SYSMON.exe – Windows CMD Command
System Monitor – monitor and log system activity to the Windows event log.
By monitoring process creation, network connections, and changes to file creation times with Sysmon, you can identify malicious or anomalous activity on a host or across a network. Sysmon should not be confused with Process Monitor (Procmon), the graphical Sysinternals tool for analysing running processes in real time; Sysmon runs as a service and writes to the event log so its records can be collected and searched later.
Install: Sysmon.exe -i [-h [sha1|md5|sha256]] [-n] [-accepteula]
Configure: Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]
Uninstall: Sysmon.exe -u
-c Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided.
-h Specify the hash algorithm used for image identification (default is SHA1).
-i Install service and driver.
-m Install the event manifest (done on service install as well).
-accepteula Automatically accept the EULA on installation.
-n Log network connections.
-u Uninstall service and driver.
The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
On Vista and higher, events are stored in “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational”
On older systems events write to the System event log.
Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it. Neither install nor uninstall require a reboot.
Event types generated by Sysmon:
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Install with default settings (process images hashed with sha1 and no network monitoring):
sysmon -i -accepteula
Install with MD5 hashing of created process images and logging of network connections:
sysmon -i -accepteula -h md5 -n
Dump the current configuration:
sysmon -c
Change the configuration of the installed instance (no reinstall needed) to SHA256 hashing with no network monitoring; options not repeated on the -c line are dropped, so leaving out -n turns network logging off:
sysmon -c -h sha256
Change the configuration back to the default settings (SHA1 hashing, no network monitoring):
sysmon -c --
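A worked example of the whole procedure, added here and not part of the original page: install with SHA256 hashing and network logging, confirm that the service and the boot-start driver came up, dump the configuration, read Event ID 3 and Event ID 1 records back out of the Sysmon/Operational channel with Get-WinEvent, and finally revert to the defaults. The Sysmon.exe location (C:\Tools) is an assumed path; the service name Sysmon (Sysmon64 when the 64-bit binary is used) and the driver name SysmonDrv are also assumptions for the build you have installed.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# Assumptions: Sysmon.exe lives in C:\Tools (hypothetical path); the service is
# named Sysmon (Sysmon64 for the 64-bit binary) and the driver SysmonDrv.
$sysmon = 'C:\Tools\Sysmon.exe'
$log    = 'Microsoft-Windows-Sysmon/Operational'   # Vista and later; older systems use the System log

# 1. Install: -i installs service and driver, -accepteula skips the EULA prompt,
#    -h sha256 selects the image hash algorithm, -n enables network-connection logging.
& $sysmon -i -accepteula -h sha256 -n

# 2. Verify. Get-Service only lists Win32 services, so the driver is checked through
#    WMI; StartMode should read "Boot", matching the boot-start behaviour described above.
Get-Service -Name Sysmon | Select-Object Name, Status, StartType
Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'" |
    Select-Object Name, State, StartMode

# 3. Dump the running configuration (-c with no other argument).
& $sysmon -c

# 4. Confirm the channel exists and is enabled before querying it.
Get-WinEvent -ListLog $log | Select-Object LogName, IsEnabled, RecordCount

# Flatten the <EventData><Data Name="..."> elements of a Sysmon event into one object.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{ EventId = $Event.Id; Time = $Event.TimeCreated }
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

# 5. Event ID 3: most recent network connections with the originating image.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Select-Object Time, Image, ProcessId, DestinationIp, DestinationPort |
    Format-Table -AutoSize

# 6. Event ID 1: recent process creations with the hash computed by the -h algorithm.
#    The hash field is named Hashes on current builds and Hash on early ones.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonEvent $_ } |
    Select-Object Time, Image, CommandLine,
        @{ n = 'Hash'; e = { if ($_.Hashes) { $_.Hashes } else { $_.Hash } } } |
    Format-Table -AutoSize

# 7. Return to the default settings (SHA1, no network logging) without uninstalling.
& $sysmon -c --
```

The -ErrorAction SilentlyContinue on the Get-WinEvent calls matters on a freshly installed host: Get-WinEvent raises an error rather than returning nothing when a filter matches no records, and Event ID 3 in particular will be empty until a process makes an outbound connection after -n is in effect.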