Sysmon doing lines, part 2

Sysmon is a cool tool and we love it. Sometimes, though, it does not behave the way you would expect.

It’s late so just dropping another recipe here:

  • Name your DLL wevtapi.dll
  • Run sysmon.exe -u to … ‘uninstall’ it
  • Your DLL will be loaded

You can also drop Riched32.dll in the same directory and try to ‘install’ sysmon: you will notice the EULA dialog is rendered incorrectly, because the side-loaded Riched32.dll takes over and executes your code instead.
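From the defender's side, the two names above give you something concrete to check for. The script below is an added example (not part of the original post, and not Sysinternals code): it audits a Sysmon directory for copies of the DLLs named in the recipe, compares them against the System32 originals, and, if the Sysmon config has Image Load logging enabled, pulls Event ID 7 records where a sysmon binary loaded a DLL from outside `%SystemRoot%`. The install path `C:\Tools\Sysmon` and the `*\sysmon*.exe` name pattern are assumptions; adjust them to your deployment.

```powershell
# Added example, not from the original post. Audits a Sysmon install directory
# for side-loadable DLLs and surfaces matching Sysmon Image Load events.

function Test-SysmonSideloadDirectory {
    param(
        [string]$SysmonDir = 'C:\Tools\Sysmon',              # assumed install path
        [string[]]$WatchList = @('wevtapi.dll', 'Riched32.dll')  # names from the post
    )
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($name in $WatchList) {
        $candidate = Join-Path $SysmonDir $name
        # Any copy of these DLLs next to sysmon.exe is suspicious: the real ones
        # live in System32 and should be resolved from there.
        if (-not (Test-Path -LiteralPath $candidate)) { continue }

        $legit   = Join-Path $system32 $name
        $sig     = Get-AuthenticodeSignature -FilePath $candidate
        $hash    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $sysHash = if (Test-Path -LiteralPath $legit) {
            (Get-FileHash -LiteralPath $legit -Algorithm SHA256).Hash
        } else { $null }

        [pscustomobject]@{
            File            = $candidate
            SignatureStatus = $sig.Status                       # 'Valid' for a signed Microsoft binary
            Signer          = $sig.SignerCertificate.Subject
            MatchesSystem32 = ($null -ne $sysHash -and $hash -eq $sysHash)
        }
    }
}

function Get-SysmonSelfImageLoads {
    # Requires ImageLoad (Event ID 7) to be enabled in the Sysmon configuration;
    # otherwise this returns nothing.
    param([int]$MaxEvents = 5000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Flag a sysmon binary loading any image from outside the Windows directory.
        if ($d.Image -like '*\sysmon*.exe' -and $d.ImageLoaded -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $d.Image
                ImageLoaded = $d.ImageLoaded
                Signed      = $d.Signed
                Signature   = $d.Signature
            }
        }
    }
}

# Usage:
Test-SysmonSideloadDirectory | Format-Table -AutoSize
Get-SysmonSelfImageLoads    | Format-Table -AutoSize
```

A clean host returns nothing from either function. A hit from the first one with `SignatureStatus` other than `Valid`, or `MatchesSystem32` false, is the exact precondition the recipe relies on; the second function only helps if your config logs image loads for the sysmon process itself, so check that rule before relying on it.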