What's Up With Sysmon and the Windows Event Viewer?

  • Published: 4 May 2022
  • SwiftOnSecurity's Sysmon XML Config file: github.com/SwiftOnSecurity/sy...
    Remote desktop tracking article: woshub.com/rdp-connection-logs...
    Forum thread coming soon!
    **********************************
    Check us out online at the following places:
    + Website: level1techs.com/
    + Forums: forum.level1techs.com/
    + Store: store.level1techs.com/
    + Patreon: / level1
    + L1 Twitter: / level1techs
    + L1/PGP Streaming: / teampgp
    + Business Inquiries/Brand Integrations: Queries@level1techs.com
    IMPORTANT Any email lacking “level1techs.com” should be ignored and immediately reported to Queries@level1techs.com.
    -------------------------------------------------------------------------------------------------------------
    Intro and Outro Music By: Kevin MacLeod (incompetech.com)
    Licensed under Creative Commons: By Attribution 3.0 License
    creativecommons.org/licenses/b...
  • Science

Comments • 97

  • @50PullUps
    @50PullUps 2 years ago +57

    As I was learning the basics of IT, discovering tools like Sysmon & PsExec was a "red pill" experience. The Sysinternals book by Russinovich and Margosis has a chapter dedicated to Sysmon that's essential reading for any Windows sysadmin.

    • @TheStevenWhiting
      @TheStevenWhiting 2 years ago +3

      Look back at all Mark's Case of the Unexplained and Aaron's talks. You'll learn a lot from them. I have most of them on my channel as Microsoft lost a lot of them, Mark has some on his. I watch them while working, have them running in background to listen to. Quite a few times I'll hear them talk about something I've not noticed before and will watch the video again. Learn something new every time.

    • @50PullUps
      @50PullUps 2 years ago +1

      @TheStevenWhiting I'm already a subscriber of your channel :)

    • @TheStevenWhiting
      @TheStevenWhiting 2 years ago +1

      @50PullUps Nice :)

  • @pcsecuritychannel
    @pcsecuritychannel 2 years ago +33

    Great video! I might also make a video on this showcasing how you can detect Malware on Event Viewer.

    • @MrLunithy
      @MrLunithy 2 years ago +1

      Also good for working out why something does not work.

  • @TheKazragore
    @TheKazragore 2 years ago +6

    The Event Viewer is also maliciously used by scammers to make people think there are things wrong with their computer to try and get them to pay for a solution. More explanations about how it works being out in the wild, such as this, is a great thing to help educate people!

  • @MrMcPeon
    @MrMcPeon 2 years ago +10

    Ingest that data into a big data system like Splunk, and you basically have a Security Information & Event Management (SIEM) system.
    With these tools you can run automated searches on scale over your whole infrastructure, which then again notifies you if anything malicious is found.
    In a nutshell a security analysts job in a security operations center.

  • @GeoffSeeley
    @GeoffSeeley 2 years ago +15

    As someone who has trolled through the Windows Event log for decades looking for cryptic clues as to what happened, this was awesome! My main PC started randomly hard locking today for no reason so I wonder if this will catch anything...

    • @sirius4k
      @sirius4k 2 years ago +1

      That was Wendell in your PC.

    • @JoriDiculous
      @JoriDiculous 2 years ago +2

      Mine has been doing that for years. Event Viewer only gives the most helpful hint: "The system has rebooted without cleanly shutting down first." The rest of the logs give no clue whatsoever.

    • @webtax
      @webtax 2 years ago

      I blame recent systems. My oc'd sandy would run error free for years, bought alder lake, already had a hard freeze after a month, stock. Ryzen also has issues.

  • @WestOfAsh
    @WestOfAsh 2 years ago

    I love the team at Level1Techs, Wendell is great thoroughly helpful/knowledgeable, Kreestuh is skillful with design and her drawing on iPad reviews are incredible, Ryan with his sarcasm and dry humor gets me every time!
    Thank you everyone for all you do! I am happy to consume your videos anytime.

  • @rjjeffreys
    @rjjeffreys 2 years ago

    Always an excellent learning experience watching your videos! I have battled the EV dragon for decades, and am looking forward to using Sysmon on a deeper level in this approach to debugging the relentless EV error logs.

  • @TubularAnde
    @TubularAnde 2 years ago

    Good video! I've been troubleshooting a memory overclock (most of the problems stemming from a motherboard BIOS with questionable UX), and had to set up a custom view in event viewer to find WHEA errors. I've used other Sysinternals programs before but Sysmon never occurred to me. Thanks for the tip!

  • @ericbouchard3995
    @ericbouchard3995 2 years ago +1

    Thanks for making me check my event logs. I had over 50000 entries about an NVIDIA service that couldn't start.

  • @brutuz_prime
    @brutuz_prime 2 years ago +2

    I was totally fooled into checking my e-mail by the alert sound at 8:49

  • @arnox4554
    @arnox4554 2 years ago +11

    The Event Viewer has been both really useful to me and also really useless sometimes too. Or maybe sometimes an event I'm interested in will show up in the Event Viewer but have almost if not completely useless information about it.
    Linux doesn't have these logging issues whatsoever. If there's a problem anywhere at ALL, it will be in the logs in some form and it will be thorough enough to diagnose issues, but not so thorough as to be filled with overly obtuse technical jargon. (95% of the time anyway.)

  • @SubUrDie
    @SubUrDie 2 years ago +5

    Perfect timing for this video. Been trying to troubleshoot AMD driver issues with amdwddmg warnings and Live Kernel Event 141 errors

    • @christopherjackson2157
      @christopherjackson2157 2 years ago +1

      There's something real weird with the current amd drivers and the way it interacts with the tpm. Hard to tell if it's a bug or a bandaid solution for some other deeper bug lol

    • @jairo8746
      @jairo8746 2 years ago +1

      @christopherjackson2157 Not drivers, but BIOS issues. AMD said that they were going to release a new version that fixes those issues with TPM; I don't know if it is live yet though.

    • @christopherjackson2157
      @christopherjackson2157 2 years ago

      @jairo8746 the AMD website says it'll be live May 22

  •  2 years ago

    It was incredible to experience it up on stage, to take part as a camera operator and to edit this. Very, very grateful. Congratulations to the guys, the staff, our Zelaya team and Farolatino. Historic!

  • @teck_nically_4069
    @teck_nically_4069 2 years ago

    Thanks for this, there's a lot more I can look into with issues at work with this

  • @brayansamboni685
    @brayansamboni685 2 years ago

    A really very clear and accessible review of the bot turned out!!!

  • @classycanadian
    @classycanadian 2 years ago +8

    Please upload more content about diagnosing BSOD with the Event Viewer!

    • @Snail3r
      @Snail3r 2 years ago +2

      Yes please do.

  • @katarjin
    @katarjin 2 years ago +1

    Fitting that I see this video after trying to figure out why Windows failover was borked at work and the Event logs were... less than helpful. (SwiftOnSecurity is a great person to follow for bits of IT knowledge... and memes.)

  • @Nobody-vr5nl
    @Nobody-vr5nl 2 years ago +1

    Event viewer is amazing. When I was working as a POS tech, I used it on A LOT of service calls. Used it for personal use when errors or games crash

  • @darylg3560
    @darylg3560 2 years ago

    You know it's gonna be a good video when ever Mr Russinovich shares it on Twitter! Learnt a lot, thank you!

  • @realdomdom
    @realdomdom 2 years ago

    You can also make a custom trigger event for a service by listening to an event, like process creation for example, to make a service start when a certain program starts.

  • @Fruhmple
    @Fruhmple 2 years ago

    This is very useful, thank you. I'd love to see a video like this on Linux.

  • @conan1231
    @conan1231 6 months ago

    Can someone elaborate how I can send my Windows Events from a Windows 10 Pro machine to my Linux syslog server without a third-party agent? The Windows Event Forwarder only works for sending the logs to another Windows client..

  • @cepi24
    @cepi24 2 years ago +1

    Where is the video about the blue screen mentioned at around the 2nd minute? Thanx

  • @krwhynot
    @krwhynot 2 years ago

    great info!

  • @ChuckNorris-lf6vo
    @ChuckNorris-lf6vo 2 years ago

    Yessss more content like this!!! ❤️

  • @lovemys65amg19
    @lovemys65amg19 2 years ago

    THANK YOU SO MUCH

  • @djvidual8288
    @djvidual8288 2 years ago

    I have some instability currently and the vanilla Windows Event Log doesn't give me the information I need. The Sysmon will come in very handy. Thanks a lot!

  • @aprilmeowmeow
    @aprilmeowmeow 1 year ago

    you're a very good teacher :)

  • @chromefinch
    @chromefinch 2 years ago +1

    This, this is why i come here. Do more stuff like this. Let's set up our log server. What do you recommend for open source logging solutions?

  • @TrevorReimer
    @TrevorReimer 2 years ago

    I know you said don't send event logs to a syslog system but I still would like to try using it with the GrayLog Illuminate Package. Too bad it's an enterprise only feature not in the community edition of GrayLog

  • @leviathanpriim3951
    @leviathanpriim3951 2 years ago

    Thanks Wendell

  • @brianwest7344
    @brianwest7344 2 years ago

    Every time I open something it gives me a code, I look the code up and it's usually a general error code with no description of what can cause it

  • @TheStevenWhiting
    @TheStevenWhiting 2 years ago

    Thanks to Mark Russinovich for linking to this. The best guide for the sysmon config I've found.

  • @alandjhdz
    @alandjhdz 2 years ago

    Thank you sir

  • @-Good4Y0u
    @-Good4Y0u 2 years ago

    this is a great video.

  • @thelegalsystem
    @thelegalsystem 2 years ago +2

    I am very experienced with the Windows Event Log because of the headache that is USB

  • @rexxar7227
    @rexxar7227 2 years ago

    "View Reliability history" is another great tool to keep in your toolbox for windows diagnostics.

  • @treyquattro
    @treyquattro 2 years ago

    Mark is, to reference a famous yet apt quote, a righteous dude.

  • @itsdeonlol
    @itsdeonlol 2 years ago

    I always use the Event Viewer! It saved my PC a lot of times when my system was acting up!!! I recommend everyone use the Event Viewer!!!

  • @TheStevenWhiting
    @TheStevenWhiting 2 years ago +1

    I've read once you've got a config.xml file you're happy with, once loaded you should delete it as anyone that gets on will look for a config file if they see sysmon to see what you're logging.

  • @wskinnyodden
    @wskinnyodden 2 years ago

    Yeap, sysinternals tools are AWESOME!

  • @xerox445
    @xerox445 2 years ago

    The outlook dings get me so screwed up lol

  • @ashgupta326
    @ashgupta326 2 years ago

    This is cool, it worked, thx. Guys, it really works, I checked.

  • @peterjansen4826
    @peterjansen4826 2 years ago

    A video like this for Linux-users would be interesting.

  • @3isr3g3n
    @3isr3g3n 1 year ago

    I'm seriously considering building an altar to Wendell, i've learned so much stuff from him that i use everyday

  • @Simonthadude
    @Simonthadude 2 years ago +1

    Thanks!

  • @taiiat0
    @taiiat0 2 years ago

    yep, the built in Logging is pretty good.

  • @jb34304
    @jb34304 2 years ago +4

    Speaking of GeForce Experience: Would you recommend people use the programs _NvSlimmer_ or _NVCleanstall_ to get rid of the Nvidia bloatware? I personally use Slimmer, as it installs a signed driver. And both do a decent job of explaining what you are removing from the driver pack.

    • @ObscenePizza
      @ObscenePizza 2 years ago +3

      How did you manage to comment 7 days ago on a video that has been posted only 1 hour ago (according to RUclips). I'm confused.
      Back on topic; NVCleanstall also allows you to rebuild the digital signature now, but I'm not sure if the method differs.

    • @fadinrenegade
      @fadinrenegade 2 years ago +2

      @ObscenePizza Patreon supporters get early access to videos.

    • @jb34304
      @jb34304 2 years ago +1

      @ObscenePizza How can I comment on a video that isn't public? It's the power of omnipresence 😇 . No, I'm just joking, I am a Patreon member, and one of the benefits is seeing some of their content posted early.
      Thanks for responding to my question. I really appreciate it. Never spoken to someone who wasn't from the U.S. on here. It'd be nice to hear from Wendell about this one, as I feel it's something worth investigating thoroughly. The rest is more or less a rant you don't have to read...
      The example I speak of is removing specific aspects of the driver package, and if it's more of a hindrance than a benefit. Will tearing apart the drivers cause our computers to operate suboptimally/introduce instability while using 3D applications? A lot of streamers have traded in OBS for Geforce Experience, and I don't understand why. Even my Maxwell series Titan X (7 years old now) supports the newest NvEn Hardware encoding to either 2K @ 60 FPS , or 4K @ 30 fps without significant impacts to performance. When GeForce Experience was bundled with the display driver, and initially there wasn't a choice to install _the display driver only._ I swore off any drivers that contained it/telemetry. Finding those programs was a godsend imho.

  • @hockeylad2727
    @hockeylad2727 2 years ago

    I mean Wendell that's why you run a RD Gateway and log everything with a Directory system ;)

  • @viruslab1
    @viruslab1 2 years ago

    Very handy tool, thank you for good info!

  • @papijelly
    @papijelly 11 months ago

    Me watching this video today is IRONIC. For the first time in over 10 years of being in the field I plugged in an USB thumbdrive and it blue screened my desktop. haha

  • @ObscenePizza
    @ObscenePizza 2 years ago

    Wish there was a decent integration with Home Assistant.

  • @SwedishDeathLlama
    @SwedishDeathLlama 2 years ago

    Proceed with caution, the sysmon driver often failed to load/unload properly causing windows to hang at shutdown and startup unpredictably in our environment.

  • @kennethhicks2113
    @kennethhicks2113 2 years ago

    Yea, EV is and has been a great tool. You can organize it and it's easy to find issues quick (mostly... Win lol)

  • @nathantron
    @nathantron 2 years ago +1

    oddly convenient... I've been having serious issues with Windows 10 becoming completely unfunctional when network drives are not available to it... Somehow the entire OS becomes unstable as fuck. Copy paste is broken, search is broken, rendering of the explorer window is glitchy and corrupt.. more than 400 instances of services. it's insane.... When you reboot and the computer has access to those drives again, it's all fine and dandy again..

  • @superslammer
    @superslammer 2 years ago

    This absolutely needs a gui :)

  • @WaRn00b85
    @WaRn00b85 3 months ago

    CORRECTION: Sysmon isn't "From MS", and is a SysInternals tool, AND ISN'T OFFICIALLY supported by MS - If you have an issue on an enterprise server, and they find it's Sysmon related, they will close the support case as Sysmon isn't supported.

  • @doxydoxdelamanca9902
    @doxydoxdelamanca9902 2 years ago

    emphasis on "if you can reAD! and have a pulse!"

  • @dawbra
    @dawbra 2 years ago

    I have a "lovely" mouse that blue screens my system when I plug it in; I need to plug it in on a first boot while in the BIOS to make it safe, and it works after a POST xD

  • @finelliott2440
    @finelliott2440 2 years ago +1

    Event Viewer is a headache IMO

  • @dwytcodm6767
    @dwytcodm6767 2 years ago

    There's so many of them that only use walls.. they think if they still

  • @TheStevenWhiting
    @TheStevenWhiting 2 years ago

    You wanna do sysmon64 -accepteula if doing this remotely so the EULA is accepted. Stupid lawyers.
    I do sysmon64.exe -accepteula -i nameofconfig.xml
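    As an added example (not from the video or from the comment above), this PowerShell snippet wraps the same two-switch install into a function, then checks the Sysmon operational log to confirm the config loaded and process-creation events are flowing. It assumes sysmon64.exe and the config XML sit in the current directory, that the shell is elevated, and that the config-file name is a placeholder you replace; Event IDs 1 (process create) and 16 (config state changed) and the `Microsoft-Windows-Sysmon/Operational` log name are Sysmon's documented values.

    ```powershell
    # Added example: install Sysmon non-interactively and verify it is logging.
    # Assumptions: elevated prompt, sysmon64.exe and the config XML in the current
    # directory, 'nameofconfig.xml' is a placeholder for your own config file.

    function Install-SysmonWithConfig {
        param(
            [string]$ConfigPath = '.\nameofconfig.xml'   # placeholder config path
        )
        if (-not (Test-Path $ConfigPath)) {
            throw "Config file not found: $ConfigPath"
        }
        # -accepteula avoids the EULA dialog (needed for remote/unattended runs),
        # -i installs the driver + service with the given config.
        & .\sysmon64.exe -accepteula -i $ConfigPath
        if ($LASTEXITCODE -ne 0) {
            throw "sysmon64.exe exited with code $LASTEXITCODE"
        }
    }

    function Test-SysmonLogging {
        $log = 'Microsoft-Windows-Sysmon/Operational'

        # Event ID 16 is written whenever Sysmon's configuration state changes,
        # so the newest one tells you the config from the install above took effect.
        $cfgEvent = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 16 } -MaxEvents 1 -ErrorAction SilentlyContinue
        if (-not $cfgEvent) {
            Write-Warning "No Sysmon config-change event yet; is the service running?"
            return $false
        }
        Write-Host "Config state changed at $($cfgEvent.TimeCreated)"

        # Event ID 1 is process creation. Pull a handful and extract the Image field
        # from the EventData XML so you can see which binaries are being recorded.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 5 -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = ([xml]$_.ToXml()).Event.EventData.Data
                [pscustomobject]@{
                    Time  = $_.TimeCreated
                    Image = ($data | Where-Object Name -eq 'Image').'#text'
                    User  = ($data | Where-Object Name -eq 'User').'#text'
                }
            } | Format-Table -AutoSize
        return $true
    }

    Install-SysmonWithConfig
    Test-SysmonLogging

    # Later changes do not need a reinstall: 'sysmon64.exe -c nameofconfig.xml' swaps
    # the running config, and 'sysmon64.exe -c' with no file prints the active one,
    # which is also how you check what is really being logged if the XML file is gone.
    ```

    The `-c` with no argument is worth remembering alongside the advice elsewhere in this thread to delete the config file after loading: the running configuration is what matters, and it can always be dumped from the service itself.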

  • @btschaegg
    @btschaegg 2 years ago +5

    Wait, what? The EventViewer is *overwhelming* ? Did I switch dimensions or something?
    The Tool (not the content) is massively *underwhelming* to me. Seriously, that thing was badly designed even for the 90s. Also: How the hell can this thing still look like it's from Win95 *and* still take like 20 seconds to show useful content after the first start on modern hardware that's literally *orders of magnitude* faster?
    Edit: I have to agree with the description of Sysmon, though. I'm pretty sure "that should just be shipped with Windows" is basically the SysInternals tagline. Literally every one of Russinovich's tools is drastically better than the built-in alternatives.

    • @TheStevenWhiting
      @TheStevenWhiting 2 years ago

      The last bit about shipping with Windows: yes, but if it was shipped with Windows it wouldn't be allowed to be updated as frequently as it is, so it's better that all the tools are never shipped with Windows.

  • @C_C-
    @C_C- 2 years ago +1

    sysinternals stuff was all borderline rootkit, horrible security risks in enterprise, procmon has some unique uses

    • @alexbold4611
      @alexbold4611 2 years ago

      Everything you run in Windows as administrator is essentially a rootkit, but who cares… Do you know someone who creates users without admin rights and types the admin password every time? I don't

    • @ShEmDK
      @ShEmDK 2 years ago

      @alexbold4611 Now you do... 😋

  • @ardas77
    @ardas77 2 years ago

    Oh hai.

  • @ole7736
    @ole7736 2 years ago +1

    Wendell, let me help you with making videos. Please. I sometimes lose my patience a little bit. ;)
    When you start talking about a thing ("Let me introduce you to Sysmon"), PLEASE let the very next sentence be a very concise one about what this thing is. Don't take 5-10 sentences of "suspension" where you let the viewer/listener figure this out on their own. You could even start the whole video with "This video is about Sysmon. Sysmon is a piece of software that lets you customize/filter the Windows event log. To understand this you need to know about the Windows event log. So let me introduce you to this first." Imagine that! Straight forward, simple, easy to understand. :)
    Also please only show b-roll footage if it is illustrating what you are talking about right at that moment! Don't repeat footage while you are talking about something different, just to show something at all. Because then the viewer is busy trying to figure out in what relationship the footage is to what you are talking about, getting confused in the process. Let everything you show be in a clear and direct relationship to what you are talking about right in that moment.
    And if you are talking about digging deeper when trying to figure out which drive is throwing errors, either show the process of figuring this out all the way or don't show it at all. Don't just show it half the way. You are leaving the user mentally busy while you return to the actual topic.

  • @Jagerbomber
    @Jagerbomber 2 years ago

    Event Viewer isn't USUALLY helpful in figuring out WHY specific games (or a specific game) are crashing if it is actually just their own issue, right?... Or something you probably can't solve.

    • @Level1Techs
      @Level1Techs 2 years ago

      Sysmon will help with that though and let you log more useful stuff.

  • @JoriDiculous
    @JoriDiculous 2 years ago +1

    Event viewer is almost useless (in its basic form). Only filled with nonsense and thousands of Distributed COM.
    I had forgotten I installed this config a couple of years ago. Boy has the xml changed :)

    • @Level1Techs
      @Level1Techs 2 years ago +2

      hence, watch the video, and make it less useless with sysmon?

    • @JoriDiculous
      @JoriDiculous 2 years ago

      @Level1Techs It's still a lot to scroll through, but at least it makes a bit more sense. Hope it catches hardware errors better

  • @TechySpeaking
    @TechySpeaking 2 years ago

    first

  • @gabest4
    @gabest4 2 years ago

    Windows has a message center now. They should just dump every event there! Warnings and errors. Probably a simple 3rd party service could do it, too.

  • @ethix_ru
    @ethix_ru 2 years ago

    6:04 6:37 stupid Powershell :D

  • @smoshGaming
    @smoshGaming 2 years ago +1

    Thanks to all the complaining about $400 pans in the news I just got an ad for a $400 pan.

  • @nemesis851_
    @nemesis851_ 2 years ago

    Ding 🛎 Ding 🛎 Windows will restart in 60 seconds (ignoring “pause updates”, unable to permanently full stop updates)