Sysmon 5 is the latest version of the popular monitoring program for Windows that writes activities to the Windows Event log.
Sysmon, which stands for System Monitor, is a background monitor. This means that it will do its work once installed without user interaction or graphical user interface.
In fact, all you have to do to install it is to run a short command from the command line to install the monitoring service.
This is done by tapping on the Windows-key, typing cmd.exe, holding down the Shift-key and Ctrl-key before hitting the Enter-key, and typing sysmon -accepteula –i in the Sysmon program directory.
Tip: to uninstall Sysmon again, run the operation again but this time with the command sysmon -u.
The program logs directly to the Windows Event log which means that you need to open it using the native viewer or a third-party program such as Event Log Explorer to access the data.
All events that Sysmon 5 tracks are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational in the Event log.
The following events are tracked by the application:
Filtering is supported which means that you can use Event Filtering to filter for specific events you are interested in.
The new Sysmon 5 introduces new monitoring options that log file create and Registry modification events.
This major update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, introduces file create and registry modification logging. These event types make it possible to configure filters that capture updates to critical system configuration as well as changes to autostart entry points used by malware.
Sysmon 5 improves an already great program further by introducing Registry modification and file create events to the logging capabilities. Since nothing else has changed, it is a no brainer to upgrade the existing copy of the program to the latest version to benefit from the additional event logging options.
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
As a bit of a tangent side-note: Unfortunately Microsoft is going to be soon removing cmd.exe functionality from future windows. :(
Instead it will bring up a powershell window. Powershell certainly is great, and has it’s many uses, but it should NOT be the new command terminal window for MS-Windows.
CMD.exe has been there for decades now, for quick commands, and functions such as you describe in this article, when accessing non-gui applications such as Sysmon.
There’s just no way that simplicity and ease of command line use will continue with Powershell.
So… I’m pretty depressed Microsoft is doing this to us. And I can’t understand why they just can’t leave CMD.exe alone… and provide an alternate power-shell quick load as well, that is separate.
Or at least integrate the two: allow us to enter short/quick commands, in addition to more elaborate convoluted powershell commands.
You can change it back to cmd.exe in the settings.
Is there a hidden option to configure the logging of new file creations (Event 11)? I installed Sysmon 5 and created a new text file as a test. I looked at the logs but found no Event 11. I performed this test multiple times but still see nothing logged.