Hi there - hopefully someone can help with this:
I am trying to deploy sysmon via a deployment app however it looks like the script is having some issues: I can see the following error from the splunkd logs:
08-03-2022 10:54:32.982 +0800 ERROR ExecProcessor [15204 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\CONF_corp_sysmon\bin\deploy.bat"" Sharing violation
I can run the script manually with no issues. Any ideas would be much appreciated!
The deploy.bat file is as follows:
REM Pick the 64-bit or 32-bit Sysmon build based on whether the OS is 64-bit
IF EXIST "C:\Program Files (x86)" (
    SET BINARCH=Sysmon64.exe
    SET SERVBINARCH=Sysmon64
) ELSE (
    SET BINARCH=Sysmon.exe
    SET SERVBINARCH=Sysmon
)
REM Install location (Sysmon keeps its own copy of the binary in C:\windows)
REM and the source files shipped inside the deployment app
SET SYSMONDIR=C:\windows
SET SYSMONBIN=%SYSMONDIR%\%BINARCH%
SET SYSMONCONFIG=%SYSMONDIR%\config.xml
SET GLBSYSMONBIN="%programfiles%\splunkuniversalforwarder\etc\apps\CONF_corp_sysmon\bin\%BINARCH%"
SET GLBSYSMONCONFIG="%programfiles%\splunkuniversalforwarder\etc\apps\CONF_corp_sysmon\bin\config.xml"

REM Find sets ERRORLEVEL 1 when "RUNNING" is absent from the sc query output;
REM when the service IS running, execution falls through into :installsysmon
sc query "%SERVBINARCH%" | Find "RUNNING"
If "%ERRORLEVEL%" EQU "1" (
    GOTO startsysmon
)

:installsysmon
REM Copy binary and config into C:\windows, then install the service
xcopy %GLBSYSMONBIN% %SYSMONDIR% /y
xcopy %GLBSYSMONCONFIG% %SYSMONDIR% /y
chdir %SYSMONDIR%
%SYSMONBIN% -i %SYSMONCONFIG% -accepteula -h md5,sha256 -n -l
sc config %SERVBINARCH% start= auto

:updateconfig
REM Refresh the config file and tell Sysmon to reload it
xcopy %GLBSYSMONCONFIG% %SYSMONCONFIG% /y
chdir %SYSMONDIR%
%SYSMONBIN% -c %SYSMONCONFIG%
EXIT /B 0

:startsysmon
REM sc start returns 1060 when the service is not installed at all
sc start %SERVBINARCH%
If "%ERRORLEVEL%" EQU "1060" (
    GOTO installsysmon
) ELSE (
    GOTO updateconfig
)
An executable file in your destination folder may be actively engaged in a process. You can receive 'sharing violation' messages if you try to overwrite/rewrite that file while it is already in use.
https://stackoverflow.com/questions/20154980/false-sharing-violation-xcopy-error-message
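A version of the deployment script that avoids the locked-file situation described in the answer above, as an added example (not the poster's script and not part of the Splunk app): it decides up front whether the Sysmon service exists, never copies the executable over an installed (and therefore locked) binary, installs straight from the app's bin directory when Sysmon is absent (Sysmon copies its own executable into the Windows directory during -i), and only pushes a new configuration with -c when the file actually changed. App paths, the config.xml name and the -h/-n/-l switches are carried over from the question; everything else is assumed.

```batch
@ECHO OFF
REM Added example, not the original script: install-or-update Sysmon without
REM overwriting the binary of a running service (the cause of "Sharing violation").
SETLOCAL

IF EXIST "C:\Program Files (x86)" (
    SET "BINARCH=Sysmon64.exe"
    SET "SERVBINARCH=Sysmon64"
) ELSE (
    SET "BINARCH=Sysmon.exe"
    SET "SERVBINARCH=Sysmon"
)

REM Paths assumed to match the question's app layout; adjust for your app name
SET "SYSMONDIR=%SystemRoot%"
SET "SYSMONBIN=%SYSMONDIR%\%BINARCH%"
SET "SYSMONCONFIG=%SYSMONDIR%\config.xml"
SET "APPBIN=%ProgramFiles%\SplunkUniversalForwarder\etc\apps\CONF_corp_sysmon\bin"
SET "GLBSYSMONBIN=%APPBIN%\%BINARCH%"
SET "GLBSYSMONCONFIG=%APPBIN%\config.xml"

REM sc query sets ERRORLEVEL 1060 when the service is not installed at all
sc query "%SERVBINARCH%" >NUL 2>&1
IF %ERRORLEVEL% EQU 1060 GOTO installsysmon

REM Service exists: leave the executable alone (it is locked while the service
REM and driver are loaded); just make sure it is running and refresh the config
sc query "%SERVBINARCH%" | FIND "RUNNING" >NUL
IF ERRORLEVEL 1 sc start "%SERVBINARCH%" >NUL
GOTO updateconfig

:installsysmon
REM Install directly from the app directory; Sysmon -i places its own copy of
REM the binary in the Windows directory, so no xcopy of the executable is needed
"%GLBSYSMONBIN%" -i "%GLBSYSMONCONFIG%" -accepteula -h md5,sha256 -n -l
IF ERRORLEVEL 1 EXIT /B 1
sc config "%SERVBINARCH%" start= auto >NUL
REM fall through so a copy of the config is kept next to the installed binary

:updateconfig
REM FC /B returns 0 when the files are byte-identical: nothing to do
IF EXIST "%SYSMONCONFIG%" (
    FC /B "%GLBSYSMONCONFIG%" "%SYSMONCONFIG%" >NUL 2>&1 && EXIT /B 0
)
COPY /Y "%GLBSYSMONCONFIG%" "%SYSMONCONFIG%" >NUL
"%SYSMONBIN%" -c "%SYSMONCONFIG%"
EXIT /B %ERRORLEVEL%
```

Two things make this safe to run repeatedly from a scripted input: the executable in the Windows directory is only ever written by Sysmon itself, so there is nothing for xcopy to collide with while the service holds the file open, and COPY to an explicit file path never raises the "file or directory?" prompt that xcopy shows when the destination does not exist yet, which would otherwise hang a non-interactive run.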