SYSMON.exe (download)

System Monitor - monitor and log system activity to the Windows event log.

By monitoring process creation, network connections, and file changes with SysMon, you can identify malicious or anomalous activity on a network. SysMon should not be confused with Process Monitor, the graphical tool for analysing running processes.

   Install:    Sysmon.exe -i [-h [sha1|md5|sha256]] [-n] [-accepteula]
   Configure:  Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]
   Uninstall:  Sysmon.exe -u

   -c  Update configuration of an installed Sysmon driver or dump the current
       configuration if no other argument is provided.
   -h  Specify the hash algorithm used for image identification (default is SHA1).
   -i  Install service and driver.
   -m  Install the event manifest (done on service install as well).
   -accepteula  Automatically accept the EULA on installation.
   -n  Log network connections.
   -u  Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"
On older systems events write to the System event log.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it. Neither install nor uninstall require a reboot.

Event types generated by Sysmon:

Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection


Install with default settings (process images hashed with sha1 and no network monitoring):

sysmon –i -accepteula

Install with md5 hashing of process created and monitoring network connections:

sysmon –i -accepteula –h md5 –n


sysmon –u

Dump the current configuration:

sysmon –c

Change the configuration (when Sysmon is running) to be hash sha256 and no network monitoring:

sysmon –c –h sha256

Change the configuration to default settings:

sysmon –c --

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always” ~ Mahatma Gandhi

Related commands

SwiftOnSecurity/sysmon-config - A Sysmon config file with default high-quality event tracing.
LOGMAN - Manage Performance Monitor logs.
PsLogList - Event log records.
PsKill - Kill processes by name or process ID.
PsList - List detailed information about processes.
PowerShell: Get-WinEvent - Get event log data.

Copyright © 1999-2024
Some rights reserved