsoft Sysmon 6.03 installed on Windows 7 based clients with Symantec Endpoint Protection 14+ and the latest definitions.


Resolve the deadlock condition by excluding the Endpoint Protection folders from monitoring in the Sysmon configuration XML. The following paths are relative to your install path and system configuration:

  • \Program Files\Symantec\Symantec Endpoint Protection Manager\
  • \Program Files\Symantec\Symantec Endpoint Protection\
  • \ProgramData\Symantec\Symantec Endpoint Protection Manager\
  • \ProgramData\Symantec\Symantec Endpoint Protection\
  • \Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection Manager
  • \Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
  • \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager

For steps to add these exclusions, see or consult the Sysmon administrator.
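
The folder list above written as Sysmon exclude rules, as an added example that is not part of the original article and is not Symantec's or Microsoft's configuration. The schema version 3.30 and the choice of the FileCreate and FileCreateTime event types are assumptions; merge the rules into your existing configuration rather than loading this fragment on its own.

```xml
<!-- Added example, not vendor-supplied configuration. -->
<!-- Assumptions: schemaversion 3.30 matches Sysmon 6.03; file events are the ones to exclude. -->
<Sysmon schemaversion="3.30">
  <EventFiltering>
    <!-- Event ID 11 (file create): drop events whose target path contains an article-listed folder. -->
    <FileCreate onmatch="exclude">
      <TargetFilename condition="contains">\Program Files\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="contains">\Program Files\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="contains">\ProgramData\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="contains">\ProgramData\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="contains">\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection Manager</TargetFilename>
      <TargetFilename condition="contains">\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection</TargetFilename>
      <TargetFilename condition="contains">\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager</TargetFilename>
    </FileCreate>
    <!-- Event ID 2 (file creation time changed): same folder list. -->
    <FileCreateTime onmatch="exclude">
      <TargetFilename condition="contains">\Program Files\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="contains">\Program Files\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="contains">\ProgramData\Symantec\Symantec Endpoint Protection Manager\</TargetFilename>
      <TargetFilename condition="contains">\ProgramData\Symantec\Symantec Endpoint Protection\</TargetFilename>
      <TargetFilename condition="contains">\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection Manager</TargetFilename>
      <TargetFilename condition="contains">\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection</TargetFilename>
      <TargetFilename condition="contains">\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager</TargetFilename>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>
```

Confirm the schema version your Sysmon binary expects with `Sysmon.exe -s`, then load the merged file with `Sysmon.exe -c`. Because `contains` matches anywhere in the path, these folders produce no events for the excluded event types, so keep the list limited to the directories the article names.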