In Windows, a great deal goes on beneath the surface. As soon as it starts up, the operating system launches several applications, initializes drivers, and checks for new software updates. Many of the programs that Windows loads automatically then run as processes in memory, invisibly in the background.
The Task Manager, accessible by right-clicking the taskbar and selecting Task Manager, displays a long list under Processes. However, this is by no means complete; for example, it does not include:
For a complete list of running processes, you will therefore need to use other tools. Early in 2026, Microsoft integrated System Monitor, or Sysmon for short, into the operating system via an update.
Previously, it was available from Microsoft as a standalone download and as part of the Sysinternals suite. Once installed, the program runs invisibly as a service in the background and logs its messages in the Windows Event Log.
To install Sysmon, type system into the search box on the taskbar and click on the Control Panel result. In the icon view, click on Programs > Programs and Features — or in the category view, click on Uninstall a program — and in the window that opens, go to Turn Windows features on or off on the left-hand side.
Scroll down, tick the box next to Sysmon and confirm by clicking OK. Windows will now copy the Sysmon files to your computer. Then click Close and restart your PC.
In a second step, Sysmon is now set up and activated. To do this, type cmd into the search box on the taskbar. The Start menu opens with the entry Command Prompt; on the right-hand side of the window, click Run as administrator and confirm the security prompt.
By default, the Command Prompt displays the folder C:\Windows\System32. The file sysmon.exe is also located in this folder. You can therefore simply enter the command sysmon.exe -i and press the Enter key.
Several system messages will then appear. At the very bottom, you will see Sysmon started. This completes the installation; Sysmon is now running as a service in the background. You can uninstall the tool later using the command sysmon.exe -u.
You can check the installation by typing services into the search box on the taskbar, scrolling down the list and double-clicking the new entry Sysmon. The Startup type should be set to Automatic, and Running should be displayed next to Service status.
Sysmon does not have its own user interface. Instead, the service sends logged events — such as the start and end of programs, as well as notifications about drivers being loaded — to the Event Viewer.
You can open this tool by typing event into the search box on the taskbar and clicking on the Event Viewer result.
In the Event Viewer window, click on the small arrow to the left of Applications and Services Logs. It may take a moment for the subfolders to appear. Follow the path Microsoft > Windows > Sysmon > Operational. In the middle pane, you will now see the events that Sysmon has logged.
Please don't be alarmed if there are quickly several thousand entries there. This is normal and no cause for concern: with its default settings, Sysmon records every process start and stop and every driver load on your computer, and a browser alone starts helper processes constantly.
Double-click on some of the entries to open them. You will quickly see that most of them are uninteresting. You can identify which application triggered the event by the path next to Image.
Sysmon stores the logged events in a separate file. You can find this in the folder C:\Windows\System32\winevt\Logs under the name Microsoft-Windows-Sysmon%4Operational.evtx.
By default, the Sysmon log is limited to a size of 65,536 KB, which corresponds to 64 MB. Once this limit is reached, the oldest events are overwritten. This can happen after just a few days.
It is therefore advisable to increase the maximum log size, for example to 256 MB. To do this, right-click on the Operational folder in Event Viewer and select Properties. In the Log Properties window, enter the new size in KB in the Maximum log size field; 256 MB corresponds to 262,144 KB.
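The same checks and the size change can be scripted. The following is an added example, not part of the PCWorld article: it verifies the service state described above, reports the current limit and retention mode of the Sysmon log, and raises the limit when it is below a chosen minimum (the 256 MB target is an assumption; adjust it to your disk space). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): check the Sysmon service and the size
# limit of its event log, raising the limit when it is below a chosen minimum.
# Requires an elevated PowerShell prompt.
$LogName   = 'Microsoft-Windows-Sysmon/Operational'
$MinimumMB = 256                                   # assumed target; adjust to taste

# 1. Service state: Status should be Running and StartType Automatic.
$svc = Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'Sysmon service not found - run sysmon.exe -i first.' }
'{0}: Status={1} StartType={2}' -f $svc.Name, $svc.Status, $svc.StartType

# 2. Current log settings: record count, size on disk, limit and retention mode.
#    LogMode Circular means the oldest events are overwritten at the limit.
$log = Get-WinEvent -ListLog $LogName
'{0}: {1} records, {2:N0} KB used of {3:N0} KB, mode {4}' -f $log.LogName,
    $log.RecordCount, ($log.FileSize / 1KB), ($log.MaximumSizeInBytes / 1KB), $log.LogMode

# 3. Raise the limit if needed. EventLogConfiguration.SaveChanges() writes the
#    new value to the log's registry settings, just as the Properties dialog does.
if ($log.MaximumSizeInBytes -lt $MinimumMB * 1MB) {
    $log.MaximumSizeInBytes = $MinimumMB * 1MB
    $log.SaveChanges()
    "Raised maximum size of $LogName to $MinimumMB MB"
} else {
    "Maximum size already at or above $MinimumMB MB, nothing changed"
}
```

The same change from a Command Prompt is wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:268435456, where the value is the new limit in bytes.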
If you select an event in the list at the top of the middle pane, its details appear in the General tab below it. The third line, UtcTime, shows the date and time at which the event occurred, in UTC rather than your local time zone.
In the Image line, you will see the full path including the file name, and below that the file version. The following four entries contain the description, the product name, the manufacturer and the original file name; for process starts, the CommandLine line after them shows the exact command with which the program was launched.
Sysmon is a powerful tool for tracking down malware that has embedded itself in the system and becomes active again at every start. To analyze the data, scroll through the event list using the arrow keys, paying close attention to any events triggered by unknown or suspicious-looking applications. Also take a close look at every driver load, in particular drivers that are unsigned or not signed by Microsoft.
You will quickly realize that searching for suspicious events by hand is a tedious task. Most event messages originate from harmless applications such as your browser or Microsoft Edge WebView2.
WebView2 is used to display web content in Windows programs such as Teams or Outlook. To filter such irrelevant events out of the list, you can load a configuration file in XML format into Sysmon.
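Instead of scrolling through thousands of entries, you can let PowerShell do the first pass. The following is an added example, not part of the article: it reads the last day of process-start (Event ID 1) and driver-load (Event ID 6) events, flattens the fields described above, lists process images from least to most frequent with the noisy browser and WebView2 processes removed, and lists driver loads whose signature does not name Microsoft. The one-day window and the list of noisy image names are assumptions; extend both to fit your machine. Reading the Operational log requires an elevated prompt.

```powershell
# Added example (not from the article): summarize Sysmon process-creation (ID 1)
# and driver-load (ID 6) events so that rare or non-Microsoft images stand out.
# Requires an elevated PowerShell prompt.
$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddDays(-1)          # assumed window; widen as needed

# Well-known noisy images to drop from the overview (assumed list; extend it).
$Noise = @('msedgewebview2.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe',
           'svchost.exe', 'conhost.exe', 'RuntimeBroker.exe', 'backgroundTaskHost.exe')

# Turn one event record into a flat object with the fields the article describes.
function ConvertFrom-SysmonEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id        = $Record.Id
            UtcTime   = $d['UtcTime']                  # UTC, not local time
            Image     = if ($Record.Id -eq 6) { $d['ImageLoaded'] } else { $d['Image'] }
            Company   = $d['Company']
            Signed    = $d['Signed']                   # ID 6 only
            SigStatus = $d['SignatureStatus']          # ID 6 only
            Signature = $d['Signature']                # ID 6 only
            Hashes    = $d['Hashes']                   # e.g. SHA1=... with default settings
        }
    }
}

$events = Get-WinEvent -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = $LogName; Id = 1, 6; StartTime = $Since } |
          ConvertFrom-SysmonEvent

# Process starts: count per image, hide the noise, least frequent first.
Write-Host "`n== Process starts since $Since (rare images first) =="
$events | Where-Object { $_.Id -eq 1 -and
                         $Noise -notcontains [IO.Path]::GetFileName($_.Image) } |
    Group-Object Image | Sort-Object Count |
    Select-Object Count, Name,
                  @{ n = 'Company'; e = { $_.Group[0].Company } },
                  @{ n = 'Hashes';  e = { $_.Group[0].Hashes } } |
    Format-Table -AutoSize -Wrap

# Driver loads: anything unsigned or not signed by Microsoft deserves a look.
Write-Host "`n== Driver loads not signed by Microsoft =="
$events | Where-Object { $_.Id -eq 6 -and $_.Signature -notmatch 'Microsoft|Windows' } |
    Select-Object UtcTime, Image, Signed, SigStatus, Signature |
    Format-Table -AutoSize -Wrap
```

Images that appear only once or twice, come from an unfamiliar Company, or sit in a user-writable folder such as AppData or Temp are the ones worth opening in Event Viewer. The Hashes column is printed so that a file can later be looked up by hash rather than uploaded anywhere.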
Building such a file from scratch is not easy. Microsoft has therefore published a simple basic version of such a configuration file on its website. It logs driver loads only when the signature does not contain Microsoft or Windows, so the many drivers that ship with Windows disappear from the list.
It also suppresses all process-termination events, and it logs network connections, which Sysmon does not record at all by default, only when the destination port is 80 or 443. The classic web protocols HTTP and HTTPS run over these ports.
To download the configuration file, open the Sysmon page in the Sysinternals documentation, scroll down to the Configuration files section and click the Copy button on the right.
Paste the text into the Windows Notepad, go to File > Save As, set the file type to All Files (*.*), change the file extension from .txt to .xml, and save the file under a name of your choice, such as config_sysmon.xml, in any folder.
The Microsoft employee who created this file is Moti Bani. He has also published an extended version on GitHub with the filename config-v17.xml.
Click on the file name on the website and, in the window that opens, click the download icon in the toolbar with the tooltip Download raw file. The file will then be saved to your Downloads folder.
Moti Bani regards both files as templates that users can customize according to their own ideas and needs. Guidance on this, including the list of available event types and filter conditions, is available on the Sysmon download page mentioned above.
To load an XML configuration file into the installed Sysmon, you will again need the Command Prompt with administrator rights. Type the command sysmon.exe -c [path to XML file] there; the -i switch used earlier is only for the initial installation, whereas -c updates the configuration of the running service without a restart. For example, if the file is called config_sysmon.xml and is located in the C:\Temp folder, the command is sysmon.exe -c C:\Temp\config_sysmon.xml.
If you want to switch to a different configuration file, such as config-v17.xml, enter sysmon.exe -c C:\Temp\config-v17.xml, provided, of course, that this file is also located in the C:\Temp folder. Entering sysmon.exe -c on its own displays the configuration that is currently active. If you wish to reset Sysmon to its default state and discard the loaded configuration, use the command sysmon.exe -c -- (with two hyphens).
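The following is an added example, not the article's file and not Microsoft's sample: it writes a small configuration that reproduces the filters described above (driver loads signed by Microsoft or Windows dropped, process terminations dropped, network connections logged only for ports 80 and 443) and adds one exclusion for the WebView2 processes the article names, then loads it with -c and prints the active configuration. The file path, the WebView2 exclusion and the schema version are assumptions; check the version against the output of sysmon.exe -s before using it. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or from Microsoft's sample): write a
# Sysmon configuration and load it into the already-installed service.
# Requires an elevated PowerShell prompt.
$ConfigPath = 'C:\Temp\config_sysmon.xml'   # assumed location

# schemaversion must match the schema of the installed Sysmon (see: sysmon.exe -s).
$Config = @'
<Sysmon schemaversion="4.90">
  <!-- Record several hashes per image so a file can be looked up by hash later -->
  <HashAlgorithms>md5,sha256,imphash</HashAlgorithms>
  <EventFiltering>
    <!-- Process starts: log everything except the WebView2 helper processes -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">msedgewebview2.exe</Image>
    </ProcessCreate>
    <!-- Process terminations: an empty include list means none are logged -->
    <ProcessTerminate onmatch="include" />
    <!-- Driver loads: drop drivers whose signature names Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">Microsoft</Signature>
      <Signature condition="contains">Windows</Signature>
    </DriverLoad>
    <!-- Network connections (off by default): log only HTTP and HTTPS destinations -->
    <NetworkConnect onmatch="include">
      <DestinationPort>80</DestinationPort>
      <DestinationPort>443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@

New-Item -ItemType Directory -Path (Split-Path $ConfigPath) -Force | Out-Null
[IO.File]::WriteAllText($ConfigPath, $Config)   # UTF-8 without BOM

$Sysmon = Join-Path $env:SystemRoot 'System32\sysmon.exe'

# -c updates the configuration of the running service; -i is only for installing.
& $Sysmon -c $ConfigPath

# Without a file argument, -c dumps the configuration that is now active.
& $Sysmon -c
```

Rules inside an exclude block are ORed: a driver whose signature contains either word is dropped. Everything not matched by an exclude block is still logged, so the process-start list stays complete apart from the WebView2 helpers.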
If a running process or loaded driver seems suspicious, your first step should be to launch your antivirus tool and run a full scan, even if this takes several hours.
In addition, you can check the file on VirusTotal. The Hashes line of the Sysmon event gives you the file's hash, which you can search for on VirusTotal without uploading the file itself; upload the file only if no result exists, since uploaded files are shared with VirusTotal's antivirus partners.
Of course, you can also use Sysmon to take some of the load off your computer. Go through the logged programs and consider which of those that start automatically you can do without.
Then navigate to the specified path and, as a precaution, rename the file for the time being rather than deleting it. Do this only for third-party programs, not for files in the Windows folder, since renaming a system component can stop Windows from starting. Restart your computer and see what happens. If no issues arise, you can uninstall the program permanently.
Author: Roland Freist
Source: PCWorld
Reviewed By: Editorial Team