Windows Server

Sysmon from SysInternal: What is System Monitor and how to install and use it

Relating to Information technology, a system monitor is a component used to monitor system resources and performance in a computer system. Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. In this article, we shall discuss “Sysmon from SysInternal: What is System Monitor and how to install and use it”. Please see Viewing Scheduled Events on AW using the Command Line (CLI), and Sysinternals: Installing from the Microsoft Store Guide.

Sysmon provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them. Kindly refer to these related guides: How to detect registry keys: Process Monitor using Sysinternals Tools, how to use the PsInfo utility, and how to enable Automatic Logon on Windows 10.

In this way, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. 

Capabilities of the Sysmon tool

Below are some capabilities of the Sysmon tool

1: Logs process creation with full command line for both current and parent processes.
2: Records the hash of process image files using SHA1 (the default), MD5, SHA256, or IMPHASH.
3: Multiple hashes can be used at the same time.
4: Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
5: Include a session GUID in each event to allow correlation of events on the same logon session.
6: Logs loading of drivers or DLLs with their signatures and hashes.
7: Logs opens for raw read access of disks and volumes.

It optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.

8: Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
9: Automatically reload configuration if changed in the registry.
10: Rule filtering to include or exclude certain events dynamically, and
11: Generates events from early in the boot process to.

How to download Sysmon

Download Sysmon from the following link. Extract the zipped file as shown below

For other SysInternal tools I have written about, see the following links

Install and uninstall Sysmon via the command line

To install and uninstall Sysmon, use the command-line options below. This command can be used to check and modify Sysmon’s configuration as well.

Command usage information as shown below.

Install: sysmon64 -i [<configfile>]
Update configuration: sysmon64 -c [<configfile>]
Install event manifest: sysmon64 -m
Print schema: sysmon64 -s
Uninstall: sysmon64 -u [force]

Below is a brief information about the parameters used and its description.

-i: Is used to install service and driver. Optionally take a configuration file.
- c: Is the Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
- m: Install the event manifest (done on service install as well).
- s: Print configuration schema definition.
- u: Uninstall service and driver. Adding force causes uninstall to proceed even when some components are not installed.: Uninstall service and driver. Adding force causes uninstall to proceed even when some components are not installed.

Install Sysmon

This method installs Sysmon with the default settings. This will process images hashes with sha1 with no network monitoring. Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

sysmon -accepteula  –i

Note: You can install Sysmon with a configuration file without using the above method as shown below.
– In this case, you have to have a configuration file created already. Below is the command to achieve this.

sysmon –accepteula –i c:\windows\config.xml

Uninstall Sysmon

To uninstall Sysmon. the the following

sysmon –u

For other command usage, see the following commandss and parameters below.

#Dump the current configuration
sysmon –c

#Change the configuration of sysmon with a configuration file (as described below)
sysmon –c c:\windows\config.xml

#Change the configuration to default settings
sysmon –c --

#Show the configuration schema:
sysmon -s

Please see How to detect if an application was uninstalled on Windows: Find out who has uninstalled an application via Windows Event Viewer, and

View Sysmon Logs

To view the log launch the Windows Event Viewer. This can be launched from the command prompt on the fly by entering the command as shown “eventvwr“.

For various methods to launch the Windows Event viewer, and Failure Reasons for Windows Event Viewer, see the following link.

Note: In order to have the Sysmon event appear on the Windows Event console, you will need to create a custom view. For more details, see the following link. When this is done, you can now view Sysmon events (logs) as shown below.

I hope you found this blog post helpful on Sysmon from SysInternal: What is System Monitor and how to install and use it. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x