Sysmon is a Windows service and driver which records process and file creations, registry modifications, attempts to change a file creation date, network connections and more. It's intended to help you identify malicious activity, but could also be helpful with general troubleshooting, or if you need to know some basic details on how a PC is being used.
To install Sysmon, launch it from an elevated command prompt. Use Sysmon -i to install it and log process creations only, or Sysmon -i -n to monitor network connections as well.
If everything has worked correctly, the Sysinternals EULA will be displayed. Agree to it, then reboot to run your first test.
Once Windows has started again, launch the Event Viewer (Eventvwr.msc), and browse to Applications and Services Logs\Microsoft\Windows\Sysmon\Operational.
You should now see multiple events listing Sysmon as a source, along with their date and time, giving you much more detail about what happened during your system boot.
Basic log management tasks can be carried out in Event Viewer, as usual. You're able to filter the log, display just the events you need, search for something important, disable logging when it's no longer needed, save the events to a file, and more: right-click Sysmon\Operational for the full list.
You can also change Sysmon to use its default configuration (no network connection logging) by running Sysmon -c -- , or uninstall it entirely with Sysmon -u . The service and driver are removed immediately, and there's no reboot required.
What's new in 10 (see Sysinternals blog for more)?
- Adds DNS query logging, reports OriginalFileName in process create and load image events, adds ImageName to named pipe events, logs pico process creates and terminates, and fixes several bugs.