SYSMON.exe – Windows CMD Command

System Monitor – monitor and log system activity to the Windows event log.

By monitoring process creation, network connections, and file changes with SysMon, you can identify malicious or anomalous activity on a network. SysMon should not be confused with Process Monitor, the graphical tool for analysing running processes.

The service logs events immediately. The driver installs as a boot-start driver, so it captures activity from early in the boot process; the service writes those events to the event log when it starts.

On Vista and higher, events are stored in “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational”.
On older systems, events are written to the System event log.

Specify -accepteula to automatically accept the EULA on installation; otherwise you will be prompted interactively to accept it. Neither install nor uninstall requires a reboot.

Event types generated by Sysmon:


Install with default settings (process images hashed with sha1 and no network monitoring):

sysmon -i -accepteula

Install with md5 hashing of created processes and network connection monitoring:

sysmon -i -accepteula -h md5 -n


Uninstall:

sysmon -u

Dump the current configuration:

sysmon -c

Change the configuration (while Sysmon is running) to use sha256 hashing and no network monitoring:

sysmon -c -h sha256

Change the configuration to default settings:

sysmon -c --
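
To confirm that an install or configuration change took effect, read recent events back from the Operational log and check which hash algorithms and event types are actually being recorded. The PowerShell below is an added example, not part of the original page; it assumes an elevated prompt and relies on Sysmon's event IDs 1 (process creation) and 3 (network connection) and the Hashes event field, which the page does not list.

```powershell
# Added example: read back recent Sysmon events to verify the -h and -n settings.
$logName = 'Microsoft-Windows-Sysmon/Operational'
$since   = (Get-Date).AddMinutes(-30)   # assumption: look at the last 30 minutes

# The channel only exists when Sysmon is installed.
if (-not (Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue)) {
    throw "Log '$logName' not found. Is Sysmon installed?"
}

function Get-SysmonEvent {
    param([int]$Id)
    $filter = @{ LogName = $logName; Id = $Id; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event fields are <Data Name="..."> elements under EventData.
            $fields = @{ TimeCreated = $_.TimeCreated }
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }
            [pscustomobject]$fields
        }
}

$proc = @(Get-SysmonEvent -Id 1)   # Event ID 1: process creation
$net  = @(Get-SysmonEvent -Id 3)   # Event ID 3: network connection (needs -n)

# Hashes is written as "SHA256=..." or "MD5=...,SHA256=..."; collect the names.
$algos = $proc |
    ForEach-Object { $_.Hashes -split ',' } |
    ForEach-Object { if ($_ -match '^(\w+)=') { $Matches[1] } } |
    Sort-Object -Unique

"Process-creation events : {0}" -f $proc.Count
"Hash algorithms seen    : {0}" -f ($algos -join ', ')
"Network events (ID 3)   : {0}" -f $net.Count

# Show the most recent process-creation events for a manual review.
$proc | Sort-Object TimeCreated |
    Select-Object -Last 10 -Property TimeCreated, Image, CommandLine, Hashes |
    Format-List
```

After running sysmon -c -h sha256, newly logged process-creation events should show only SHA256 in the algorithm list and the network event count should stop growing.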
