Sysmon 11.0 is out with file delete monitoring

Martin Brinkmann
Apr 29, 2020
Updated • Apr 29, 2020
Software, Windows

Microsoft released a new version of Sysinternals Sysmon (System Monitoring) program for Microsoft Windows devices this week. Sysmon 11.0 is a major update of the application; users may download the latest version of the program from the official Sysinternals website or launch the new version of the tool directly using Sysinternals Live.

Sysmon is a specialized system monitor tool for Windows 7 and up that installs as a system service and device driver. The application monitors events on the system commonly used by attackers, e.g. by malware attacks, and logs these to the Windows event log.

The program monitors important activity such as the creation of processes and their termination, network connections, the loading of drivers, the creation of files, or Registry Events when it is active.

Sysmon 11.0 adds a new event to the list of monitored activity on Windows devices. Event 23, FileDelete, monitors all file removal activity on the Windows machine; this gives administrators options to see all files that were deleted on a system while Sysmon was active.

One of the reasons for adding file delete monitoring came from Microsoft's own experience. The company noted that attackers who successfully got into company machines would drop tools on the machine, use these, and delete these when they were done. The new file delete monitoring provides analysts with information about the tools that the attacker used on the system. Naturally, file deletion activity covers other types of deletions as well when it is used.

Here is a video by Mark Russinovich that offers additional details on the update:

Installation of Sysmon is straightforward. All that needs to be done is to download the latest archive version of the program and extract it on the target system. You may check the configuration using sysmon -s using the command prompt, and install the monitoring service using sysmon -accepteula -i; this uses the default configuration. To uninstall sysmon, run sysmon -u from the command line.

Advanced users can use configuration files to customize the monitoring, e.g. to ignore certain activity on the system. The new version of Sysmon comes with a flag to disable reverse DNS lookups to avoid DNS servers being overloaded by requests from the tool.

Now You: do you use Sysinternals tools?

Sysmon 11.0 is out with file delete monitoring
Article Name
Sysmon 11.0 is out with file delete monitoring
Sysmon 11.0 is a new version of the specialized system monitoring tool for windows; the new version supports the logging of file delete events among other things.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Doug Baker said on August 4, 2020 at 4:43 am

    Have you any clue as to the ‘CopyOnDelete…’ configurations options in V11.xx syntax?

  2. Crock_65_xperien said on May 1, 2020 at 9:50 pm

    Martin, where can I find that mysterious overwrite.exe program, mentioned by Mark Russinovich in tutorial?
    I tried to find it with Google and it returned nothing.

  3. jan said on April 30, 2020 at 2:05 pm

    Now You: do you use Sysinternals tools?
    No. I use Nirsoft tools; more userfriendly.

  4. Drabardi said on April 30, 2020 at 4:08 am

    do you use Sysinternals tools?

    I do Linux so never found viruses on the computers.

    Does Sysinternils tool works on Linux?

    1. Martin P. said on April 30, 2020 at 3:35 pm

      Pfff… Another irrelevant Linux rant. Getting sooo old….

  5. THEY LIVE! We self-quarantine said on April 30, 2020 at 1:03 am

    > Sysmon 11.0 for Windows is out with file delete monitoring


    Maybe Mark Russinovich would do well to restart development on ROOTKIT REVEALER which is very old, but still included in the SysInternalsSuite.

    Allegedly, it appears development ceased once MS slurped up his work.

    Previously, ROOTKIT REVEALER was the first program to discover the Sony BMG Rootkit, at a time when NONE of the anti-virus programs would detect it.

  6. Trey said on April 30, 2020 at 12:06 am

    What a great video to go along with the update. Nothing like hearing the details straight from Mark Russinovich.

  7. chesscanoe said on April 29, 2020 at 10:08 pm

    Using Sysmon64 was a memory DOS test from over 30 years ago for me, but version 11 did work well for me when I tested it under Microsoft Windows [Version 10.0.18363.815]. I probably will not have a need for it in the future, but it is good to know the function is there if needed.

  8. Yuliya said on April 29, 2020 at 6:16 pm

    Process Explorer 16.32 is also available, which olny fixes a graphical glitch over 16.31.

    1. chesscanoe said on April 29, 2020 at 10:32 pm
      Reply shows other 2020-04-28 updates as well.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.