Saturday, September 13, 2014

New Sysmon From Sysinternals

Since Microsoft purchased Sysinternals, there has not been much activity out of them over the last few years.
A few weeks ago that changed, when they released Sysmon.
It is an interesting tool that I think will primarily be used for malware research and investigations.
At the same time, you might find it useful for debugging, and for monitoring process creation and network connections on a specific machine.
It is a service (backed by a kernel driver) that runs in the background, and it has to be installed from an elevated command prompt.
Once you have downloaded it, you can install it like this:
sysmon.exe -i -n
The -i installs the service and driver; the -n tells it to also log network connections, not just process creation.
Once the service is installed, it logs every process creation and every network connection to the event log.
It is under its own log, so it can be a little hard to find. In Event Viewer it is under:
"Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"
The log can build up fast, especially with -n on a busy machine, and it can impact system performance, so use it carefully.
Each entry shows you the user, the process, and the time.
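Clicking through entries in Event Viewer gets old quickly, so here is an added example (not from the original post or from Sysinternals) that pulls the same data with PowerShell. It assumes Sysmon was installed with -n as above, that you are in an elevated PowerShell session, and it relies on two facts about the log: the PowerShell name of the channel shown above is Microsoft-Windows-Sysmon/Operational, and Sysmon writes process creations as Event ID 1 and network connections as Event ID 3. The field names (Image, CommandLine, User, DestinationIp, and so on) are the ones Sysmon puts in the EventData section of each record.

```powershell
# Added example: read Sysmon process-creation (ID 1) and network-connection (ID 3)
# events from the Operational log and flatten each record into an object.
# Assumes Sysmon is installed with -n and this runs in an elevated session.
$LogName   = 'Microsoft-Windows-Sysmon/Operational'
$MaxEvents = 200   # keep the pull small; this log grows fast with -n enabled

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Sysmon stores its fields as <EventData><Data Name="..."> nodes. Parsing the
    # XML is more robust than splitting the rendered Message text.
    $xml = [xml]$Event.ToXml()
    $fields = [ordered]@{
        EventId     = $Event.Id
        TimeCreated = $Event.TimeCreated
    }
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]$fields
}

# Filter server-side on log name and event IDs instead of pulling everything.
$filter = @{ LogName = $LogName; Id = 1, 3 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object { ConvertFrom-SysmonEvent $_ }

# Process creations: who started what, with the full command line and parent.
$events | Where-Object EventId -eq 1 |
    Select-Object UtcTime, User, Image, CommandLine, ParentImage |
    Format-Table -AutoSize

# Network connections: which process talked to which remote endpoint.
$events | Where-Object EventId -eq 3 |
    Select-Object UtcTime, User, Image, Protocol, DestinationIp, DestinationPort |
    Format-Table -AutoSize

# Rough volume check for the "log can build up fast" caveat: events per ID.
$events | Group-Object EventId | Select-Object Name, Count
```

Raise $MaxEvents or drop it entirely once you know how large the log is; on a busy workstation with -n enabled the ID 3 events usually dominate, which is also where most of the performance cost comes from.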


More info about it is on the Sysinternals site.
