{
	"id": "b877c3d7-f035-4a1a-b010-6135dd44eccf",
	"created_at": "2026-04-06T00:22:18.053808Z",
	"updated_at": "2026-04-10T03:20:49.52234Z",
	"deleted_at": null,
	"sha1_hash": "713e6e9f985b3ec9f13d358eea88c5cacdf5fc11",
	"title": "Sysmon - Sysinternals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153492,
	"plain_text": "Sysmon - Sysinternals\r\nBy markruss\r\nArchived: 2026-04-05 16:16:48 UTC\r\nBy Mark Russinovich and Thomas Garnier\r\nPublished: March 26, 2026\r\n Download Sysmon (4.6 MB)\r\nDownload Sysmon for Linux (GitHub)\r\nIntroduction\r\nSystem Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains\r\nresident across system reboots to monitor and log system activity to the Windows event log. It provides detailed\r\ninformation about process creations, network connections, and changes to file creation time. By collecting the\r\nevents it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can\r\nidentify malicious or anomalous activity and understand how intruders and malware operate on your network. The\r\nservice runs as a protected process, thus disallowing a wide range of user mode interactions.\r\nNote that Sysmon does not provide analysis of the events it generates, nor does it attempt to hide itself from\r\nattackers.\r\nOverview of Sysmon Capabilities\r\nSysmon includes the following capabilities:\r\nLogs process creation with full command line for both current and parent processes.\r\nRecords the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.\r\nMultiple hashes can be used at the same time.\r\nIncludes a process GUID in process create events to allow for correlation of events even when Windows\r\nreuses process IDs.\r\nIncludes a session GUID in each event to allow correlation of events on same logon session.\r\nLogs loading of drivers or DLLs with their signatures and hashes.\r\nLogs opens for raw read access of disks and volumes.\r\nOptionally logs network connections, including each connection’s source process, IP addresses, port\r\nnumbers, hostnames and port names.\r\nDetects changes in file creation time to understand when a file was really created. 
Modification of file creation timestamps is a technique commonly used by malware to cover its tracks.\r\nAutomatically reloads its configuration if it is changed in the registry.\r\nhttps://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread\r\nPage 1 of 13\n\nRule filtering to include or exclude certain events dynamically.\r\nGenerates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.\r\nUsage\r\nCommon usage featuring simple command-line options to install and uninstall Sysmon, as well as to check and modify its configuration:\r\nInstall: sysmon64 -i [\u003cconfigfile\u003e]\r\nUpdate configuration: sysmon64 -c [\u003cconfigfile\u003e]\r\nInstall event manifest: sysmon64 -m\r\nPrint schema: sysmon64 -s\r\nUninstall: sysmon64 -u [force]\r\nParameter | Description\r\n-i | Install service and driver. Optionally takes a configuration file.\r\n-c | Update the configuration of an installed Sysmon driver, or dump the current configuration if no other argument is provided. Optionally takes a configuration file.\r\n-m | Install the event manifest (implicitly done on service install as well).\r\n-s | Print the configuration schema definition.\r\n-u | Uninstall service and driver. Using -u force causes the uninstall to proceed even when some components are not installed.\r\nThe service logs events immediately, and the driver installs as a boot-start driver to capture activity from early in the boot, which the service writes to the event log when it starts.\r\nOn Vista and higher, events are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. On older systems, events are written to the System event log.\r\nIf you need more information on configuration files, use the -? 
config command.\r\nSpecify -accepteula to automatically accept the EULA on installation; otherwise you will be interactively prompted to accept it.\r\nNeither install nor uninstall requires a reboot.\r\nExamples\r\nInstall with default settings (process images hashed with SHA1 and no network monitoring):\r\nsysmon -accepteula -i\r\nInstall Sysmon with a configuration file (as described below):\r\nsysmon -accepteula -i c:\\windows\\config.xml\r\nUninstall:\r\nsysmon -u\r\nDump the current configuration:\r\nsysmon -c\r\nReconfigure an active Sysmon with a configuration file (as described below):\r\nsysmon -c c:\\windows\\config.xml\r\nChange the configuration to default settings:\r\nsysmon -c --\r\nShow the configuration schema:\r\nsysmon -s\r\nEvents\r\nOn Vista and higher, events are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational, and on older systems events are written to the System event log.\r\nEvent timestamps are in UTC.\r\nThe following describes each event type that Sysmon generates.\r\nEvent ID 1: Process creation\r\nThe process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file, computed with the algorithms listed in the HashType field.\r\nEvent ID 2: A process changed a file creation time\r\nThe change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps track the real creation time of a file. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. 
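The install, update and verification commands from the Usage and Examples sections above, combined into one deployment script as an added example that is not part of the Sysinternals page: it installs Sysmon with a configuration file when the service is absent, pushes the file with -c when it already exists, then checks the service, the boot-start driver and the Event ID 16 configuration-change record before reporting how noisy the new rules are. The file names Sysmon64.exe and sysmon-config.xml in the current directory, the default service names Sysmon64 and SysmonDrv (the DriverName entry changes both), and the per-ID noise check are assumptions.

```powershell
# Added example, not code from the Sysinternals page. Run from an elevated PowerShell
# in the directory that holds Sysmon64.exe and sysmon-config.xml (assumed names).
$ErrorActionPreference = 'Stop'
$sysmon  = Join-Path (Get-Location) 'Sysmon64.exe'
$config  = Join-Path (Get-Location) 'sysmon-config.xml'
$logName = 'Microsoft-Windows-Sysmon/Operational'

# -i installs service and driver; -c only pushes a configuration to an existing install.
# Neither needs a reboot, so this block is safe to re-run on every deployment.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $sysmon -accepteula -c $config
} else {
    & $sysmon -accepteula -i $config
}
if ($LASTEXITCODE -ne 0) { throw ('Sysmon64 exited with code {0}' -f $LASTEXITCODE) }

# Get-Service lists the user-mode service only; the boot-start driver is a kernel
# driver service, visible through Win32_SystemDriver. Both names change if the
# DriverName configuration entry is set.
$service = Get-Service -Name 'Sysmon64'
$driver  = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object Name -eq 'SysmonDrv'
if ($service.Status -ne 'Running') { throw 'Sysmon64 service is not running' }
if (-not $driver -or $driver.State -ne 'Running') { throw 'SysmonDrv driver is not running' }

# Event ID 16 (ServiceConfigurationChange) records the hash of the configuration
# that was applied. Compare it with the hash of the file we pushed, so a typo in
# the path or a rejected file cannot leave a host running the old rules unnoticed.
$expected = (Get-FileHash -Path $config -Algorithm SHA1).Hash
$cfgEvent = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 16 } -MaxEvents 1
$cfgData  = ([xml]$cfgEvent.ToXml()).Event.EventData.Data
$applied  = ($cfgData | Where-Object Name -eq 'ConfigurationFileHash').'#text'
if ($applied -notlike ('*{0}*' -f $expected)) {
    throw ('Applied configuration hash {0} does not match {1}' -f $applied, $expected)
}

# Dump the live configuration (what -c without a file prints) for the deployment log.
& $sysmon -c

# Noise check: event counts per ID since the configuration changed. A filter that
# accidentally includes everything shows up here as a flood of IDs 7, 10 or 11.
Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $cfgEvent.TimeCreated } -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count
```

The hash comparison is the step most deployments skip: -c exits zero after printing a parse error for a bad file, so the only reliable evidence that the intended rules are active is the hash Sysmon itself reports in Event ID 16.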
For Event ID 2, note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\r\nEvent ID 3: Network connection\r\nThe network connection event logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGuid fields. The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.\r\nEvent ID 4: Sysmon service state changed\r\nThe service state change event reports the state of the Sysmon service (started or stopped).\r\nEvent ID 5: Process terminated\r\nThe process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.\r\nEvent ID 6: Driver loaded\r\nThe driver loaded event provides information about a driver being loaded on the system. The configured hashes are provided as well as signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading.\r\nEvent ID 7: Image loaded\r\nThe image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the -l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a significant amount of logging.\r\nEvent ID 8: CreateRemoteThread\r\nThe CreateRemoteThread event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes. The event indicates the source and target process. 
It also gives information on the code that will be run in the new thread: StartAddress, StartModule and StartFunction. Note that the StartModule and StartFunction fields are inferred; they may be empty if the starting address is outside loaded modules or known exported functions.\r\nEvent ID 9: RawAccessRead\r\nThe RawAccessRead event detects when a process conducts reading operations from the drive using the \\\\.\\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.\r\nEvent ID 10: ProcessAccess\r\nThe process accessed event reports when a process opens another process, an operation that is often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant amounts of logging if there are diagnostic utilities active that repeatedly open processes to query their state, so it should generally be enabled only with filters that remove expected accesses.\r\nEvent ID 11: FileCreate\r\nFile create operations are logged when a file is created or overwritten. 
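Acting on Event ID 10 and Event ID 1 as described above, as an added example that is neither the page's nor Sysmon's own code: the script flattens Sysmon event XML into objects and runs two detections over them, a memory read of lsass.exe by a process outside an allowlist, and a shell spawned by an Office application. The two events are constructed samples laid out like Sysmon's XML; the allowlist, the process name lists and the PROCESS_VM_READ access bit used as the threshold are assumptions to tune from your own baseline.

```powershell
# Added example, not code from the Sysinternals page. Works on constructed sample
# events so it runs offline; the commented lines at the end switch it to the live log.
$logName = 'Microsoft-Windows-Sysmon/Operational'

# Flatten one Sysmon event (the XML that Get-WinEvent's ToXml() returns) into an
# object with EventId plus one property per <Data Name='...'> element.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $props = [ordered]@{ EventId = [int]$x.Event.System.EventID }
    foreach ($d in $x.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

# Assumption: processes that legitimately open lsass.exe on this estate. Derive it
# from a baseline of your own Event ID 10 data rather than copying this list.
$lsassAllowedSources = @('MsMpEng.exe', 'csrss.exe', 'wininit.exe', 'lsm.exe')
$PROCESS_VM_READ = 0x0010   # credential dumpers need at least this right

# Event ID 10: GrantedAccess is a hex mask string such as 0x1010. A query-only open
# (0x1000 or 0x1400) is common and harmless; VM_READ from an unexpected image is not.
function Test-LsassAccess {
    param([Parameter(Mandatory)]$Event)
    if ($Event.EventId -ne 10) { return $false }
    if ((Split-Path -Leaf $Event.TargetImage) -ne 'lsass.exe') { return $false }
    $mask = [Convert]::ToInt32($Event.GrantedAccess, 16)
    if (($mask -band $PROCESS_VM_READ) -eq 0) { return $false }
    return (Split-Path -Leaf $Event.SourceImage) -notin $lsassAllowedSources
}

# Assumption: Office binaries and the interpreters a malicious macro would launch.
$officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$shellChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

# Event ID 1: the parent/child pair is the signal; the full command line rides along
# in the alert so the analyst sees the payload (here a base64 -enc blob).
function Test-OfficeSpawnsShell {
    param([Parameter(Mandatory)]$Event)
    if ($Event.EventId -ne 1) { return $false }
    $parent = Split-Path -Leaf $Event.ParentImage
    $child  = Split-Path -Leaf $Event.Image
    return ($parent -in $officeParents) -and ($child -in $shellChildren)
}

function Get-SysmonAlerts {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $e = ConvertFrom-SysmonEvent -EventXml $raw
        if (Test-LsassAccess -Event $e) {
            [pscustomobject]@{ Rule = 'lsass memory read'; Source = $e.SourceImage; Target = $e.TargetImage; Detail = $e.GrantedAccess }
        }
        if (Test-OfficeSpawnsShell -Event $e) {
            [pscustomobject]@{ Rule = 'office spawned shell'; Source = $e.ParentImage; Target = $e.Image; Detail = $e.CommandLine }
        }
    }
}

# Constructed samples (not real telemetry), shaped like Sysmon event XML.
$sampleAccess = @'
<Event><System><EventID>10</EventID></System><EventData>
<Data Name='SourceImage'>C:\\Users\\alice\\AppData\\Local\\Temp\\procdump64.exe</Data>
<Data Name='TargetImage'>C:\\Windows\\system32\\lsass.exe</Data>
<Data Name='GrantedAccess'>0x1FFFFF</Data>
</EventData></Event>
'@
$sampleCreate = @'
<Event><System><EventID>1</EventID></System><EventData>
<Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>
<Data Name='CommandLine'>cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA</Data>
<Data Name='ParentImage'>C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
<Data Name='ParentCommandLine'>WINWORD.EXE /n invoice.docm</Data>
</EventData></Event>
'@

Get-SysmonAlerts -EventXml @($sampleAccess, $sampleCreate) | Format-Table -AutoSize

# Same detections over the live log (elevated shell required):
# $live = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1, 10 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() }
# Get-SysmonAlerts -EventXml $live
```

Both samples produce an alert. Filtering on the access mask matters as much as on the source image: antivirus and the many tools that merely query lsass open it with 0x1000 or 0x1400 and would otherwise drown the one 0x1FFFFF open that dumps it.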
The FileCreate event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops files during initial infection.\r\nEvent ID 12: RegistryEvent (Object create and delete)\r\nRegistry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.\r\nSysmon uses abbreviated versions of Registry root key names, with the following mappings:\r\nKey name | Abbreviation\r\nHKEY_LOCAL_MACHINE | HKLM\r\nHKEY_USERS | HKU\r\nHKEY_LOCAL_MACHINE\\System\\ControlSet00x | HKLM\\System\\CurrentControlSet\r\nHKEY_LOCAL_MACHINE\\Classes | HKCR\r\nEvent ID 13: RegistryEvent (Value Set)\r\nThis Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.\r\nEvent ID 14: RegistryEvent (Key and Value Rename)\r\nRegistry key and value rename operations map to this event type, recording the new name of the key or value that was renamed.\r\nEvent ID 15: FileCreateStreamHash\r\nThis event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier \"mark of the web\" stream.\r\nEvent ID 16: ServiceConfigurationChange\r\nThis event logs changes in the Sysmon configuration, for example when the filtering rules are updated.\r\nEvent ID 17: PipeEvent (Pipe Created)\r\nThis event is generated when a named pipe is created. 
Malware often uses named pipes for interprocess communication.\r\nEvent ID 18: PipeEvent (Pipe Connected)\r\nThis event logs when a named pipe connection is made between a client and a server.\r\nEvent ID 19: WmiEvent (WmiEventFilter activity detected)\r\nWhen a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.\r\nEvent ID 20: WmiEvent (WmiEventConsumer activity detected)\r\nThis event logs the registration of WMI consumers, recording the consumer name, log, and destination.\r\nEvent ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)\r\nWhen a consumer binds to a filter, this event logs the consumer name and filter path.\r\nEvent ID 22: DNSEvent (DNS query)\r\nThis event is generated when a process executes a DNS query, whether the query succeeds or fails and whether or not the answer comes from the cache. The telemetry for this event was added in Windows 8.1, so it is not available on Windows 7 and earlier.\r\nEvent ID 23: FileDelete (File Delete archived)\r\nA file was deleted. In addition to logging the event, the deleted file is also saved in the ArchiveDirectory (which is C:\\Sysmon by default). 
Under normal operating conditions this directory might grow to an unreasonable size; see Event ID 26: FileDeleteDetected for similar behavior without saving the deleted files.\r\nEvent ID 24: ClipboardChange (New content in the clipboard)\r\nThis event is generated when the system clipboard contents change.\r\nEvent ID 25: ProcessTampering (Process image change)\r\nThis event is generated when process hiding techniques such as \"hollow\" or \"herpaderp\" are detected.\r\nEvent ID 26: FileDeleteDetected (File Delete logged)\r\nA file was deleted.\r\nEvent ID 27: FileBlockExecutable\r\nThis event is generated when Sysmon detects and blocks the creation of executable files (PE format).\r\nEvent ID 28: FileBlockShredding\r\nThis event is generated when Sysmon detects and blocks file shredding from tools such as SDelete.\r\nEvent ID 29: FileExecutableDetected\r\nThis event is generated when Sysmon detects the creation of a new executable file (PE format).\r\nEvent ID 255: Error\nThis event is generated when an error occurs within Sysmon. Errors can happen if the system is under heavy load and certain tasks could not be performed, if a bug exists in the Sysmon service, or if certain security and integrity conditions are not met. You can report any bugs on the Sysinternals forum.\nConfiguration files\nConfiguration files can be specified after the -i (installation) or -c (configuration) switches. They make it easier to deploy a preset configuration and to filter captured events.\nA simple configuration xml file looks like this:\n[sample configuration XML not recoverable from the archived page; surviving element values: *, microsoft, windows, 443, 80, iexplore.exe]\nThe configuration file contains a schemaversion attribute on the Sysmon tag. This version is independent from the Sysmon binary version and allows the parsing of older configuration files. You can get the current schema version by using the \" -? config \" command line. 
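The sample configuration the text refers to, rebuilt here as an added example rather than the page's own file: it is reconstructed from the element values that survived extraction (*, microsoft, windows, 443, 80, iexplore.exe) and from the description of its network filter given later under Event filtering entries. The tag layout, the comments and the schemaversion value (replace it with what sysmon64 -? config reports for your binary) are assumptions.

```xml
<!-- Added reconstruction, not the file as printed on the Sysinternals page.
     schemaversion is an assumption; set it to the value sysmon64 -? config prints. -->
<Sysmon schemaversion='4.90'>
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature contains Microsoft or Windows -->
    <DriverLoad onmatch='exclude'>
      <Signature condition='contains'>microsoft</Signature>
      <Signature condition='contains'>windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination: an include filter with no rules matches nothing -->
    <ProcessTerminate onmatch='include' />
    <!-- Log network connections if the destination port equals 443 or 80
         and the process is not Internet Explorer -->
    <NetworkConnect onmatch='include'>
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch='exclude'>
      <Image condition='end with'>iexplore.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
```

The two DestinationPort rules are on the same field and so are ORed; the two NetworkConnect filters then combine as described below: include keeps only port 443 and 80 connections, and exclude removes those made by iexplore.exe, because an exclude match always wins over an include match.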
Configuration entries are directly under the Sysmon tag and filters are under the EventFiltering tag.\nConfiguration Entries\nConfiguration entries are similar to command line switches and include the following:\nEntry | Value | Description\nArchiveDirectory | String | Name of directories at volume roots into which copy-on-delete files are moved. The directory is protected with a System ACL (you can use PsExec from Sysinternals to access the directory using psexec -sid cmd). Default: Sysmon\nCheckRevocation | Boolean | Controls signature revocation checks. Default: True\nCopyOnDeletePE | Boolean | Preserves deleted executable image files. Default: False\nCopyOnDeleteSIDs | Strings | Comma-separated list of account SIDs for which file deletes will be preserved.\nCopyOnDeleteExtensions | Strings | Extensions for files that are preserved on delete.\nCopyOnDeleteProcesses | Strings | Process name(s) for which file deletes will be preserved.\nDnsLookup | Boolean | Controls reverse DNS lookup. Default: True\nDriverName | String | Uses the specified name for driver and service images.\nHashAlgorithms | Strings | Hash algorithm(s) to apply for hashing. Algorithms supported include MD5, SHA1, SHA256, IMPHASH and * (all). Default: None\nCommand line switches have their configuration entry described in the Sysmon usage output. Parameters are optional based on the tag. If a command line switch also enables an event, it needs to be configured through its filter tag. You can specify the -s switch to have Sysmon print the full configuration schema, including event tags as well as the field names and types for each event; for example, the output includes the schema for the RawAccessRead event type.\nEvent filtering entries\nEvent filtering allows you to filter generated events. In many cases events can be noisy and gathering everything is not possible. 
For example, you might be interested in network connections only for a certain process, but not all of them. You can filter the output on the host, reducing the data to collect.\r\nEach event has its own filter tag under the EventFiltering node in a configuration file:\r\nID | Tag | Event\r\n1 | ProcessCreate | Process Create\r\n2 | FileCreateTime | File creation time\r\n3 | NetworkConnect | Network connection detected\r\n4 | n/a | Sysmon service state change (cannot be filtered)\r\n5 | ProcessTerminate | Process terminated\r\n6 | DriverLoad | Driver Loaded\r\n7 | ImageLoad | Image loaded\r\n8 | CreateRemoteThread | CreateRemoteThread detected\r\n9 | RawAccessRead | RawAccessRead detected\r\n10 | ProcessAccess | Process accessed\r\n11 | FileCreate | File created\r\n12 | RegistryEvent | Registry object added or deleted\r\n13 | RegistryEvent | Registry value set\r\n14 | RegistryEvent | Registry object renamed\r\n15 | FileCreateStreamHash | File stream created\r\n16 | n/a | Sysmon configuration change (cannot be filtered)\r\n17 | PipeEvent | Named pipe created\r\n18 | PipeEvent | Named pipe connected\r\n19 | WmiEvent | WMI filter\r\n20 | WmiEvent | WMI consumer\r\n21 | WmiEvent | WMI consumer filter\r\n22 | DnsQuery | DNS query\r\n23 | FileDelete | File Delete archived\r\n24 | ClipboardChange | New content in the clipboard\r\n25 | ProcessTampering | Process image change\r\n26 | FileDeleteDetected | File Delete logged\r\n27 | FileBlockExecutable | File Block Executable\r\n28 | FileBlockShredding | File Block Shredding\r\n29 | FileExecutableDetected | File Executable Detected\r\nYou can also find these tags in the event viewer under the task name.\r\nThe onmatch attribute on a filter tag determines what happens when an event matches the filter's rules. If the value is \"include\", only matched events are logged. 
If it is set to \"exclude\", events are logged unless a rule matches. You can specify both an include filter set and an exclude filter set for each event ID, where exclude matches take precedence.\r\nEach filter can include zero or more rules. Each tag under the filter tag is a field name from the event. Rules that specify a condition for the same field name behave as OR conditions, and ones that specify different field names behave as AND conditions. Field rules can also use conditions to match a value. The conditions are as follows (all are case insensitive):\r\nCondition | Description\r\nis | Default, values are equal\r\nis any | The field is one of the ; delimited values\r\nis not | Values are different\r\ncontains | The field contains this value\r\ncontains any | The field contains any of the ; delimited values\r\ncontains all | The field contains all of the ; delimited values\r\nexcludes | The field does not contain this value\r\nexcludes any | The field does not contain one or more of the ; delimited values\r\nexcludes all | The field does not contain any of the ; delimited values\r\nbegin with | The field begins with this value\r\nend with | The field ends with this value\r\nnot begin with | The field does not begin with this value\r\nnot end with | The field does not end with this value\r\nless than | Lexicographical comparison is less than zero\r\nmore than | Lexicographical comparison is more than zero\r\nimage | Match an image path (full path or only image name). For example: lsass.exe will match c:\\windows\\system32\\lsass.exe\r\nYou can use a different condition by specifying it as an attribute. 
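The conditions and combination rules above put to work in one configuration, as an added example that is not from the page: named rules whose names surface in the RuleName field of each event, the image condition, include and exclude filters on the same event with exclude winning, same-field OR lists, and a groupRelation of and that requires two different fields to match (rule groups are described further down the page). The process names, domains, address ranges, the -enc markers and the schemaversion value are assumptions.

```xml
<!-- Added example, not a file from the Sysinternals page. schemaversion is an
     assumption; set it to what sysmon64 -? config prints for your binary. -->
<Sysmon schemaversion='4.90'>
  <EventFiltering>
    <!-- Event ID 10: log every open of lsass.exe ('image' matches on the file name
         alone, whatever the path) except from the listed sources; exclude wins. -->
    <RuleGroup name='lsass access' groupRelation='or'>
      <ProcessAccess onmatch='include'>
        <TargetImage name='lsass opened' condition='image'>lsass.exe</TargetImage>
      </ProcessAccess>
      <ProcessAccess onmatch='exclude'>
        <SourceImage condition='image'>MsMpEng.exe</SourceImage>
        <SourceImage condition='image'>csrss.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- Event ID 1: groupRelation='and' requires both fields to match, so only
         powershell.exe started with an encoded command produces an event. -->
    <RuleGroup name='encoded powershell' groupRelation='and'>
      <ProcessCreate onmatch='include'>
        <Image name='encoded powershell' condition='image'>powershell.exe</Image>
        <CommandLine name='encoded powershell' condition='contains any'>-enc;-ec</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 22: log all DNS queries except internal and vendor suffixes.
         Two rules on the same field are ORed. -->
    <RuleGroup name='dns' groupRelation='or'>
      <DnsQuery onmatch='exclude'>
        <QueryName condition='end with'>.corp.example</QueryName>
        <QueryName condition='end with'>.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
    <!-- Event ID 3: keep only connections that leave private address space
         (172.16.0.0/12 is left out for brevity). -->
    <RuleGroup name='egress' groupRelation='or'>
      <NetworkConnect onmatch='exclude'>
        <DestinationIp condition='begin with'>10.</DestinationIp>
        <DestinationIp condition='begin with'>192.168.</DestinationIp>
        <DestinationIp condition='is'>127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Because each rule carries a name, events written under this file can be routed on their RuleName field: a collector can send 'lsass opened' and 'encoded powershell' straight to alerting and treat the DNS and egress telemetry as context for investigations rather than as alerts.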
The following example excludes network activity from processes with iexplore.exe in their path:\r\n\u003cNetworkConnect onmatch=\"exclude\"\u003e\r\n  \u003cImage condition=\"contains\"\u003eiexplore.exe\u003c/Image\u003e\r\n\u003c/NetworkConnect\u003e\r\nTo have Sysmon report which rule match resulted in an event being logged, add names to rules:\r\n\u003cNetworkConnect onmatch=\"exclude\"\u003e\r\n  \u003cImage name=\"network iexplore\" condition=\"contains\"\u003eiexplore.exe\u003c/Image\u003e\r\n\u003c/NetworkConnect\u003e\r\nYou can use both include and exclude rules for the same tag, where exclude rules override include rules. Within a rule, filter conditions have OR behavior.\r\nIn the sample configuration shown earlier, the networking filter uses both an include and an exclude rule to capture activity to ports 80 and 443 by all processes except those that have iexplore.exe in their name.\r\nIt is also possible to override the way that rules are combined by using a rule group, which allows the rule combine type for one or more events to be set explicitly to AND or OR.\r\nThe following example demonstrates this usage. 
In the first rule group, a process create event will be generated only when timeout.exe is executed with a command line argument of 100, while in the second a process terminate event will be generated for the termination of either ping.exe or timeout.exe.\r\n\u003cEventFiltering\u003e\r\n  \u003cRuleGroup name=\"group 1\" groupRelation=\"and\"\u003e\r\n    \u003cProcessCreate onmatch=\"include\"\u003e\r\n      \u003cImage condition=\"contains\"\u003etimeout.exe\u003c/Image\u003e\r\n      \u003cCommandLine condition=\"contains\"\u003e100\u003c/CommandLine\u003e\r\n    \u003c/ProcessCreate\u003e\r\n  \u003c/RuleGroup\u003e\r\n  \u003cRuleGroup groupRelation=\"or\"\u003e\r\n    \u003cProcessTerminate onmatch=\"include\"\u003e\r\n      \u003cImage condition=\"contains\"\u003etimeout.exe\u003c/Image\u003e\r\n      \u003cImage condition=\"contains\"\u003eping.exe\u003c/Image\u003e\r\n    \u003c/ProcessTerminate\u003e\r\n  \u003c/RuleGroup\u003e\r\n\u003c/EventFiltering\u003e\nRuns on:\nClient: Windows 10 and higher.\nServer: Windows Server 2016 and higher.\nSource: https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread"
	],
	"report_names": [
		"sysmon#event-id-9-rawaccessread"
	],
	"threat_actors": [],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/713e6e9f985b3ec9f13d358eea88c5cacdf5fc11.pdf",
		"text": "https://archive.orkl.eu/713e6e9f985b3ec9f13d358eea88c5cacdf5fc11.txt",
		"img": "https://archive.orkl.eu/713e6e9f985b3ec9f13d358eea88c5cacdf5fc11.jpg"
	}
}