Git bash.exe and cp.exe launches processes but does not integrate well with Sysmon for events.

[bassn0ise]

• I was not able to find an open or closed issue matching what I'm seeing

Setup

• Which version of Git for Windows are you using? Is it 32-bit or 64-bit?

$ git --version --build-options

git --version --build-options
git version 2.27.0.windows.1
cpu: x86_64
built from commit: 907ab1011dce9112700498e034b974ba60f8b407
sizeof-long: 4
sizeof-size_t: 8

• Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?

$ cmd.exe /c ver

Microsoft Windows [Version 10.0.18363.959]
(c) 2019 Microsoft Corporation. All rights reserved.

• What options did you set as part of the installation? Or did you choose the
  defaults?

# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Editor Option: VIM
Custom Editor Path:
Path Option: Cmd
SSH Option: OpenSSH
Tortoise Option: false
CURL Option: OpenSSL
CRLF Option: CRLFAlways
Bash Terminal Option: MinTTY
Git Pull Behavior Option: Merge
Performance Tweaks FSCache: Enabled
Use Credential Manager: Enabled
Enable Symlinks: Disabled
Enable Pseudo Console Support: Disabled

• Any other interesting things about your environment that might be related
  to the issue you're seeing?

N/A

Details

• Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Bash

• What commands did you run to trigger this issue? If you can provide a
  Minimal, Complete, and Verifiable example
  this will help us understand the issue.

cp /c/users/name/desktop/test.txt /c/users/other/desktop/test.txt

• What did you expect to occur after running these commands?

I expected to see in the Windows Sysmon Event 1 the entire command string.
Example: CommanLine: "C:\Program Files\Git\usr\bin\cp.exe /c/users/name/desktop/test.txt /c/users/other/desktop/test.txt"

• What actually happened instead?

The log captured is only that cp.exe was used.
Example: CommanLine: "C:\Program Files\Git\usr\bin\cp.exe"

• If the problem was occurring with a specific repository, can you provide the
  URL to that repository to help us with testing?

https://git-scm.com/download/win

[rimrul]

As far as we're concerned cp works as expected. It copies things. We also seem to consume the upstream coreutils package as-is, so maybe upstream (or maybe Cygwin or Sysmon) is a more appropriate place for this discussion.

Feel free to work on getting MSYS2 parameter handling compatible with Sysmon, but it's pretty low priority for us.

[dscho]

I think we probably inherit this behavior from Cygwin. @bassn0ise could you verify with a copy of https://cygwin.com?

[dscho]

I did some digging (since a nice colleague of me prodded me gently), and it turns out that this is actually intended behavior (see e.g. this thread). The suggested remedy was to set the CYGWIN variable to wincmdln (in Git for Windows' and MSYS2's context, that would be the MSYS variable).

Sadly, there is a bug in MSYS2 which prevents this from working, and I opened a PR to fix it: msys2/msys2-runtime#10

[dscho]

Closed via msys2/msys2-runtime#10 (and git-for-windows/msys2-runtime@385f792 and git-for-windows/MSYS2-packages@5a71d1a).

[dscho]

The next snapshot will have this fix.