For the first time in almost two years, Microsoft's Mark Russinovich has added a new tool to the Sysinternals tool suite. The new tool is Sysmon which monitors for and logs certain specific events.
Sysinternals is a set of Windows utility programs first released in 1996, long before Russinovich joined Microsoft. Almost all were written by Russinovich and his then-partner Bryce Cogswell. Sysmon, written by Russinovich and Thomas Garnier, also of Microsoft, is the 73rd tool in the set, and has been used internally at Microsoft for some time.
The point of Sysmon is to monitor for three specific system events which are often used by malicious processes and which can be difficult to separate from the flood of events in a normal Windows system. Sysmon runs as a service using the Local System account and loads very early in the boot process in order to give the best chance of finding the origin of any problems.
The Sysmon service logs these to the event log:
For Windows Vista and later, Sysmon places these events in the event log in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". For earlier (unsupported) versions of Windows, it places them in the Windows System log.
Sysmon is a command line-only program. Run it with no parameters and it returns its command line syntax:
First you have to accept the license agreement by running sysmon -accepteula. Then you install the service with sysmon -i. Neither installation nor uninstallation requires a reboot.
Once loaded, Sysmon does its job automatically and in the background. Check the results in the Event Viewer:
Sysmon provides only raw event data, not analysis of that data. It is possible for third parties to write analysis tools which read the Sysmon event log and attempt to identify meaningful activity, but for now you have to analyze it the hard way.
Sysmon is just the latest of a series of monitoring tools from Microsoft, many of them from Sysinternals. Some others:
Another extremely useful diagnostic tool is Fiddler, which allows you to debug web traffic and much more. It started out in life as a free Microsoft tool and has since been spun off to an independent company.