PCWorld
In Windows, a great deal remains hidden beneath the surface. As soon as it starts up, the operating system launches several applications, initializes drivers, and checks for new software updates. Many of the programs that Windows loads automatically then run as processes in RAM, invisibly in the background. The Task Manager, accessible by right-clicking the taskbar and selecting Task Manager, displays a long list under Processes. However, this list is by no means complete. For example, it does not include:

- Processes in kernel mode. These include, among others, the kernel threads, i.e. the tasks performed by the operating system's kernel. The Task Manager groups these under the heading System.
- Device drivers and some services that are started via the registry.
- Browser tabs and extensions. The Task Manager may display, for example, 20 instances of chrome.exe without revealing which websites are loaded in the individual tabs. Nor does the Task Manager reveal the names of PowerShell scripts.
- Virus programs running in the background that have disguised themselves using various techniques.

For a complete list of running processes, you will therefore need other tools. Early in 2026, Microsoft integrated System Monitor, or Sysmon for short, into the operating system via an update. Previously, it was available from Microsoft as a standalone download and as part of the Sysinternals suite. Once installed, the program runs invisibly as a service in the background and logs its messages in the Windows Event Log.

Identifying suspicious processes

The developer of the Sysinternals suite, Mark Russinovich, has listed what makes a process suspicious:

- There are no icons, descriptions, or company names in the details.
- The process is running from a Windows directory or a user profile.
- It was started with an incorrect parent process.
- The process name is misspelled.
- The process consists of unsigned executable files.
- The process's executable files are packed.
- The process hosts suspicious DLLs or services.
- It has open TCP/IP endpoints.
- Its executable file contains unusual URLs or character strings.

Install and start Sysmon

To install Sysmon, type system into the search box on the taskbar and click on the Control Panel result. In the icon view, click on Programs > Programs and Features (in the category view, click on Uninstall a program) and, in the window that opens, go to Turn Windows features on or off on the left-hand side. Scroll down, tick the box next to Sysmon and confirm by clicking OK. Windows will now copy the Sysmon files to your computer. Then click Close and restart your PC.

Image caption: Following a Windows update in the spring, Sysmon can now be set up directly via the "Programs and Features" list in the Control Panel. (Roland Freist)

In a second step, Sysmon is set up and activated. To do this, launch the Command Prompt by typing cmd into the search box on the taskbar. This opens the Start menu with the entry Command Prompt. Click on it on the right-hand side of the window, select Run as administrator and confirm the security prompt. By default, the Command Prompt opens in the folder C:\Windows\System32, which is also where sysmon.exe is located. You can therefore simply enter the command sysmon.exe -i and press Enter.

Image caption: The System Monitor is finally started by entering the command sysmon.exe -i in the Command Prompt. (Roland Freist)

Several system messages will then appear. At the very bottom, you will see Sysmon started. This completes the installation; Sysmon is now running as a service in the background. You can uninstall the tool later using the command sysmon.exe -u.

You can check the installation by typing services into the search box on the taskbar, scrolling down the list and double-clicking the new entry Sysmon. The Startup type should be set to Automatic, and Running should be displayed next to Service status.
Image caption: Sysmon runs as a service in Windows. A glance at the list of services in the Control Panel will show whether the program has started. (Roland Freist)

Viewing Sysmon messages

Sysmon does not have its own user interface. Instead, the service sends the events it logs, such as the start and end of programs and notifications about drivers being loaded, to the Event Viewer. You can open this tool by typing event into the search box on the taskbar and clicking on the Event Viewer result. In the Event Viewer window, click on the small arrow to the left of Applications and Services Logs. It may take a moment for the subfolders to appear. Follow the path Microsoft > Windows > Sysmon > Operational. In the middle pane, you will now see the events that Sysmon has logged.

Image caption: Sysmon does not have its own user interface, but communicates with the user exclusively via Event Viewer. The section in the middle is important. (Roland Freist)

Don't be alarmed: there can quickly be several thousand entries there. This is normal and no cause for concern. Sysmon works very meticulously and records all program and driver activity on your computer.

Image caption: After double-clicking on an event logged by Sysmon, you will see the name of the associated EXE file and which program it is. (Roland Freist)

Double-click on some of the entries to open them. You will quickly see that most of them are uninteresting. You can identify which application triggered the event by the path next to Image.

Sysmon stores the logged events in a separate file. You can find it in the folder C:\Windows\System32\winevt\Logs under the name Microsoft-Windows-Sysmon%4Operational.evtx. By default, Event Viewer allows this log to grow to 65,536 KB, which corresponds to 64MB. Once this limit is reached, Event Viewer overwrites the oldest events. This can happen after just a few days.

Image caption: By default, the Sysmon log can grow to a maximum of 64MB.
For better logging, you should increase this value to 256MB or more. (Roland Freist)

It is therefore advisable to increase the maximum log size, for example to 256MB. To do this, right-click on the Operational folder in Event Viewer and select Properties. In the Logging section, you can change the maximum size accordingly.

Analyzing the Sysmon logs

If you select an event at the top of the middle pane in Event Viewer, important details appear below it. The third line shows the date and time at which the event occurred. In the Image line, you will see the full path including the file name, and below that the file version. The following four entries contain the description, the product name, the manufacturer and the original file name.

Sysmon is a powerful tool for finding malware that has embedded itself in the system and remains permanently active there. To analyze the data, scroll through the event list using the arrow keys, paying close attention to any events triggered by unknown or suspicious-looking applications. Also take a close look at any driver changes.

Narrowing down Sysmon events

You will quickly realize that searching for suspicious events is a tedious task. Most event messages originate from non-suspicious applications such as your browser or Microsoft Edge WebView2, which is used to display web content in Windows programs such as Teams or Outlook. To filter such irrelevant events out of the list, you can load a configuration file in XML format into Sysmon. Building such a file from scratch is not easy. Microsoft has therefore published a simple basic version of such a configuration file on its website. This initially filters out all events relating to drivers with a signature other than Microsoft or Windows. It also filters out all events relating to the termination of processes and to network connections via ports 80 and 443, the ports over which the classic web protocols HTTP and HTTPS run.
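As an added example that is not part of the PCWorld article, the log-size adjustment and the event analysis described above can also be done from an elevated PowerShell window instead of clicking through Event Viewer. The script assumes the standard Sysmon log name Microsoft-Windows-Sysmon/Operational and the usual fields of Sysmon Event ID 1 (process creation): Image, ParentImage, CommandLine, Company, Description and Hashes. The expected-parent table and the path checks are a deliberately small, hand-written version of the Russinovich heuristics quoted earlier, not an exhaustive rule set, so treat a hit as a prompt to look closer rather than as a verdict.

```powershell
# Added example (not from the article): first-pass triage of the Sysmon log.
# Run in an elevated PowerShell window; SaveChanges() on the log needs admin rights.
# Assumption: Sysmon writes to the standard log name below.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

# 1. Raise the maximum log size so the log does not wrap within days.
#    256MB is the article's recommendation; pass a larger value if you prefer.
function Set-SysmonLogSize {
    param([long]$MaxBytes = 256MB)
    $log = Get-WinEvent -ListLog $LogName
    if ($log.MaximumSizeInBytes -lt $MaxBytes) {
        $log.MaximumSizeInBytes = $MaxBytes
        $log.SaveChanges()
    }
    '{0}: maximum size is now {1} MB' -f $LogName, ($log.MaximumSizeInBytes / 1MB)
}

# 2. Read Event ID 1 (process creation) from the last N hours and flatten the
#    XML payload into objects carrying the fields the article points at.
function Get-SysmonProcessCreate {
    param([int]$Hours = 24)
    $filter = @{ LogName = $LogName; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
            Company     = $data['Company']
            Description = $data['Description']
            Hashes      = $data['Hashes']
        }
    }
}

# 3. Apply a few of the Russinovich checks: missing company/description,
#    image running from a user profile or a user-writable Windows folder,
#    or a well-known system binary with an unexpected parent.
#    The parent table is a constructed, minimal whitelist (hypothetical, extend as needed).
function Find-SuspiciousProcessCreate {
    param([int]$Hours = 24)
    $profileRoot = [regex]::Escape("$env:SystemDrive\Users\")
    $writableWin = '^C:\\Windows\\(Temp|Tasks|Debug)\\'
    $expectedParents = @{
        'svchost.exe'  = 'services.exe'
        'lsass.exe'    = 'wininit.exe'
        'services.exe' = 'wininit.exe'
    }
    Get-SysmonProcessCreate -Hours $Hours | ForEach-Object {
        $reasons = @()
        # Sysmon writes '-' when the PE carries no version-resource field.
        if (-not $_.Company -or $_.Company -eq '-')         { $reasons += 'no company name' }
        if (-not $_.Description -or $_.Description -eq '-') { $reasons += 'no description' }
        # -match is case-insensitive in PowerShell, so no (?i) is needed.
        if ($_.Image -match "^$profileRoot")                { $reasons += 'runs from user profile' }
        if ($_.Image -match $writableWin)                   { $reasons += 'runs from writable Windows folder' }
        $name = ([IO.Path]::GetFileName([string]$_.Image)).ToLower()
        if ($expectedParents.ContainsKey($name)) {
            $parent = ([IO.Path]::GetFileName([string]$_.ParentImage)).ToLower()
            if ($parent -ne $expectedParents[$name]) { $reasons += "unexpected parent '$parent'" }
        }
        if ($reasons) {
            $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

Set-SysmonLogSize
Find-SuspiciousProcessCreate -Hours 24 |
    Format-Table Time, Image, ParentImage, Reasons -AutoSize
```

The Hashes field is kept on each object so that a flagged binary can be looked up by SHA256 in VirusTotal without touching the file itself; widen or narrow the heuristics to your own environment, since legitimate installers and per-user applications routinely run from the profile folder.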
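As a second added example, again not the article's own text and not Microsoft's published file, here is a minimal Sysmon configuration that implements the three filters the paragraph above describes, written to disk from PowerShell and then applied with sysmon.exe -c, which updates the configuration of an already-installed Sysmon service (and, with no argument, prints the configuration currently in force). The path C:\Temp\config_sysmon.xml and the schemaversion 4.90 are assumptions: print the schema your build expects with sysmon.exe -s and adjust the number if it differs.

```powershell
# Added example (not the article's or Microsoft's file): a minimal Sysmon
# configuration matching the filtering the article describes.
# Run from an elevated PowerShell window with Sysmon already installed.
# Assumptions: C:\Temp is writable, schemaversion 4.90 matches the installed build.
$ConfigPath = 'C:\Temp\config_sysmon.xml'

$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Driver loads (ID 6): drop events whose signature names Microsoft or
         Windows, so only third-party driver loads remain in the log -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Process termination (ID 5): an include rule with no entries matches
         nothing, which is the Sysmon idiom for "do not log this event" -->
    <ProcessTerminate onmatch="include" />
    <!-- Network connections (ID 3): keep everything except destinations on
         the classic HTTP/HTTPS ports 80 and 443 -->
    <NetworkConnect onmatch="exclude">
      <DestinationPort>80</DestinationPort>
      <DestinationPort>443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

# Write the file as UTF-8 without a byte-order mark.
New-Item -ItemType Directory -Force -Path (Split-Path $ConfigPath) | Out-Null
[IO.File]::WriteAllText($ConfigPath, $config)

$sysmon = Join-Path $env:SystemRoot 'System32\sysmon.exe'
& $sysmon -c $ConfigPath   # apply the new configuration to the running service
& $sysmon -c               # dump the configuration now in force, to verify
```

Note that the NetworkConnect exclusion removes exactly the events in which a web-capable piece of malware would hide, so once the noise is under control it is worth replacing the port exclusion with image-based exclusions for your browser and other known web clients instead.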
To download the configuration file, open this webpage, scroll down to the Configuration files section and click the Copy button on the right. Paste the text into Windows Notepad, go to File > Save As, set the file type to All Files (*.*), change the file extension from .txt to .xml, and save the file under a name of your choice, such as config_sysmon.xml, in any folder.

Image caption: Microsoft has published an example of a Sysmon configuration file on its website. This can be customized by any user as required. (Roland Freist)

The Microsoft employee who created this file is Moti Bani. He has also published an extended version on GitHub with the filename config-v17.xml. Click on the file name on the website and, in the window that opens, click the download icon in the toolbar with the tooltip Download raw file. The file will then be saved to your Downloads folder. Moti Bani regards both files as templates that users can customize according to their own ideas and needs. Guidance on this is available on the Sysmon download page mentioned above or here.

Loading a Sysmon configuration

To load an XML configuration file with Sysmon, you will again need the Command Prompt with administrator rights. Type the command sysmon.exe -i [path to XML file] there. For example, if the file is called config_sysmon.xml and is located in the C:\Temp folder, the command is sysmon.exe -i C:\Temp\config_sysmon.xml. If you want to switch to a different configuration file, such as config-v17.xml, enter sysmon.exe -i C:\Temp\config-v17.xml, provided, of course, that this file is also located in the C:\Temp folder. If you wish to reset Sysmon to its default state and delete all configurations, use the command sysmon -c --.

What to do after the analysis?

If a running process or loaded driver seems suspicious, your first step should be to launch your antivirus tool's virus scanner and run a full scan, even if this takes several hours.
In addition, you can upload the file specified in the event log to VirusTotal and have it analyzed there.

Of course, you can also simply use Sysmon to take some of the load off your computer. Consider which of the loaded processes or programs you can do without. Then navigate to the specified path and, as a precaution, simply rename the file for the time being. Restart your computer and see what happens. If no issues arise, you can uninstall the program permanently.

Process Monitor versus System Monitor

There are various tools available for listing all running processes in full. In addition to Sysmon, these include Process Monitor, or Procmon for short. This too comes from Mark Russinovich and his company Sysinternals. Microsoft hired Russinovich as Chief Technology Officer some time ago and offers the Sysinternals tools for free download. The main difference between Sysmon and Procmon is that Procmon provides a snapshot of all currently running processes, whereas Sysmon runs continuously in the background and logs the start and end of Windows processes. Procmon is available to download. Sysmon can also be downloaded from Microsoft, as an alternative to installing it via Windows 11.

Image caption: Process Monitor also provides an overview of the loaded services. Unlike Sysmon, however, it only shows a snapshot. (Roland Freist)