Microsoft has released a new Sysinternals tool, Sysmon, which lets you record Windows process creations, file creation time changes, and network connections in the Windows Event Log.
By Michael Pietroforte

The main purpose of the free tool is to analyze a machine that shows suspicious behavior. Sysmon looks like a command-line utility; however, sysmon.exe is only the installer for the Sysmon service. To install Sysmon, launch the command with the parameter -i:

sysmon -i

Sysmon installation

This will configure Sysmon to only log the creation of Windows processes and changes in file creation times. If you also want to monitor network connections, you have to add the parameter -n:

sysmon -i -n

You can also enable the network monitoring feature at a later time:

sysmon -c -n

With sysmon -c, you can view the configuration of the service:

Sysmon configuration

Once the Sysmon service is running, you can find its Event Log entries in the Windows Event Viewer at Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. Event ID 1 stands for process creations, event ID 2 indicates file creation time changes, and event ID 3 indicates network connections.

Windows processes are created whenever you launch an application, so you will see quite a few such entries in the Event Log.

Process creation event

As you can see in the screenshot, you get detailed information about the process.

Malware and attackers sometimes change the creation time of files to cover their tracks. If you want to try this Sysmon feature, you can change the creation time of a file (named test.txt in the example) with this PowerShell command:

(Get-Item test.txt).CreationTime = "Saturday, August 9, 2014 6:51:04 AM"

Changed file creation time

Note that the creation time in the Event Log uses UTC time even if your computer is in another time zone.
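As an added example (not code from the original post), the following PowerShell reads the event ID 2 entries from the Sysmon Operational log, converts Sysmon's UTC timestamps to local time, and flags entries where the creation time was moved into the past. The log name, the timestamp format, and the EventData field names are assumptions about the Sysmon event schema.

```powershell
# Added example, not part of the original post.
# Assumed: log name 'Microsoft-Windows-Sysmon/Operational', Sysmon's
# 'yyyy-MM-dd HH:mm:ss.fff' UTC timestamp format, and the EventData field
# names UtcTime, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime.

function ConvertFrom-SysmonUtc {
    param([string]$Text)
    $utc = [datetime]::ParseExact($Text, 'yyyy-MM-dd HH:mm:ss.fff',
                                  [cultureinfo]::InvariantCulture)
    # Sysmon writes UTC; mark it as such before converting to the local zone
    [datetime]::SpecifyKind($utc, [System.DateTimeKind]::Utc).ToLocalTime()
}

function Get-SysmonFileTimeChange {
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 2 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Sysmon stores its fields as <Data Name="..."> elements in the event XML
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $new  = ConvertFrom-SysmonUtc $data['CreationUtcTime']
            $prev = ConvertFrom-SysmonUtc $data['PreviousCreationUtcTime']

            [pscustomobject]@{
                Recorded         = ConvertFrom-SysmonUtc $data['UtcTime']
                Image            = $data['Image']           # process that changed the timestamp
                TargetFilename   = $data['TargetFilename']
                NewCreation      = $new
                PreviousCreation = $prev
                SetBackwards     = ($new -lt $prev)         # creation time moved into the past
            }
        }
}

# Reproduce the post's test, then list what Sysmon recorded for it
New-Item -Path test.txt -ItemType File -Force | Out-Null
(Get-Item test.txt).CreationTime = "Saturday, August 9, 2014 6:51:04 AM"
Get-SysmonFileTimeChange -MaxEvents 20 |
    Where-Object { $_.TargetFilename -like '*test.txt' } |
    Format-List
```

Run it in an elevated PowerShell session, since reading the Sysmon Operational log requires administrative rights.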

The network connection log entries give you detailed information about the program that established the connection and the protocol it used.

Network connection detected

You can uninstall the Sysmon service with the -u parameter:

sysmon -u

Sysmon uninstall

© 4sysops 2006 - 2021