System Monitor (Sysmon) is a Windows Sysinternals new utility, once installed, acting as a Windows system service and device drive to monitor and log system activity to the Windows Event Log. It provides detailed information about process creations, network connections, and changes to file creation time.
To install Sysmon with network log enabled, type the following command in Command Prompt that runs as Administrator.
sysmon -i -accepteula -n
The switch -accepteula is just to bypass the EULA agreement screen. You can change the default hash method SHA1 to MD5 or SHA256. Note that in order to make any change to a installed Sysmon, you will need to uninstall the service first and reinstall it with the proper switch.
To uninstall Sysmon service from you computer, simply use:
Once the Sysmon is installed, you can find it from Services manager.
Then, you will see a stream of event logs from Event viewer after a moment. You can locate them at Applications and Services Logs → Microsoft → Windows → Sysmon in Windows Event Viewer.
Through these event logs Sysmon collected, you can use Windows Event Collection to further analysis them. If lucky enough, you can identify malicious activities and understand how intruders and malware operate on your network.
Sysmon runs fine on almost all Windows, both 32-bit and 64-bit editions. It’s a great event collecting tool that helps you to troubleshoot on problematic machines to identify the problem. Since it can easily generate tons of log files on your computer, it might be a better idea running it when needed.