What's Up With Sysmon and the Windows Event Viewer?
- Published: 4 May 2022
- SwiftOnSecurity's Sysmon XML Config file: github.com/SwiftOnSecurity/sy...
Remote desktop tracking article: woshub.com/rdp-connection-logs...
Forum thread coming soon!
**********************************
Check us out online at the following places:
+ Website: level1techs.com/
+ Forums: forum.level1techs.com/
+ Store: store.level1techs.com/
+ Patreon: / level1
+ L1 Twitter: / level1techs
+ L1/PGP Streaming: / teampgp
+ Business Inquiries/Brand Integrations: Queries@level1techs.com
IMPORTANT Any email lacking “level1techs.com” should be ignored and immediately reported to Queries@level1techs.com.
-------------------------------------------------------------------------------------------------------------
Intro and Outro Music By: Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
creativecommons.org/licenses/b...
As I was learning the basics of IT, discovering tools like Sysmon & PsExec was a "red pill" experience. The Sysinternals book by Russinovich and Margosis has a chapter dedicated to Sysmon that's essential reading for any Windows sysadmin.
Look back at all Mark's Case of the Unexplained and Aaron's talks. You'll learn a lot from them. I have most of them on my channel as Microsoft lost a lot of them, Mark has some on his. I watch them while working, have them running in background to listen to. Quite a few times I'll hear them talk about something I've not noticed before and will watch the video again. Learn something new every time.
@TheStevenWhiting I'm already a subscriber of your channel :)
@50PullUps Nice :)
Great video! I might also make a video on this showcasing how you can detect Malware on Event Viewer.
Also good for working out why something does not work.
The Event Viewer is also maliciously used by scammers to make people think there are things wrong with their computer to try and get them to pay for a solution. More explanations about how it works being out in the wild, such as this, is a great thing to help educate people!
Ingest that data into a big data system like Splunk, and you basically have a Security Information & Event Management (SIEM) system.
With these tools you can run automated searches on scale over your whole infrastructure, which then again notifies you if anything malicious is found.
In a nutshell, a security analyst's job in a security operations center.
As someone who has trawled through the Windows Event log for decades looking for cryptic clues as to what happened, this was awesome! My main PC started randomly hard locking today for no reason so I wonder if this will catch anything...
That was Wendell in your PC.
Mine has been doing that for years. Event Viewer only gives the most helpful hint: "The system has rebooted without cleanly shutting down first." The rest of the logs give no clue whatsoever.
I blame recent systems. My OC'd Sandy would run error-free for years, bought Alder Lake, already had a hard freeze after a month, stock. Ryzen also has issues.
I love the team at Level1Techs, Wendell is great thoroughly helpful/knowledgeable, Kreestuh is skillful with design and her drawing on iPad reviews are incredible, Ryan with his sarcasm and dry humor gets me every time!
Thank you everyone for all you do! I am happy to consume your videos anytime.
Always an excellent learning experience watching your videos! I have battled the EV dragon for decades, and am looking forward to using Sysmon on a deeper level in this approach to debugging the relentless EV error logs.
Good video! I've been troubleshooting a memory overclock (most of the problems stemming from a motherboard BIOS with questionable UX), and had to set up a custom view in event viewer to find WHEA errors. I've used other Sysinternals programs before but Sysmon never occurred to me. Thanks for the tip!
Thanks for making me check my event logs. I had over 50000 entries about an NVIDIA service that couldn't start.
I was totally fooled into checking my e-mail by the alert sound at 8:49
The Event Viewer has been both really useful to me and also really useless sometimes too. Or maybe sometimes an event I'm interested in will show up in the Event Viewer but have almost if not completely useless information about it.
Linux doesn't have these logging issues whatsoever. If there's a problem anywhere at ALL, it will be in the logs in some form and it will be thorough enough to diagnose issues, but not so thorough as to be filled with overly obtuse technical jargon. (95% of the time anyway.)
Perfect timing for this video. Been trying to troubleshoot AMD driver issues with amdwddmg warnings and Live Kernel Event 141 errors
There's something real weird with the current amd drivers and the way it interacts with the tpm. Hard to tell if it's a bug or a bandaid solution for some other deeper bug lol
@christopherjackson2157 Not drivers, but BIOS issues, AMD said that they were going to release a new version that fixes those issues with TPM, I don't know if it is live yet though.
@jairo8746 the AMD website says it'll be live May 22
It was incredible to experience it on stage, to take part as camera operator and to edit this. Very, very grateful. Congratulations to the guys, the staff, our team from Zelaya and to Farolatino. Historic!
Thanks for this, lot more I can look into issues at work with this
The review of the bot turned out really clear and accessible!!!
Please upload more content about diagnosing BSOD with the Event Viewer!
Yes please do.
Fitting that I see this video after trying to figure out why Windows failover was borked at work and the Event logs were... less than helpful. (SwiftOnSecurity is a great person to follow for bits of IT knowledge... and memes.)
Event viewer is amazing. When I was working as a POS tech, I used it on A LOT of service calls. Used it for personal use when errors or games crash
You know it's gonna be a good video whenever Mr Russinovich shares it on Twitter! Learnt a lot, thank you!
You can also make a custom trigger event for a service by listening to an event, like process creation for example, to make a service start when a certain program starts.
This is very useful, thank you. I'd love to see a video like this on Linux.
Can someone elaborate how I can send my Windows Events from a Windows 10 Pro to my Linux syslog server without a third-party agent? The Windows Event Forwarder only works for sending the logs to another Windows client..
Where is the video about the blue screen mentioned at around the 2nd minute? Thanx
great info!
Yessss more content like this!!! ❤️
THANK YOU SO MUCH
I have some instability currently and the vanilla Windows Event Log doesn't give me the information I need. The Sysmon will come in very handy. Thanks a lot!
you're a very good teacher :)
This, this is why I come here. Do more stuff like this. Let's set up our log server. What do you recommend for open source logging solutions?
I know you said don't send event logs to a syslog system but I still would like to try using it with the GrayLog Illuminate Package. Too bad it's an enterprise only feature not in the community edition of GrayLog
Thanks Wendell
Every time I open something it gives me a code, I look the code up and it's usually a general error code with no description of what can cause it
Thanks to Mark Russinovich for linking to this. The best guide for the sysmon config I've found.
Thank you sir
this is a great video.
I am very experienced with the Windows Event Log because of the headache that is USB
"View Reliability history" is another great tool to keep in your toolbox for windows diagnostics.
Mark is, to reference a famous yet apt quote, a righteous dude.
I always use the Event Viewer! It saved my PC a lot of times when my system was acting up!!! I recommend everyone use the Event Viewer!!!
I've read once you've got a config.xml file you're happy with, once loaded you should delete it as anyone that gets on will look for a config file if they see sysmon to see what you're logging.
Yeap, sysinternals tools are AWESOME!
The outlook dings get me so screwed up lol
This is cool, it worked, thx. Guys it really works, I checked.
A video like this for Linux-users would be interesting.
I'm seriously considering building an altar to Wendell, I've learned so much stuff from him that I use every day
Thanks!
SWEDEN
thank you!
yep, the built in Logging is pretty good.
Speaking of GeForce Experience: Would you recommend people use the programs _NvSlimmer_ or _NVCleanstall_ to get rid of the Nvidia bloatware? I personally use Slimmer, as it installs a signed driver. And both do a decent job of explaining what you are removing from the driver pack.
How did you manage to comment 7 days ago on a video that has been posted only 1 hour ago (according to RUclips). I'm confused.
Back on topic; NVCleanstall also allows you to rebuild the digital signature now, but I'm not sure if the method differs.
@ObscenePizza Patreon supporters get early access to videos.
@ObscenePizza How can I comment on a video that isn't public? It's the power of omnipresence 😇. No I'm just joking, I am a Patreon member, and one of the benefits is seeing some of their content posted early.
Thanks for responding to my question. I really appreciate it. Never spoken to someone who wasn't from the U.S. on here. It'd be nice to hear from Wendell about this one, as I feel it's something worth investigating thoroughly. The rest is more or less a rant you don't have to read...
The example I speak of is removing specific aspects of the driver package, and if it's more of a hindrance than a benefit. Will tearing apart the drivers cause our computers to operate suboptimally/introduce instability while using 3D applications? A lot of streamers have traded in OBS for GeForce Experience, and I don't understand why. Even my Maxwell series Titan X (7 years old now) supports the newest NVENC hardware encoding to either 2K @ 60 FPS, or 4K @ 30 FPS without significant impacts to performance. When GeForce Experience was bundled with the display driver, initially there wasn't a choice to install _the display driver only._ I swore off any drivers that contained it/telemetry. Finding those programs was a godsend imho.
I mean Wendell that's why you run a RD Gateway and log everything with a Directory system ;)
Very handy tool, thank you for good info!
Me watching this video today is IRONIC. For the first time in over 10 years of being in the field I plugged in a USB thumb drive and it blue screened my desktop. haha
Wish there was a decent integration with Home Assistant.
Proceed with caution, the sysmon driver often failed to load/unload properly causing windows to hang at shutdown and startup unpredictably in our environment.
Yea, EV is and has been a great tool. You can organize it and it's easy to find issues quick (mostly... Win lol)
oddly convenient... I've been having serious issues with Windows 10 becoming completely non-functional when network drives are not available to it... Somehow the entire OS becomes unstable as fuck. Copy paste is broken, search is broken, rendering of the explorer window is glitchy and corrupt.. more than 400 instances of services. it's insane.... When you reboot and the computer has access to those drives again, it's all fine and dandy again..
This absolutely needs a gui :)
CORRECTION: Sysmon isn't "From MS", and is a SysInternals tool, AND ISN'T OFFICIALLY supported by MS - If you have an issue on an enterprise server, and they find it's Sysmon related, they will close the support case as Sysmon isn't supported.
emphasis on "if you can READ! and have a pulse!"
I have a "lovely" mouse that blue screens my system when I plug it in. I need to plug it in on first boot while in the BIOS to make it safe, and it works after a POST xD
Event Viewer is a headache IMO
There's so many of them that only use walls.. they think if they still
You wanna do sysmon64 -accepteula if doing this remote so the eula is accepted. Stupid lawyers.
I do sysmon64.exe -accepteula -i nameofconfig.xml
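The two comments above give the unattended install command. The following PowerShell is an added example (not from the video, Level1Techs or Sysinternals) that wraps that command, checks that both the Sysmon service and its kernel driver actually came up (the failure mode another commenter reports), and then reads the newest process-creation and network-connection events out of the Sysmon log as objects rather than raw XML in Event Viewer. The binary and config paths are assumptions; point them at your own copy of sysmon64.exe and your config (for example the SwiftOnSecurity one linked in the description), and run from an elevated prompt.

```powershell
# Added example, not part of the video or of Sysinternals. Paths are assumptions.
# Run from an elevated PowerShell prompt.

$SysmonExe  = 'C:\Tools\Sysmon\sysmon64.exe'       # assumed location of the Sysinternals binary
$ConfigPath = 'C:\Tools\Sysmon\sysmonconfig.xml'   # assumed path to your XML config

# -accepteula suppresses the EULA dialog (needed when deploying remotely, as the
# comment above notes). -i installs with the given config; -c updates the config
# on an existing install without reinstalling the driver.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $ConfigPath
} else {
    & $SysmonExe -accepteula -i $ConfigPath
}

# Verify the user-mode service is running ...
Get-Service -Name 'Sysmon64' | Select-Object Name, Status

# ... and that the kernel driver loaded. Get-Service does not list kernel drivers,
# so query Win32_SystemDriver instead. A driver that is not 'Running' is the usual
# reason the Sysmon log stays empty.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'SysmonDrv'" |
    Select-Object Name, State, Started

# Pull the 20 newest process-creation (ID 1) and network-connection (ID 3) events
# and flatten each event's EventData into a row.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1, 3
} -MaxEvents 20 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        User   = $data['User']
        Image  = $data['Image']
        # ID 1 carries the command line; ID 3 carries the destination endpoint.
        Detail = if ($_.Id -eq 1) { $data['CommandLine'] }
                 else { "$($data['DestinationIp']):$($data['DestinationPort'])" }
    }
} | Format-Table -AutoSize
```

Keeping the install and the verification in one script means a host where SysmonDrv never reached the Running state shows up immediately instead of being discovered later as a silent gap in the log.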
Wait, what? The EventViewer is *overwhelming* ? Did I switch dimensions or something?
The Tool (not the content) is massively *underwhelming* to me. Seriously, that thing was badly designed even for the '90s. Also: How the hell can this thing still look like Win95 *and* still take like 20 seconds to show useful content after the first start on modern hardware that's literally *orders of magnitude* faster?
Edit: I have to agree with the description of Sysmon, though. I'm pretty sure "that should just be shipped with Windows" is basically the SysInternals tagline. Literally every one of Russinovich's tools is drastically better than the built-in alternatives.
The last bit about shipping with Windows. Yes, but if it was shipped with Windows it wouldn't be allowed to be updated as frequently as it is, so it's better that all the tools are never shipped with Windows.
sysinternals stuff was all borderline rootkit, horrible security risks in enterprise, procmon has some unique uses
Everything you run in Windows as administrator is essentially a rootkit, but who cares… Do you know someone who creates users without admin rights and types the admin password every time? I don't
@alexbold4611 Now you do... 😋
Oh hai.
Wendell, let me help you with making videos. Please. I sometimes lose my patience a little bit. ;)
When you start talking about a thing ("Let me introduce you to Sysmon"), PLEASE let the very next sentence be a very concise one about what this thing is. Don't take 5-10 sentences of "suspension" where you let the viewer/listener figure this out on their own. You could even start the whole video with "This video is about Sysmon. Sysmon is a piece of software that lets you customize/filter the Windows event log. To understand this you need to know about the Windows event log. So let me introduce you to this first." Imagine that! Straightforward, simple, easy to understand. :)
Also please only show b-roll footage if it is illustrating what you are talking about right at that moment! Don't repeat footage while you are talking about something different, just to show something at all. Because then the viewer is busy trying to figure out in what relationship the footage is to what you are talking about, getting confused in the process. Let everything you show be in a clear and direct relationship to what you are talking about right in that moment.
And if you are talking about digging deeper when trying to figure out which drive is throwing errors, either show the process of figuring this out all the way or don't show it at all. Don't just show it half the way. You are leaving the user mentally busy while you return to the actual topic.
Event Viewer isn't USUALLY helpful in figuring out WHY specific games (or a specific game) are crashing if it is actually just their own issue, right?... Or something you probably can't solve.
Sysmon will help with that though and let you log more useful stuff.
Event Viewer is almost useless (in its basic forms). Only filled with nonsense and thousands of Distributed COM.
I had forgotten I installed this config a couple of years ago. Boy has the XML changed :)
hence, watch the video, and make it less useless with sysmon?
@Level1Techs It's still a lot to scroll through, but at least it makes a bit more sense. Hope it catches hardware errors better
first
Windows has a message center now. They should just dump every event there! Warnings and errors. Probably a simple 3rd party service could do it, too.
6:04 6:37 stupid Powershell :D
Thanks to all the complaining about $400 pans in the news I just got an ad for a $400 pan.
Ding 🛎 Ding 🛎 Windows will restart in 60 seconds (ignoring “pause updates”, unable to permanently full stop updates)