Next year, you will be able to gain instant threat visibility and streamline security operations with System Monitor (Sysmon) functionality natively available in Windows!
Part of Sysinternals, Sysmon has long been the go-to tool for IT admins, security professionals, and threat hunters seeking deep visibility into Windows systems. It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations. Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks.
But deploying and maintaining Sysmon across a digital estate has been a manual, time-consuming task. You had to download binaries and apply updates consistently across thousands of endpoints. Operational overheads introduce risk when updates lag. And a lack of official customer support for Sysmon in production environments poses added risk and additional maintenance overhead for your organization.
Not anymore!
Sysmon functionality available in Windows: Why it matters
Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows. Sysmon functionality allows you to use custom configuration files to filter captured events. These events are written to the Windows event log, enabling a wide range of use cases including by security applications.
What operational pain points does it solve for you?
- Instant threat visibility
- Same rich functionality, including support for custom configuration files
- No separate download or manual deployment
- Automated compliance as updates flow through Windows Update
- Reduced operational risk
- Customer service support
Here’s how Sysmon functionality available in Windows aligns with Microsoft Secure Future Initiative (SFI) pillars:
- Helps reduce complexity and eliminate gaps caused by manual deployments (Secure by design).
- Helps make advanced security diagnostic data available out-of-the-box (Secure operations).
Key capabilities and how to use them
Sysmon functionality in Windows with its configurable and filterable events is easy to activate and provides rich, customizable detection signals through your familiar tools. Sysmon remains up to date with all the necessary fixes and new features thanks to monthly Windows updates.
Activate Sysmon functionality in Windows
Next year, you can enable the Sysmon functionality in Windows by using the Turn Windows features on or off capability.
Then install it with a single command via the Command Prompt (cmd.exe):
sysmon -i
This command installs the driver and starts the Sysmon service immediately with the default configuration. Comprehensive documentation will be available at general availability.
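As an added example that is not part of the original post, the PowerShell below writes a custom Sysmon configuration restricted to the event types this post discusses and applies it to an installed Sysmon. It assumes schema version 4.90 (Sysmon 15.x), that sysmon.exe is on the PATH once the feature is enabled, an elevated session, and a file path chosen here for illustration.

```powershell
# Added example, not from the original post: a custom Sysmon configuration that keeps
# only the event types discussed in this post, written to disk and applied.
# Assumptions: schemaversion 4.90 (Sysmon 15.x), sysmon.exe on PATH after the feature
# is enabled, an elevated session, and a file path chosen here for illustration.
$configPath = Join-Path $env:ProgramData 'sysmon-config.xml'

$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (process creation): log only PowerShell launches carrying the flags this post names -->
    <ProcessCreate onmatch="include">
      <CommandLine condition="contains any">-nop;-w hidden</CommandLine>
    </ProcessCreate>
    <!-- Event ID 3 (network connection): log outbound connections made by scripting hosts -->
    <NetworkConnect onmatch="include">
      <Image condition="image">powershell.exe</Image>
      <Image condition="image">wscript.exe</Image>
    </NetworkConnect>
    <!-- Event ID 8 (process access): log handles opened to LSASS memory -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
    </ProcessAccess>
    <!-- Event ID 11 (file creation): log .ps1 files dropped anywhere under C:\Users\Public -->
    <FileCreate onmatch="include">
      <Rule groupRelation="and">
        <TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
        <TargetFilename condition="end with">.ps1</TargetFilename>
      </Rule>
    </FileCreate>
    <!-- Event ID 25 (process tampering) and IDs 20/21 (WMI): an empty exclude list logs everything -->
    <ProcessTampering onmatch="exclude" />
    <WmiEvent onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $config -Encoding UTF8
# Update a running Sysmon in place; 'sysmon -i $configPath' would install with this file instead.
sysmon -accepteula -c $configPath
```

Include-only rules like these keep volume low but log nothing outside the listed patterns, so start from one of the community templates linked later in this post if broad coverage is the goal.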
Detect threats through rich signals
Sysmon functionality in Windows delivers rich, built-in detection signals that power advanced threat detection and forensic analysis. Instead of requiring additional software deployment, get these signals from any of the following:
- Windows event logs in Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
- Applications such as SIEMs
Whatever channel you use, here are examples of Sysmon detection events you can audit:
- Event ID 1 – Process creation: detects suspicious command-line activity (e.g., powershell -nop -w hidden) often used in fileless attacks.
- Event ID 3 – Network connection: flags unexpected outbound connections (e.g., 185.199.x.x:443) that could indicate Command and Control (C2) traffic.
- Event ID 8 – Process access: exposes credential dumping attempts (e.g., Local Security Authority Subsystem Service (LSASS) memory access by comsvcs.dll).
- Event ID 11 – File creation: detects creation of suspicious scripts in temp directories (e.g., C:\Users\Public\temp\update.ps1).
- Event ID 25 – Process tampering: identifies process hollowing and herpaderping techniques used to hide malware.
- Event IDs 20 and 21 – WMI events: capture Windows Management Instrumentation (WMI) persistence mechanisms (e.g., WmiEventConsumer activity).
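As an added example that is not part of the original post, the PowerShell below reads the Sysmon Operational channel for the event IDs listed above and flags the patterns this post describes. It assumes an elevated session, that Sysmon is logging to the channel named in the script, and that the browser allow-list used for Event ID 3 is an illustrative choice of mine.

```powershell
# Added example, not from the original post: triage the Sysmon Operational channel for
# the event IDs listed above and flag the patterns this post describes.
# Assumptions: an elevated session; Sysmon is logging to the channel below; the
# browser allow-list for Event ID 3 is my own illustrative choice.
$channel = 'Microsoft-Windows-Sysmon/Operational'

function ConvertFrom-SysmonEvent {
    # Flatten the <EventData><Data Name="..."> pairs of one record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $d = @{ Id = $Record.Id; Time = $Record.TimeCreated }
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    return $d
}

function Get-SysmonFindings {
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = $channel; Id = 1, 3, 8, 11, 20, 21, 25 }
    foreach ($rec in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        $d = ConvertFrom-SysmonEvent $rec
        $reason = switch ($d.Id) {
            1  { if ($d.CommandLine -match '-nop\b|-w(indowstyle)?\s+hidden') { 'Suspicious PowerShell command line' } }
            3  { if ($d.DestinationPort -eq '443' -and $d.Image -notmatch '\\(msedge|chrome|firefox)\.exe$') { 'Outbound 443 from a non-browser process' } }
            8  { if ($d.TargetImage -match '\\lsass\.exe$') { 'LSASS memory access' } }
            11 { if ($d.TargetFilename -match '^C:\\Users\\Public\\.*\.ps1$') { 'Script written to a public directory' } }
            25 { 'Process tampering (hollowing or herpaderping)' }
            { $_ -in 20, 21 } { 'WMI event consumer or filter registered' }
        }
        if (-not $reason) { continue }
        # Event ID 8 reports SourceImage rather than Image; WMI events carry neither.
        $source = if ($d.Image) { $d.Image } else { $d.SourceImage }
        $detail = @($d.CommandLine, $d.TargetImage, $d.TargetFilename, $d.DestinationIp, $d.Name, $d.Consumer) |
                  Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{ Time = $d.Time; EventId = $d.Id; Reason = $reason; Source = $source; Detail = $detail }
    }
}

Get-SysmonFindings | Sort-Object Time -Descending | Format-Table -AutoSize
```

The same field names appear in the forwarded events, so the per-ID conditions carry over directly into SIEM rules.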
For a full list of events and how to configure them, consult Sysmon – Sysinternals.
Get started with Sysmon functionality in Windows
Sysmon functionality will be broadly available in upcoming Windows updates next year. To get started today:
- Explore GitHub community configuration templates: Sysmon configuration file template with default high-quality event tracing and Sysmon configuration repository.
- Visit the Windows Server booth at Microsoft Ignite and try Sysmon functionality in Windows.
- Share feedback at syssite@microsoft.com. Your input shapes the next chapter of threat detection on Windows.
Bringing Sysmon functionality to Windows is just the beginning. We plan to continue investing in additional capabilities such as enterprise-scale management and AI-powered inferencing. Imagine detecting credential theft attempts or lateral movement patterns far faster, powered by granular diagnostic data and AI inference running locally on the device. This is a game-changer for enterprise security — combining rich OS-level signals with edge AI to help reduce dwell time and improve resilience.
Securing the present, innovating for the future
Security is a shared responsibility. Through collaboration across hardware and software ecosystems, we can build more resilient systems that are secure by design and by default, from Windows to the cloud, enabling trust at every layer of the digital experience.
The updated Windows Security book and Windows Server Security book are available to help you understand how to stay secure with Windows. Learn more about Windows 11, Windows Server, and Copilot+ PCs. To learn more about Microsoft Security Solutions, visit our website.