Sysmon is a Windows service and driver which records process creations, attempts to change a file creation date, and, optionally, network connections. It's intended to help you identify malicious activity, but could also be helpful with general troubleshooting, or if you need to know some basic details on how a PC is being used.
To install Sysmon, launch it from an elevated command prompt. Use Sysmon -i to install it and log process creations only, or Sysmon -i -n to monitor network connections as well.
If everything has worked correctly, the Sysinternals EULA will be displayed. Agree to it, then reboot to run your first test.
Once Windows has started again, launch the Event Viewer (Eventvwr.msc) and browse to the log: on XP this is the Windows System log; on Vista and later it's Applications and Services Logs\Microsoft\Windows\Sysmon\Operational.
You should now see multiple events listing Sysmon as a source, along with their date and time, giving you much more detail about what happened during your system boot.
Events with an ID of 1 list a process creation, including the time of launch, Process ID and GUID, file name, command line, user, hash, the parent process and more.
Events with an ID of 2 highlight an attempt to change a file creation date. The report lists the responsible process, the file it's trying to change, the previous and new dates.
Events with an ID of 3 record network connections, again listing the source process (ID / GUID / file name / user), source and destination IP addresses, host names, ports and port names. (For some reason the host names weren't resolved in our first test, but this worked properly after we rebooted.)
Basic log management tasks can be carried out in Event Viewer, as usual. You're able to filter the log, display just the events you need, search for something important, disable logging when it's no longer needed, save the events to a file, and more: right-click Sysmon\Operational for the full list.
You can also reset Sysmon to its default configuration (no network connection logging) by running Sysmon -c --, or uninstall it entirely with Sysmon -u. The service and driver are removed immediately, and there's no reboot required.
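The same filtering can be done from the shell instead of Event Viewer. This is an added example, not part of the article or of Sysmon itself: it reads event IDs 1, 2 and 3 from the Operational log, turns each event's EventData fields (Image, CommandLine, ParentImage, TargetFilename, DestinationIp and so on, as named by Sysmon) into objects, and applies a few illustrative filters; the function name, the $Hours parameter and the filter patterns are my own choices, and it assumes an elevated PowerShell session on a host where Sysmon is installed.

```powershell
# Added example (not from the article): read Sysmon events 1, 2 and 3 and expose
# their EventData fields as object properties so they can be filtered and sorted.
# Get-SysmonEvent and $Hours are assumed names; log and field names are Sysmon's.

function Get-SysmonEvent {
    param(
        [int[]]$Id = @(1, 2, 3),   # 1 = process create, 2 = file time change, 3 = network connect
        [int]$Hours = 24           # how far back to look
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Each <Data Name="..."> node under EventData holds one field of the event
        $xml   = [xml]$_.ToXml()
        $props = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            $props[$d.GetAttribute('Name')] = $d.'#text'
        }
        [pscustomobject]$props
    }
}

# ID 1: process creations, showing the fields the article lists, with an
# illustrative filter for children of Office applications
Get-SysmonEvent -Id 1 |
    Where-Object { $_.ParentImage -match '\\(WINWORD|EXCEL|OUTLOOK)\.EXE$' } |
    Select-Object TimeCreated, ProcessId, Image, CommandLine, User, ParentImage

# ID 2: file creation-date changes, with the previous and new dates side by side
Get-SysmonEvent -Id 2 |
    Select-Object TimeCreated, Image, TargetFilename, PreviousCreationUtcTime, CreationUtcTime

# ID 3: outbound connections, here restricted to binaries running from
# user-writable locations (an illustrative filter, not a Sysmon setting)
Get-SysmonEvent -Id 3 |
    Where-Object { $_.Initiated -eq 'true' -and $_.Image -match '\\(Temp|AppData|Downloads)\\' } |
    Select-Object TimeCreated, Image, User, DestinationIp, DestinationHostname,
                  DestinationPort, DestinationPortName |
    Sort-Object TimeCreated
```

Event ID 3 rows only appear if Sysmon was installed with -n (or network logging was enabled in its configuration), and host name fields may be empty when resolution failed, as the article notes.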
- adds the process name to process terminate events
- reports remote thread creation events
- improves the simplicity and flexibility of filter settings