System Monitoring Made Simple for IT Admins & Security Pros
Sysmon (System Monitor) is part of Microsoft’s Sysinternals Suite. It installs a kernel driver and a service that give you deep visibility into process creation, network connections, file and registry changes, driver and DLL loads, and other system activity, written to a dedicated Windows event log. For threat detection, forensics, and baselining, Sysmon is one of the most powerful free tools you can deploy.
In this guide, I’ll walk through the step-by-step process of installing Sysmon cleanly on a Windows 11 machine, loading a hardened configuration, enabling the event log, and validating that everything is working.
This is the exact method I used on my laptop — clean, repeatable, and production-ready.
1. Prerequisites
Before you start:
- Log in as a user with Local Administrator rights.
- Open PowerShell as Administrator.
You’ll be using a mixture of PowerShell commands and Event Viewer, so make sure you have admin elevation.
2. Download Sysinternals Suite
Microsoft distributes Sysmon inside the Sysinternals Suite ZIP.
- Download Sysinternals Suite from Microsoft’s official site (https://download.sysinternals.com/files/SysinternalsSuite.zip, linked from the Sysinternals pages on learn.microsoft.com). Do not take it from a mirror. If you only want Sysmon, Sysmon.zip is available from the same host.
- Create a clean directory:
New-Item -ItemType Directory -Path "C:\Sysinternals" -Force
- Extract the ZIP:
Expand-Archive "$env:USERPROFILE\Downloads\SysinternalsSuite.zip" `
-DestinationPath "C:\Sysinternals" -Force
- Verify Sysmon64.exe exists:
Get-ChildItem "C:\Sysinternals" -Filter Sysmon64.exe -Recurse
You should see something similar to:
Sysmon64.exe Length: 4563248
A non-zero size only proves the extraction worked; it says nothing about whether the binary is genuine. Before running it, confirm that the Authenticode signature is valid and issued to Microsoft Corporation (Get-AuthenticodeSignature reports Status Valid), and record the SHA-256 hash so the same binary can be pinned in your deployment package.
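The check above, as an added PowerShell example that is not part of the original post. It assumes the suite was extracted to C:\Sysinternals as in the steps above; the function name Test-SysmonBinary and the expected-signer string are mine. Sysinternals binaries are signed with a certificate whose subject begins "CN=Microsoft Corporation".

```powershell
# Added example (not from the original post): trust the binary on its
# Authenticode signature and hash, not on its file size.
# Assumption: the suite was extracted to C:\Sysinternals.
$SysmonPath = 'C:\Sysinternals\Sysmon64.exe'

function Test-SysmonBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Subject fragment expected on Microsoft-signed Sysinternals binaries
        [string]$ExpectedSigner = 'CN=Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the signature verifies and the chain is trusted.
    # 'NotSigned', 'HashMismatch' (file altered after signing) and 'NotTrusted'
    # (chain does not end in a trusted root) all fail this check.
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $Path : $($sig.Status) - $($sig.StatusMessage)"
    }

    # A valid signature from the wrong publisher is still the wrong binary.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Record the hash so the deployed binary can be pinned and compared later.
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    [pscustomobject]@{
        Path      = $Path
        Version   = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
        Signer    = $sig.SignerCertificate.Subject
        Timestamp = $sig.TimeStamperCertificate.Subject
        SHA256    = $hash.Hash
    }
}

# Throws on any failure; on success prints version, signer and hash.
Test-SysmonBinary -Path $SysmonPath | Format-List
```

Run it once on the download host and again on each endpoint after deployment; a differing SHA256 or a non-Valid status means you are not running the binary you vetted.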
3. Prepare Your Sysmon Configuration File
Sysmon can be installed without a configuration, but the defaults only hash process images with SHA1 and leave network-connection and image-load logging switched off, so in practice you install it with a configuration that tells it what to monitor.
You can use:
- A basic config
- A hardened config
- The community-recommended SwiftOnSecurity config
Whichever you pick, the schemaversion attribute on its <Sysmon> root element must not be newer than the schema your Sysmon build supports (Sysmon64.exe -s prints the supported schema); a config written for a newer schema is rejected at install. Treat the config as security-sensitive: it defines your blind spots, so keep it under version control and record its hash.
Here’s how to set up a config folder:
New-Item -ItemType Directory -Path "C:\Scripts\Sysmon" -Force
Copy your Sysmon config into it:
Copy-Item "$env:USERPROFILE\Downloads\sysmonconfig-export.xml" `
"C:\Scripts\Sysmon\sysmonconfig.xml" -Force
Verify it:
Get-ChildItem "C:\Scripts\Sysmon"
You should see:
sysmonconfig.xml Length: (non-zero)
4. Install Sysmon with the Config
Navigate to the Sysinternals directory:
cd "C:\Sysinternals"
If Sysmon was previously installed, uninstall it first:
.\Sysmon64.exe -u force
Then install it cleanly with your XML config. The -accepteula switch suppresses the licence dialog, which would otherwise block an unattended or scripted install:
.\Sysmon64.exe -accepteula -i C:\Scripts\Sysmon\sysmonconfig.xml
Expected output:
Sysmon64 installed.
SysmonDrv installed.
Sysmon64 started.
Check service status:
Get-Service Sysmon64
You should see:
Running Sysmon64
5. Register the Sysmon Event Manifest
Installing with -i already registers the event manifest, so this step is normally redundant. Run it only if the Sysmon log does not appear in Event Viewer after installation:
.\Sysmon64.exe -m
Output:
Event manifest/format registered successfully
6. Enable the Sysmon Event Log
Check if the Sysmon log exists:
wevtutil el | Select-String "Sysmon"
You should see:
Microsoft-Windows-Sysmon/Operational
The channel is enabled by default once the manifest is registered, so this command usually changes nothing, but it is harmless and makes the state explicit:
wevtutil sl "Microsoft-Windows-Sysmon/Operational" /e:true
What does matter on a busy host is the channel’s maximum size. The default is 64 MB, which a well-configured Sysmon can fill in minutes, after which the oldest events are overwritten and your evidence is gone before anyone looks at it. Raise it with the /ms:<bytes> switch of wevtutil sl (1073741824 for 1 GB), or forward the log to a collector, or both.
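Sections 2 to 6 as one idempotent script, added here as an example and not taken from the original post. It assumes Sysmon64.exe sits in C:\Sysinternals and has already had its signature verified, and that the config is at C:\Scripts\Sysmon\sysmonconfig.xml; the function names and the 1 GB log size are my choices.

```powershell
# Added example (not from the original post): install or update Sysmon,
# confirm service and driver are running, and size the event channel.
# Assumptions: verified Sysmon64.exe in C:\Sysinternals; config in C:\Scripts\Sysmon.
$ErrorActionPreference = 'Stop'
$Sysmon      = 'C:\Sysinternals\Sysmon64.exe'
$Config      = 'C:\Scripts\Sysmon\sysmonconfig.xml'
$LogName     = 'Microsoft-Windows-Sysmon/Operational'
$LogMaxBytes = 1GB   # the 64 MB default fills in minutes on a busy host

function Install-OrUpdateSysmon {
    param([string]$Exe, [string]$ConfigPath)

    # Fail early on a config the binary would reject: it must be well-formed XML
    # with a <Sysmon> root; the schemaversion must not exceed what this build supports.
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    if (-not $cfg.Sysmon) { throw "Not a Sysmon config (no <Sysmon> root): $ConfigPath" }
    Write-Host "Config schemaversion: $($cfg.Sysmon.schemaversion)"

    if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
        # Already installed: push the rules with -c instead of uninstall/reinstall.
        & $Exe -accepteula -c $ConfigPath
    } else {
        # -accepteula suppresses the licence dialog that blocks an unattended install.
        & $Exe -accepteula -i $ConfigPath
    }
    if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }
}

function Test-SysmonRunning {
    # Both the user-mode service and the kernel driver must be running.
    # Get-Service only lists Win32 services, so the driver is read via WMI.
    $svc = Get-Service -Name Sysmon64
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'"
    [pscustomobject]@{
        Service = $svc.Status
        Driver  = if ($drv) { $drv.State } else { 'Missing' }
        Healthy = ($svc.Status -eq 'Running') -and ($drv -and $drv.State -eq 'Running')
    }
}

Install-OrUpdateSysmon -Exe $Sysmon -ConfigPath $Config

$state = Test-SysmonRunning
if (-not $state.Healthy) { throw "Sysmon not healthy: $($state | Out-String)" }

# The channel is enabled at install; what usually needs changing is its size.
# /ms is in bytes; /rt:false keeps circular overwrite, the right choice when a
# collector forwards events off the host.
wevtutil sl $LogName /e:true /ms:$LogMaxBytes /rt:false
wevtutil gl $LogName | Select-String -Pattern 'enabled|maxSize|retention'
```

Because the script branches on whether the Sysmon64 service already exists, it can be run repeatedly from Intune, GPO or a scheduled task without tearing down the driver on hosts that are already covered.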
7. Validate That Sysmon Is Working
Method A: Quick PowerShell validation
wevtutil qe Microsoft-Windows-Sysmon/Operational /c:5 /rd:true /f:text
/rd:true returns the newest events first; without it you get the five oldest in the log. If you see any events (Event ID 1, 5, etc.), Sysmon is working.
Method B: Event Viewer
Open Event Viewer:
Applications and Services Logs
→ Microsoft
→ Windows
→ Sysmon
→ Operational
You should start seeing:
- Event ID 1 – Process Create
- Event ID 5 – Process Terminate
- Other IDs depending on your config
Method C: Live test
Run:
Start-Process notepad.exe
Then refresh Sysmon → Operational log.
Within a second or two you should see a new Event ID 1 recording Notepad’s process creation, including its image path, command line, user, parent process and hashes.
If you see this event, Sysmon is fully operational. If you do not, check whether your config’s ProcessCreate rules exclude that image before suspecting the service itself.
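The live test above done programmatically, as an added example not present in the original post: launch a process carrying a unique marker and confirm the matching Event ID 1 arrives. It assumes the default channel name; the function name is mine, and the field names read from the event (Image, CommandLine, User, ParentImage, Hashes, UtcTime) are Sysmon’s standard ProcessCreate fields.

```powershell
# Added example (not from the original post): prove Sysmon records a process
# you launch, found by a unique marker rather than by eyeballing Event Viewer.
# Assumption: the default channel name below.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

function Test-SysmonProcessCreate {
    param([int]$TimeoutSeconds = 15)

    # A GUID on the command line makes the event unambiguous even on a noisy host.
    $marker = [guid]::NewGuid().ToString()
    $since  = (Get-Date).AddSeconds(-5)

    # Spawn a harmless, short-lived process carrying the marker as an argument.
    Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Id        = 1          # Sysmon ProcessCreate
            StartTime = $since
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Parse the XML and read fields by name; Properties[] positions
            # differ between Sysmon versions, field names do not.
            $x = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['CommandLine'] -like "*$marker*") {
                return [pscustomobject]@{
                    Detected    = $true
                    UtcTime     = $data['UtcTime']
                    Image       = $data['Image']
                    CommandLine = $data['CommandLine']
                    User        = $data['User']
                    ParentImage = $data['ParentImage']
                    Hashes      = $data['Hashes']
                }
            }
        }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)

    # Nothing within the timeout: the service is down, the channel is disabled,
    # or the config's ProcessCreate rules exclude cmd.exe.
    [pscustomobject]@{ Detected = $false; Marker = $marker }
}

Test-SysmonProcessCreate | Format-List
```

The same loop, with the marker replaced by whatever your detection content keys on, is a cheap way to regression-test a config change: if the expected event stops arriving after you push a new XML, you have just created a blind spot.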
8. Optional: Create a Shortcut for Faster Access
Desktop Shortcut
- Right-click Desktop → New → Shortcut
- Enter:
eventvwr.msc /c:Microsoft-Windows-Sysmon/Operational
- Name it Sysmon Log
Now you can open Sysmon in one click.
Event Viewer Favorites
Right-click Sysmon → Operational → Add to Favorites.
9. Updating the Sysmon Config Later
If you want to modify or replace the config:
cd C:\Sysinternals
.\Sysmon64.exe -c C:\Scripts\Sysmon\sysmonconfig.xml
You should see:
Configuration updated.
No reinstall or reboot is required. Sysmon also records the change in its own log as Event ID 16, which carries the path and hash of the configuration file it loaded; comparing that hash with the file you pushed is the reliable way to confirm the update took effect, and a mismatch on a host you did not touch is worth investigating.
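An added example, not from the original post, that applies a config update and verifies it against Sysmon’s own Event ID 16. It assumes Sysmon64.exe in C:\Sysinternals and the config at C:\Scripts\Sysmon\sysmonconfig.xml; the function name is mine, and it assumes the Event ID 16 fields are named Configuration and ConfigurationFileHash with the hash formatted as SHA256=<hex>, as current Sysmon builds emit them. Check one event from your own version if in doubt.

```powershell
# Added example (not from the original post): push a config with -c, then
# confirm the service loaded exactly that file by matching the hash Sysmon
# writes into Event ID 16 against the hash of the file on disk.
# Assumptions: paths below; Event ID 16 field names as in current Sysmon builds.
$Sysmon  = 'C:\Sysinternals\Sysmon64.exe'
$Config  = 'C:\Scripts\Sysmon\sysmonconfig.xml'
$LogName = 'Microsoft-Windows-Sysmon/Operational'

function Update-SysmonConfig {
    param([string]$SysmonExe, [string]$ConfigPath)

    # Refuse to touch the service if the file is not even well-formed XML.
    try { $null = [xml](Get-Content -LiteralPath $ConfigPath -Raw) }
    catch { throw "Config is not valid XML: $($_.Exception.Message)" }

    $expected = (Get-FileHash -LiteralPath $ConfigPath -Algorithm SHA256).Hash
    $before   = (Get-Date).AddSeconds(-2)   # small slack for clock granularity

    & $SysmonExe -accepteula -c $ConfigPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe -c failed with exit code $LASTEXITCODE" }

    # Event ID 16 (config state changed) is logged with the loaded file's hash.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 16; StartTime = $before } `
                        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { throw "No Event ID 16 after the update; the service may not have reloaded." }

    $x = [xml]$evt.ToXml()
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    # Field is formatted like "SHA256=<hex>"; keep only the hex part.
    $loaded = ($fields['ConfigurationFileHash'] -split '=')[-1]

    if ($loaded -ne $expected) {
        throw "Hash mismatch: service reports $loaded, file on disk is $expected"
    }

    [pscustomobject]@{
        ConfigFile = $fields['Configuration']
        SHA256     = $loaded
        AppliedAt  = $evt.TimeCreated
    }
}

Update-SysmonConfig -SysmonExe $Sysmon -ConfigPath $Config | Format-List
```

Feeding the returned SHA256 into your CMDB or SIEM gives you a per-host record of which rule set was active when, which is exactly what you need when an investigation asks why a particular event was or was not logged.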
10. Uninstall Sysmon (if needed)
cd C:\Sysinternals
.\Sysmon64.exe -u force
This removes:
- Sysmon64 service
- SysmonDrv driver
- Registry entries
- Event manifest
Conclusion
Once installed, Sysmon becomes a powerful source of system telemetry for:
- Threat hunting
- Malware investigation
- Lateral movement detection
- Process monitoring
- Incident response
- Forensic analysis
With a hardened config, Sysmon gives deep visibility with minimal overhead — making it an essential component of any Windows security stack.
If you’re deploying Sysmon across multiple endpoints (like we do at work), you can automate it using Intune, GPO, or a custom PowerShell deployment package.
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.