How To Use Sysinternals Sysmon on Windows

Windows 11 » Explainers
Milan Stanojevic
Milan Stanojevic Shield
Windows Toubleshooting Expert
Explainers
Reading time icon 4 min. read
Calendar icon EEST
XINSTALL BY CLICKING THE DOWNLOAD FILE
A message from our partner

Fix Windows 11 OS errors with Fortect:

  • Download Fortect and install it on your PC
  • Launch the tool and Start scanning to find broken files that are causing the problems
  • Right-click on Start Repair to fix issues affecting your computer’s security and performance
Download Now Fortect has been downloaded by 0 readers this month, rated 4.6 on TrustPilot

Sysinternals Sysmon improves threat detection on Windows by capturing detailed system activity that standard logs never record. This guide explains what Sysmon does, why it matters, and how you can install and configure it correctly.

Table of contents

What is Sysinternals Sysmon And How to Use it?

What Is Sysinternals Sysmon?

Sysmon (System Monitor) tracks processes, network connections, registry changes, and driver loading inside Windows. It runs as a system service and sends events to Applications and Services Logs > Microsoft > Windows > Sysmon.

If you want to explore more Sysinternals tools, see this guide on Sysinternals tools on Windows.

Why Sysmon Matters

Sysmon strengthens visibility by exposing suspicious activity that regular logs miss. Security teams rely on its detailed events to track malware behavior and build detection rules.

Autoruns can complement your Sysmon monitoring by helping you inspect all programs that start automatically in Windows, and you can learn how it works by reading the Autoruns Sysinternals guide for better control over persistence and unwanted startup activity.

How To Install Sysmon

You can install Sysmon in minutes and start capturing events instantly. If you want to compare Sysmon with Process Explorer for deeper process investigation on modern systems, check this Process Explorer for Windows 11 guide.

Download The Sysmon Package

Follow these steps to download the Sysmon package.

  1. Open the Sysinternals site.
  2. Download the Sysmon ZIP package.
  3. Extract the ZIP to a folder.

Install Sysmon With A Basic Configuration

Use these steps when you want a quick default installation.

  1. Open Command Prompt as Administrator.
  2. Go to the extracted folder.
  3. Run: sysmon -accepteula -i
  4. Confirm that Sysmon starts as a service.

Install Sysmon With A Custom Configuration

Follow these steps when you want a tuned configuration that reduces noise.

  1. Download a tuned community Sysmon config such as SwiftOnSecurity’s XML.
  2. Open Command Prompt as Administrator.
  3. Run: sysmon -accepteula -i sysmonconfig.xml
  4. Restart the Sysmon service if needed.

Key Sysmon Event Types To Monitor

Sysmon tracks many behaviors, but these events give you the most useful security insights.

  • Process Creation (Event ID 1)
    Logs every new process with command lines and hashes. You can spot malicious scripts and suspicious parent child chains with this data.
  • File Creation Time Changes (Event ID 2)
    Captures tampering with timestamps. Attackers often modify timestamps to hide activity.
  • Network Connections (Event ID 3)
    Tracks inbound and outbound connections, including IPs and ports. You can use this to flag unauthorized remote access.
  • Driver Loading (Event ID 6)
    Notes each loaded driver and highlights unsigned or suspicious kernel modules.
  • Registry Events (Event IDs 12, 13, 14)
    Logs registry key creation, modification, and deletion. This helps you catch persistence attempts.

How To Update Your Sysmon Configuration

You can improve Sysmon output by updating its configuration file when your detection needs change.

Replace The Config File

Use these steps when you want to load a new Sysmon XML configuration.

  1. Copy the new sysmonconfig.xml to your Sysmon directory.
  2. Open Command Prompt as Administrator.
  3. Run: sysmon -c sysmonconfig.xml
  4. Check Event Viewer to confirm the update.

Validate The Configuration

Follow these steps before deployment so you avoid broken or noisy rules.

  1. Open the XML file in a text editor.
  2. Check for correct XML structure.
  3. Confirm that the rules support your environment.

How To Uninstall Sysmon

You can remove Sysmon cleanly with a single command when you no longer need it.

Remove The Service

Follow these steps to uninstall Sysmon from Windows.

  1. Open Command Prompt as Administrator.
  2. Run: sysmon -u
  3. Delete leftover files manually.

FAQs

What does Sysmon log by default?

Sysmon records process creation, driver loading, network activity, and timestamp changes.

Does Sysmon slow down a PC?

Sysmon uses low system resources. A heavy config may add overhead on busy systems.

Does Sysmon replace antivirus?

No. Sysmon provides visibility while security tools handle prevention, blocking, and removal.

How often should I update my Sysmon config?

Update the config when detection requirements change or when new community rule sets improve accuracy.

Sysinternals Sysmon strengthens your Windows security posture by exposing activity that attackers try to hide. You can tune its configuration to reduce noise and highlight only high value events. For another powerful analysis companion on older setups, review Process Explorer for Windows 10 guide.

More about the topics: Monitoring Software

Milan Stanojevic

Milan Stanojevic Shield

Windows Toubleshooting Expert

Milan has been enthusiastic about technology ever since his childhood days, and this led him to take interest in all PC-related technologies. He's a PC enthusiast and he spends most of his time learning about computers and technology. Before joining WindowsReport, he worked as a front-end web developer. Now, he's one of the Troubleshooting experts in our worldwide team, specializing in Windows errors & software issues.

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages