New Windows update adds Sysmon to Windows

Microsoft released an optional cumulative update for Windows 11, and for once it includes something many of you might actually like: it adds Sysmon from Sysinternals to Windows as an in-box component, so you no longer have to download and install it yourself. Here’s a refresher on what, exactly, Sysmon does.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. The service runs as a protected process, thus disallowing a wide range of user mode interactions.

↫ Mark Russinovich and Thomas Garnier

After installing the optional cumulative update in question, KB5077241, you can install Sysmon as an optional Windows component. Of course, this is Microsoft we’re talking about, so it’s not quite as straightforward as you’d think. In Windows 11 there are two places to add optional Windows features, and in the case of Sysmon you have to use the old Windows Features dialog (Turn Windows features on or off) instead of the new View or edit optional features page in Settings. And don’t forget to first remove the old Sysmon from Sysinternals in case you have it installed, since the two would otherwise fight over the same service and driver. After installation, run sysmon -i as an administrator to enable the feature; as with the standalone version, you can pass a configuration file (sysmon -accepteula -i config.xml) instead of accepting the default configuration, and most people deploying Sysmon for detection will want a tuned config rather than the defaults.
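The whole procedure, written out as an added example for an elevated PowerShell prompt (this is not code from the article or from Microsoft). It uninstalls any standalone Sysinternals Sysmon, locates and enables the in-box optional feature, installs Sysmon with a minimal configuration, and checks that events are arriving. Assumptions, since the article does not give them: the optional feature's name is discovered by pattern rather than hard-coded, sysmon.exe is assumed to be on PATH once the feature is enabled, and the config path and schemaversion are placeholders you should check against what your binary reports with sysmon -s.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the in-box Sysmon on Windows 11 with KB5077241 applied.
# Names marked ASSUMPTION are not from the article and may need adjusting.

# 1. Remove a previously installed Sysinternals Sysmon, if any.
#    The standalone installer copies its binary into %SystemRoot% under the
#    same name as the service (Sysmon.exe or Sysmon64.exe).
foreach ($svc in @('Sysmon64', 'Sysmon')) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Write-Host "Uninstalling standalone $svc ..."
        & "$env:SystemRoot\$svc.exe" -u force
    }
}

# 2. Find and enable the optional feature. ASSUMPTION: its FeatureName
#    contains 'Sysmon'; we look it up instead of guessing the exact string.
$feature = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like '*Sysmon*' } |
    Select-Object -First 1
if (-not $feature) {
    throw 'No Sysmon optional feature found. Is KB5077241 installed?'
}
if ($feature.State -ne 'Enabled') {
    Write-Host "Enabling $($feature.FeatureName) ..."
    Enable-WindowsOptionalFeature -Online -FeatureName $feature.FeatureName -NoRestart | Out-Null
}

# 3. Minimal configuration: an empty exclude list logs every event of that
#    type. ASSUMPTION: schemaversion 4.30; run `sysmon -s` to see the schema
#    version your binary supports and lower this if it is rejected.
$configPath = "$env:ProgramData\sysmon-config.xml"   # ASSUMPTION: any path works
@'
<Sysmon schemaversion="4.30">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: process creation -->
    <ProcessCreate onmatch="exclude" />
    <!-- Event ID 3: network connections -->
    <NetworkConnect onmatch="exclude" />
    <!-- Event ID 2: file creation time changed (timestomping) -->
    <FileCreateTime onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# 4. Install the service and driver with that configuration.
#    ASSUMPTION: sysmon.exe resolves on PATH once the feature is enabled.
& sysmon.exe -accepteula -i $configPath

# 5. Generate one process-creation event and confirm it was logged.
& cmd.exe /c exit 0
Start-Sleep -Seconds 2
$log = 'Microsoft-Windows-Sysmon/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{ n = 'Image'; e = { ($_.Message -split '\r?\n' |
            Where-Object { $_ -like 'Image:*' }) -replace '^Image:\s*', '' } }

# Summary of what has been collected so far, by event ID.
Get-WinEvent -LogName $log -MaxEvents 200 |
    Group-Object Id | Select-Object Name, Count | Sort-Object { [int]$_.Name }
```

To change the filtering later without reinstalling, run sysmon -c config.xml; to see the configuration currently loaded, run sysmon -c with no argument. The log-everything configuration above is fine for confirming the install, but on a busy host NetworkConnect in particular will be noisy, so replace it with a curated rule set before shipping events to a SIEM.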
