{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreihmzopi2cpee43gmrrcqmv2njb3fsw4ehykxbemonndt6xtwjef34",
    "uri": "at://did:plc:xj2drxwuk2r3tfelpnw2uqog/app.bsky.feed.post/3mntea2k33s32"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreibsucflcroe56lmlh22bqpqk4wufttx6ynv6bjvpwgc4z2rthxmr4"
    },
    "mimeType": "image/jpeg",
    "size": 228970
  },
  "path": "/article/3144711/meet-sysmon-the-hidden-windows-11-tool-that-reveals-what-task-manager-misses.html",
  "publishedAt": "2026-06-08T13:00:00.000Z",
  "site": "https://www.pcworld.com",
  "tags": [
    "Windows",
    "Sysinternals suite",
    "VirusTotal",
    "Procmon",
    "Sysmon"
  ],
  "textContent": "In Windows, a great deal remains hidden beneath the surface. As soon as it starts up, the operating system launches several applications, initializes drivers, and checks for new software updates. Many of the programs that Windows loads automatically then run as processes in RAM, invisibly in the background.\n\nThe Task Manager, accessible by right-clicking the taskbar and selecting _Task Manager_, displays a long list under _Processes_. However, this list is by no means complete; for example, it does not show:\n\n  * Processes in kernel mode. These include, among others, the kernel threads, i.e. the tasks performed by the operating system’s kernel. The Task Manager groups these under the heading _System_.\n  * Device drivers and some services that are started via the registry.\n  * Browser tabs and extensions. The Task Manager may display, for example, 20 instances of chrome.exe without revealing which websites are loaded in the individual tabs. Nor does it reveal which PowerShell script a powershell.exe instance is running.\n  * Malware running in the background that hides itself from the process list using various techniques.\n\nFor a complete list of running processes, you will therefore need other tools. Early in 2026, Microsoft integrated System Monitor, or Sysmon for short, into the operating system via an update.\n\nPreviously, it was available from Microsoft as a standalone download and as part of the Sysinternals suite. 
Once installed, the program runs invisibly as a service in the background and writes its messages to the Windows Event Log.\n\n## Identifying suspicious processes\n\nThe developer of the Sysinternals suite, Mark Russinovich, has listed what makes a process suspicious:\n\n  * There are no icons, descriptions, or company names in the details.\n  * The process is running from a Windows directory or a user profile.\n  * It was started by an unexpected parent process.\n  * The process name is misspelled.\n  * The executable is unsigned.\n  * The executable is packed.\n  * The process hosts suspicious DLLs or services.\n  * It has open TCP/IP endpoints.\n  * Its executable file contains unusual URLs or character strings.\n\n## Install and start Sysmon\n\nTo install Sysmon, type **system** into the search box on the taskbar and click on the _Control Panel_ result. In the icon view, click on _Programs > Programs and Features_ (or in the category view, click on _Uninstall a program_) and, in the window that opens, go to _Turn Windows features on or off_ on the left-hand side.\n\nScroll down, tick the box next to _Sysmon_ and confirm by clicking _OK_. Windows now copies the Sysmon files to your computer. Then click _Close_ and restart your PC.\n\nFollowing a Windows update in the spring, Sysmon can now be set up directly via the “Programs and Features” list in the Control Panel.\n\nRoland Freist\n\nIn a second step, Sysmon is set up and activated. To do this, launch the Command Prompt by typing **cmd** into the search box on the taskbar. This opens the Start menu with the entry _Command Prompt_. On the right-hand side of the window, select _Run as administrator_ and confirm the security prompt.\n\nBy default, the Command Prompt opens in the folder C:\\Windows\\System32. The file sysmon.exe is also located in this folder. 
You can therefore simply enter the command **sysmon.exe -i** and press the Enter key. Without a configuration file, this installs the service with Sysmon’s default settings. (The download version from Sysinternals additionally asks you to accept the license agreement on first use; adding **-accepteula** to the command skips that dialog.)\n\nThe System Monitor is finally started by entering the command sysmon.exe -i in the Command Prompt.\n\nSeveral system messages will then appear. At the very bottom, you will see _Sysmon started_. This completes the installation; Sysmon is now running as a service in the background. You can uninstall the tool later using the command **sysmon.exe -u**.\n\nYou can check the installation by typing **services** into the search box on the taskbar, scrolling down the list and double-clicking the new entry _Sysmon_. The _Startup type_ should be set to _Automatic_, and _Running_ should be displayed next to _Service status_.\n\nSysmon runs as a service in Windows. A glance at the list in the Services console will show whether the program has started.\n\n## Viewing Sysmon messages\n\nSysmon does not have its own user interface. Instead, the service writes the events it logs (such as the start and end of programs, as well as drivers being loaded) to an event log channel that you read in Event Viewer.\n\nYou can open this tool by typing **event** into the search box on the taskbar and clicking on the _Event Viewer_ result.\n\nIn the Event Viewer window, click on the small arrow to the left of _Applications and Services Logs_. It may take a moment for the subfolders to appear. Follow the path _Microsoft > Windows > Sysmon > Operational_. In the middle pane, you will now see the events that Sysmon has logged.\n\nSysmon does not have its own user interface, but communicates with the user exclusively via Event Viewer. The section in the middle is important.\n\nDon’t be alarmed if several thousand entries appear there after a short time; this is normal and no cause for concern. 
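\n\nAs an added example that is not part of the original article, the following PowerShell session (run as administrator) checks from the command line what the Services console and Event Viewer show you above: whether the Sysmon service and its kernel driver are running, where the log file lives and how big it may grow, and which event types account for the thousands of entries. It assumes the default service name Sysmon and driver name SysmonDrv; both can be renamed at install time.\n\n```powershell
# Added example (not from the article): verify the Sysmon installation and
# summarize its event channel. Assumes the default names 'Sysmon' (service)
# and 'SysmonDrv' (kernel driver); run in an elevated PowerShell.
$Channel = 'Microsoft-Windows-Sysmon/Operational'

# Get-Service lists Win32 services only; the driver is a Win32_SystemDriver instance.
$svc = Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue
$drv = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object Name -eq 'SysmonDrv'
'Service : {0}' -f $(if ($svc) { $svc.Status } else { 'not installed' })
'Driver  : {0}' -f $(if ($drv) { $drv.State  } else { 'not installed' })

# Channel settings: the same values Event Viewer shows under Properties.
$log = Get-WinEvent -ListLog $Channel
'Log file: {0}' -f $log.LogFilePath
'Events  : {0}  (max size {1} MB, mode {2})' -f $log.RecordCount, ($log.MaximumSizeInBytes / 1MB), $log.LogMode

# Which event IDs fill the log? ID 1 = process create, 5 = process terminate, 6 = driver load.
Get-WinEvent -FilterHashtable @{ LogName = $Channel } -MaxEvents 5000 |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```\n\nThe grouped counts show which event IDs dominate the log (usually ID 1, process creation) before you change anything; the max-size line shows the same default that Event Viewer reports under Properties.\n\n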
Sysmon is thorough: with its default settings it records every process start and end and every driver load on your computer, among other activities.\n\nAfter double-clicking on an event logged by Sysmon, you will see the name of the associated EXE file and which program it is.\n\nDouble-click on some of the entries to open them. You will quickly see that most of them are uninteresting. You can identify which application triggered the event by the path next to _Image_.\n\nSysmon stores the logged events in a separate file. You can find this in the folder C:\\Windows\\System32\\winevt\\Logs under the name _Microsoft-Windows-Sysmon%4Operational.evtx_.\n\nBy default, the log may grow to a size of 65,536 KB, which corresponds to 64MB. Once this limit is reached, the oldest events are overwritten (the log is circular). This can happen after just a few days.\n\nBy default, the Sysmon log can grow to a maximum of 64MB. For better logging, you should increase this value to 256MB or more.\n\nIt is therefore advisable to increase the maximum log size, for example to 256MB. To do this, right-click on the _Operational_ folder in Event Viewer and select _Properties_. In the _Logging_ section, you can change the maximum size accordingly.\n\n## Analyzing the Sysmon logs\n\nIf you select an event in the Event Viewer at the top of the middle pane, the event’s details appear below it. The _UtcTime_ line shows when the event occurred; note that it is in UTC, whereas the _Logged_ field in the header above is local time.\n\nIn the _Image_ line, you will see the full path including the file name, and below that the respective file version. The following four entries contain the description, the product name, the company (manufacturer) and the original file name, all read from the executable’s version information.\n\nSysmon is a powerful tool for searching for malware that has embedded itself in the system and remains permanently active there. To analyze the data, scroll through the event list using the arrow keys, paying close attention to any events triggered by unknown or suspicious-looking applications. 
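\n\nAs an added example (not from the article), this PowerShell script automates that scroll-through: it reads recent process-creation (Event ID 1) and driver-load (Event ID 6) events, extracts the fields shown above (_Image_, _Description_, _Company_, the parent process, the driver’s signer) and prints only those that match warning signs from Mark Russinovich’s list. The path rule, the list of Office parents and the 5,000-event window are the editor’s assumptions, not Sysmon defaults. The _Hashes_ value it prints is what you can look up on VirusTotal without uploading the file.\n\n```powershell
# Added example (not from the article): triage recent Sysmon events against the
# warning signs in Russinovich's list. Event IDs: 1 = process create, 6 = driver load.
# The path rule, the Office parent list and the 5000-event window are assumptions.
$Channel  = 'Microsoft-Windows-Sysmon/Operational'
$UsersDir = Split-Path -Path $env:USERPROFILE -Parent   # profiles root on the system drive

# Sysmon stores every field as <Data Name='...'>text</Data>; map one event to a hashtable.
function ConvertTo-SysmonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Event ID 1: the Image/Description/Company/ParentImage fields shown in Event Viewer.
function Test-SuspiciousProcess {
    param([hashtable]$F)
    $why = @()
    # Sysmon writes '-' when the executable's version resource has no description or company.
    if ($F.Description -eq '-' -or $F.Company -eq '-') { $why += 'no description or company name' }
    if ($F.Image.StartsWith($UsersDir, 'OrdinalIgnoreCase')) { $why += 'runs from a user profile' }
    # An Office application spawning a shell or script host is a classic unexpected parent.
    if ($F.ParentImage -match 'winword|excel|powerpnt|outlook' -and
        $F.Image -match '(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32).exe$') {
        $why += ('unexpected parent ' + $F.ParentImage)
    }
    return $why
}

# Event ID 6: Sysmon records Signed, Signature (the signer name) and SignatureStatus.
function Test-SuspiciousDriver {
    param([hashtable]$F)
    $why = @()
    if ($F.Signed -ne 'true') { $why += 'unsigned driver' }
    elseif ($F.Signature -notmatch 'Microsoft|Windows') { $why += ('third-party signer: ' + $F.Signature) }
    if ($F.SignatureStatus -ne 'Valid') { $why += ('signature status: ' + $F.SignatureStatus) }
    return $why
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1, 6 } -MaxEvents 5000
foreach ($e in $events) {
    $f   = ConvertTo-SysmonFields -Event $e
    $why = if ($e.Id -eq 1) { Test-SuspiciousProcess -F $f } else { Test-SuspiciousDriver -F $f }
    if (-not $why) { continue }
    $image = if ($e.Id -eq 1) { $f.Image } else { $f.ImageLoaded }
    '{0:u}  ID {1}  {2}' -f $e.TimeCreated, $e.Id, $image
    '    why   : ' + ($why -join '; ')
    # Hashes is 'SHA1=...' with a default install; a configuration file can add SHA256 or IMPHASH.
    # Search VirusTotal for this value instead of uploading the file.
    '    hashes: ' + $f.Hashes
}
```\n\nExpect false positives: plenty of legitimate installers run from the user profile and ship without a company name, so treat each hit as a reason to check the signature and the hash, not as a verdict.\n\n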
Also take a close look at driver loads (Event ID 6), in particular drivers that are unsigned or not signed by Microsoft.\n\n## Narrowing down Sysmon events\n\nYou will quickly realize that searching for suspicious events is a tedious task. Most event messages originate from non-suspicious applications such as your browser or Microsoft Edge WebView2.\n\nThis is used to display web content in Windows programs such as Teams or Outlook. To filter such irrelevant events out of the list, you can load a configuration file in XML format into Sysmon.\n\nBuilding such a file from scratch is not easy. Microsoft has therefore published a simple basic version of such a configuration file on its website. It logs driver loads unless the driver’s signature contains Microsoft or Windows, so only third-party drivers appear in the log.\n\nIt also suppresses all process-termination events and restricts network-connection events to those with destination port 80 or 443, the ports used by the classic web protocols HTTP and HTTPS.\n\nTo download the configuration file, open the Sysmon page on Microsoft’s website, scroll down to the _Configuration files_ section and click the _Copy_ button on the right.\n\nPaste the text into Windows Notepad, go to _File > Save As_, set the file type to _All Files (*.*)_, change the file extension from .txt to .xml, and save the file under a name of your choice, such as _config_sysmon.xml_, in any folder.\n\nMicrosoft has published an example of a Sysmon configuration file on its website. This can be customized by any user as required.\n\nThe Microsoft employee who created this file is Moti Bani. He has also published an extended version on GitHub with the filename _config-v17.xml_.\n\nClick on the file name on the website and, in the window that opens, click the download icon in the toolbar with the tooltip _Download raw file_. The file will then be saved to your Downloads folder.\n\nMoti Bani regards both files as templates that users can customize according to their own ideas and needs. 
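\n\nAs an added example of such a customization (the editor’s own file, not Microsoft’s sample or Moti Bani’s), the following PowerShell writes a small configuration and loads it into the running service. The rules follow the behaviour of the Microsoft sample described above and add two things a practitioner usually wants: SHA256 hashing, so the _Hashes_ field can be searched on VirusTotal, and an exclusion for the WebView2 processes that dominate the log. The schema version is an assumption; **sysmon.exe -s** prints the one your build expects.\n\n```powershell
# Added example (not Microsoft's sample and not Moti Bani's file): write a small
# Sysmon configuration and apply it to the already installed service.
# Assumptions: schemaversion 4.90 (check with sysmon.exe -s) and the temp folder as location.
$ConfigPath = Join-Path -Path $env:TEMP -ChildPath 'config_sysmon.xml'   # any folder works
@'
<Sysmon schemaversion='4.90'>
  <!-- Record SHA256 so the Hashes field can be looked up on VirusTotal -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- ID 6: log every driver load except those whose signature contains Microsoft or Windows -->
    <DriverLoad onmatch='exclude'>
      <Signature condition='contains'>Microsoft</Signature>
      <Signature condition='contains'>Windows</Signature>
    </DriverLoad>
    <!-- ID 5: an empty include rule matches nothing, so process termination is never logged -->
    <ProcessTerminate onmatch='include' />
    <!-- ID 3: log only connections whose destination port is 80 or 443 -->
    <NetworkConnect onmatch='include'>
      <DestinationPort>80</DestinationPort>
      <DestinationPort>443</DestinationPort>
    </NetworkConnect>
    <!-- ID 1: drop the WebView2 child processes (Teams, Outlook); everything else is still logged -->
    <ProcessCreate onmatch='exclude'>
      <Image condition='end with'>msedgewebview2.exe</Image>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $ConfigPath -Encoding UTF8

# -c replaces the configuration of an installed service; -i is only for installing it.
& sysmon.exe -c $ConfigPath

& sysmon.exe -c          # with no file name: print the configuration now in force
# & sysmon.exe -c --     # return to the default configuration
```\n\nThe trade-off in the last rule is deliberate: excluding an image by name silences anything that happens to be called msedgewebview2.exe, so a config like this reduces noise at the cost of one blind spot, which is why the rule is commented rather than hidden.\n\n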
Guidance on the configuration syntax is available on the Sysmon download page mentioned above.\n\n## Loading a Sysmon configuration\n\nTo load an XML configuration file, you will again need the Command Prompt with administrator rights. If Sysmon is not yet installed, **sysmon.exe -i [path to XML file]** installs the service together with the configuration. On the service you already installed above, use **sysmon.exe -c [path to XML file]** instead, which applies the new configuration without reinstalling. For example, if the file is called _config_sysmon.xml_ and is located in the C:\\Temp folder, the command is **sysmon.exe -c C:\\Temp\\config_sysmon.xml**.\n\nIf you want to switch to a different configuration file, such as config-v17.xml, enter **sysmon.exe -c C:\\Temp\\config-v17.xml** (provided, of course, that this file is also located in the C:\\Temp folder). Entering **sysmon.exe -c** without a file name prints the configuration currently in force. If you wish to reset Sysmon to its default state and discard the loaded configuration, use the command **sysmon.exe -c --**.\n\n## What to do after the analysis?\n\nIf a running process or loaded driver seems suspicious, your first step should be to launch your antivirus tool’s virus scanner and run a full scan, even if this takes several hours. In addition, you can upload the file specified in the event log to VirusTotal and have it analyzed there, or search VirusTotal for the hash that Sysmon records in the event’s _Hashes_ field, which avoids uploading the file itself.\n\nOf course, you can also simply use Sysmon to take some of the load off your computer. Consider which of the loaded processes or programs you can do without.\n\nThen navigate to the specified path and, as a precaution, simply rename the file for the time being (leave files under C:\\Windows alone unless you have verified that they are not part of Windows). Restart your computer and see what happens. If no issues arise, you can uninstall the program permanently.\n\n## Process Monitor versus System Monitor\n\nThere are various tools available for listing all running processes in full. In addition to Sysmon, these include Process Monitor, or Procmon for short. This too comes from Mark Russinovich and his company Sysinternals.\n\nMicrosoft acquired Sysinternals in 2006; Russinovich is now Chief Technology Officer of Microsoft Azure, and Microsoft offers the Sysinternals tools for free download.\n\nThe main difference between Sysmon and Procmon is that Procmon is an interactive tool that captures activity only while its window is open. 
Sysmon, on the other hand, runs continuously as a service in the background and logs the start and end of Windows processes to the event log, where the record survives reboots.\n\nProcmon is available to download. Sysmon can also be downloaded from Microsoft, as an alternative to installing it as a Windows 11 feature.\n\nProcess Monitor also provides an overview of loaded services and process activity. Unlike Sysmon, however, it only covers the time during which it is running.",
  "title": "Meet the hidden Windows 11 tool that reveals what Task Manager misses"
}