SysMon logs everything Task Manager misses, and it’s now built into Windows 11 for free



Typically, when you want to know what’s running on your system, you’d use Task Manager to view all the running programs and services. It does its job well enough, and it can be good for spotting unwanted programs running on your PC, but what you might not realize is that there’s actually a lot that Task Manager doesn’t tell you or show you.

If you truly want to identify potential problems with what’s happening on your PC, there’s another Windows tool that can go way further: SysMon. And the best part is that it’s now built right into Windows 11.

The limitations of Task Manager

It works, but only to an extent


Task Manager is great for a lot of things, from monitoring system resource usage to managing your startup tasks. And of course, it’s the easiest way to see what’s running on your system at any given time, spot potentially dangerous software, and close apps you don’t want running. It’s great for that.

But that’s also where some of its limitations come into play. Task Manager only really works in real time, so if something suspicious happens on your PC and you want to see what’s going on, it only really helps if it’s a program that’s still running. If a process only briefly started and stopped, you may not be able to see it anymore.


Plus, Task Manager only shows you the name of a running process, which can be somewhat non-descriptive, and there’s a lot more that can go into a potential malware attack that Task Manager just doesn’t have access to. It’s not a bad tool, but it’s not designed to closely track potential malware and suspicious activity.

SysMon goes much further

Log everything

Screenshot of an event log created by SysMon

In comes SysMon, a SysInternals tool; Microsoft has owned SysInternals since 2006, when it acquired the company behind it. SysMon, short for System Monitor, can log nearly everything you could want to know about what’s running on your PC. It installs itself as a driver that loads early in the boot process, so it can even spot kernel-mode malware that launches during boot, and it doesn’t miss a beat.

SysMon logs every potentially important event that happens on your system: processes that start and end, drivers that are loaded by the system, attempts to read or write raw data to the disk, and more. It can even detect attempts by programs to modify the file creation time of files, a common technique malware uses to disguise changes made to your system. If you want, you can also enable the ability to log connections to the internet, which processes made them, IP addresses, port numbers, and more. It’s incredibly detailed and capable.

It isn’t a live monitor in the way Task Manager is, but it records every event as it happens. You can view its logs in the built-in Event Viewer on Windows 11, though you have to refresh manually to see new entries. By default, Event Viewer displays a static snapshot, but it tells you when new items are available to display.

You also get this data in an incredible amount of detail, so you can potentially identify problems much more quickly. SysMon doesn’t try to flag suspicious activity itself, but each event records the process name, the process GUID, a SHA1 hash of the process image file (so you can easily recognize the same executable showing up again and again), and more. All of this can be viewed in Event Viewer, and you can use it to identify potential malware, or even search for some of this information online to see whether others are experiencing the same issues. If you work in IT or simply want to make sure your computer is secure, this is an invaluable tool.

It’s part of Windows now

Just enable it

While Microsoft has owned SysMon for a long time, it still required a separate download until recently. Like most SysInternals tools, you can find it on the Microsoft Learn website. But Microsoft has been incorporating some very useful tools into Windows 11 recently, and earlier this year, the company announced that SysMon was going to be built into the operating system. You can’t just run it like any other program, but you can easily get started with making it usable.

All you need to do is make sure you’re running the latest Windows 11 updates, then open the Start menu and search for Turn Windows features on or off. Open that, and in the window that appears, you’ll see Sysmon listed as an option. Select it, click OK, and wait for it to be enabled. You don’t even need to restart.


Once it’s enabled, you still have to install the Sysmon driver. For that, open a Windows Terminal (or Command Prompt) as administrator and run sysmon -i. This installs the driver, and it immediately begins logging events. You can also configure Sysmon to log additional event types, such as network connections, though that requires a configuration file and a bit more work.

You can open Event Viewer and use the side panel to navigate to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, which will load everything that has happened since Sysmon started running.
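The following PowerShell script is an added example, not part of the original article or of Sysmon itself. It shows the two pieces the article only mentions: a minimal Sysmon configuration that turns on network-connection logging (event ID 3), and a query of the same Sysmon/Operational log that Event Viewer shows, joining each connection to its process-create event (event ID 1) by ProcessGuid so the command line and image hash appear alongside the destination. It assumes an elevated prompt and that the schemaversion matches your installed Sysmon (check with sysmon -? config).

```powershell
# Added example: enable NetworkConnect logging, then correlate events 3 -> 1 by ProcessGuid.
# Constructed minimal config; everything else keeps Sysmon's defaults.
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha1,sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude" with one rule: log every connection except loopback -->
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$cfgPath = Join-Path $env:TEMP 'sysmon-config.xml'   # assumed scratch location
$config | Set-Content -Path $cfgPath -Encoding UTF8

# First install: sysmon -accepteula -i $cfgPath
# Already installed (as in the article): apply the new config without reinstalling
sysmon -c $cfgPath

$log = 'Microsoft-Windows-Sysmon/Operational'   # the log Event Viewer shows under Sysmon > Operational

# Flatten a Sysmon event's <EventData> into a name -> value hashtable
function Convert-SysmonEvent($evt) {
    $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# Index recent process-create events (ID 1) by ProcessGuid
$procs = @{}
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { $p = Convert-SysmonEvent $_; $procs[$p.ProcessGuid] = $p }

# For each network connection (ID 3), look up the process that made it
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $n = Convert-SysmonEvent $_
        $p = $procs[$n.ProcessGuid]
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $n.Image
            Destination = "$($n.DestinationIp):$($n.DestinationPort)"
            CommandLine = if ($p) { $p.CommandLine } else { '(process-create event not in window)' }
            Hashes      = if ($p) { $p.Hashes } else { '' }
        }
    } | Format-Table -AutoSize
```

The Hashes column is what lets you recognize the same binary across reboots or renamed copies, which is the correlation the article describes doing by hand in Event Viewer.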

IT admins should enable Sysmon

If you’re responsible for security on a given PC, whether you’re an IT admin at a corporation or you just need to track down a potential piece of malware, Sysmon should be part of your arsenal. It’s always been a great tool, but now that it’s built directly into Windows, there should be no doubt about setting it up. It’s incredibly useful and powerful, and it’s great to see Microsoft acknowledge that by building it into the operating system.