
Microsoft Adds Sysmon To Windows (theregister.com) 31

Microsoft has finally delivered on its promise to integrate Sysmon -- the long-standing system monitoring tool from its Sysinternals suite -- directly into Windows, a move that should make life considerably easier for enterprise administrators who have struggled with deploying and managing the utility across thousands of endpoints.

The functionality landed this week in Windows Insider builds 26300.7733 (Dev channel) and 26220.7752 (Beta channel). Sysmon allows administrators to capture system events through custom configuration files, filter for specific activity, and pipe the data into standard Windows event logs for pickup by security tools and SIEM pipelines. Mark Russinovich, Microsoft technical fellow and Winternals co-founder, has previously noted the lack of official customer support for Sysmon in production environments -- a gap this integration addresses. The feature ships disabled by default and requires PowerShell to enable. Microsoft notes that any existing Sysmon installation must be uninstalled before activating the built-in version.
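As an added example (not code from the article, Microsoft or Sysinternals), the pre-flight steps a defender would script around the summary above: detect a standalone Sysmon service that must be removed first, write a constructed filtering configuration, and read the resulting Event ID 1 records back out of the event log. It assumes the standalone binary name `sysmon64.exe` and the log name `Microsoft-Windows-Sysmon/Operational`, both from the standalone tool; the cmdlet that enables the built-in version is not given in the article and is left as a comment.

```powershell
# Added example, not from the article. Assumptions: standalone binary sysmon64.exe,
# event log "Microsoft-Windows-Sysmon/Operational" (both from the Sysinternals tool).

# 1. Detect a standalone Sysmon install; the article says it must be uninstalled
#    before the built-in version is enabled.
function Get-StandaloneSysmon {
    Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
}
$existing = Get-StandaloneSysmon
if ($existing) {
    Write-Warning "Standalone Sysmon service(s) present: $($existing.Name -join ', ')"
    # Remove with the Sysinternals binary's own uninstall switch, e.g.:
    #   sysmon64.exe -u force
    # Then enable the built-in version with the PowerShell step Microsoft documents
    # for the Insider build (cmdlet not given in the article).
}

# 2. Constructed minimal configuration: only log process creations whose parent
#    is an Office binary, so the event log stays small and SIEM-friendly.
$config = @'
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="office-children" groupRelation="or">
      <ProcessCreate onmatch="include">
        <ParentImage condition="image">winword.exe</ParentImage>
        <ParentImage condition="image">excel.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:TEMP 'sysmon-office.xml'
Set-Content -Path $configPath -Value $config -Encoding UTF8
# Apply to the standalone tool with: sysmon64.exe -c $configPath

# 3. Read Event ID 1 (ProcessCreate) records back as objects an analyst or
#    log forwarder can consume; fields are pulled from the event XML by name.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = ($data | Where-Object Name -eq 'Image').'#text'
            ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}
Get-SysmonProcessCreate | Format-Table -AutoSize
```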
  • Let's face it: Microsoft can no longer be trusted with your data. On a fresh Windows installation, just how long does it take to attempt to de-clap it?
    • Let's face it: Microsoft can no longer be trusted with your data. On a fresh Windows installation, just how long does it take to attempt to de-clap it?

      Let's face it: Microsoft took twenty fucking years to integrate this tool.

      They don't seem to be in a hurry to utilize the damn thing, regardless of how useful the rest of us find it.

      • by gweihir ( 88907 )

        My take is they have a long list of minor and tiny changes they can push as great "innovations" to obscure the fact that they are pushing an ancient obsolete system design with a mediocre, unreliable and insecure implementation on their users.

        • by Targon ( 17348 )

          You ignore that Apple is so locked into its own designs that they are afraid to make any changes. User interface, software compatibility, and in general, users wanting to feel comfortable using a new device makes it where it will take over 20 years before it is safe to remove old and obsolete stuff.

          • by gweihir ( 88907 )

            You do not know what OS-X is based on, right? Well, you probably do not know.

            Despite your inept attempt to deviate attention away from my statement, I am not ignoring anything. Windows is a crumbling mess and cannot be fixed anymore.

            • Dude, OS X these days is the easy system compared to windows. One simple place to configure stuff, not the multitude of places these days in windows land.

              And this is sad to say as I was not originally kind to Apple or anything they make but I can call a spade a spade. They leapfrogged windows.

      • Why would they be, anyone who wants to use it just installs it.
      • Will this be only there on Windows Pro, or will it be available in Windows Home editions as well?
    • just how long does it take to attempt to de-clap it?

      0 hours, since it's not something that 99.99% of users do, especially not in corporations (which is what this story is about).

      • Show me where he said "typical user", then you would be attempting to make a point that was consistent with his post. Of course the fact that most non-corporate "admins" are also users who don't have a basic understanding of any of this, and are regularly lied to by Microsoft when they are told skill isn't required, while forcing an insecure by default OS onto systems via past anti-trust violations that led to user lock-in and rake in money from naive customers, doesn't make your ridiculous "point" any bet
        • My point is not consistent with his post. My point is consistent with the story and my point was that his post is an off topic anti MS rant. Hope you got my point now too.

          • I already made it clear that I understand that you didn't have a "point." Now you just need to figure that out.
    • by nightflameauto ( 6607976 ) on Thursday February 05, 2026 @09:57AM (#65970164)

      Let's face it: Microsoft can no longer be trusted with your data. On a fresh Windows installation, just how long does it take to attempt to de-clap it?

      I'm far from Microsoft's biggest fan, but when they do one ever so slightly positive thing that people have actually wanted, we don't have to immediately assume the worst. Give it a week and we'll have a report about the worst, but the announcement gives us a brief respite from, "When are they going to do something we've actually asked for?" We can celebrate that vanishingly small victory for a few seconds before we find out the nefarious part.

      Right?

      Riiiiiiiight?

      • I remember using the old version of Process Explorer on Windows 7. Then SysInternals was bought by Microsoft. When the new version of Process Explorer was released, it showed you a LOT less stuff that was going on in the background, showing an idle Win10 system with 0% CPU utilization. The old version of Process Explorer on an idle Win10 system lights up like a Christmas tree.

        Yeah, I always assume the worst, because that's just reality.

        PS - Yeah, I'm still stuck on Windows. Linux is a PITA.

    • by slaker ( 53818 )

      I modify my installation ISO to remove the most egregious matters and use an autounattend.xml to make sure the installation is as I wish it to be. I have sysprep images that are appropriate for things I deal with professionally and my generic installation ISO works well enough to handle one-off installs that I can use the same single file for at least anything up to a Ryzen HX370/Zen5 or 15th-gen Intel.

      Schneegan's AutoUnattend generator is extremely helpful in this regard. I've recently found Winhance, whi

  • What? (Score:5, Funny)

    by RitchCraft ( 6454710 ) on Wednesday February 04, 2026 @11:52PM (#65969696)

    They haven't renamed it CoPilot Sysmon yet?

    • @: Looks like you want to rename Sysmon to CopilotSysmon! Would you like some help with that?

      [OK] [Cancel]

    • Don't give them ideas.

      Very soon we may end up with Windows CoPilot after Windows 11.

      And since CoPilot is supposedly AI enabled, it will self improve over time, and be the last OS from MS. We promise this time!

    • They haven't figured out yet exactly what that Copilot button would do if you did click it, beyond a fancy interactive help system to tell you how to use it.

    • Actually it's been renamed to m365 in order to avoid confusion.
  • Oh, right, WINDOWS. Yuck. No ssh-ing down the list with a nice small script and all done. No idea why this limited and defective toy is used in any professional context.

    • by Viol8 ( 599362 )

      "No ssh-ing down the list with a nice small script and all done"

      Poettering and the distro sheep have done their best to make linux admin much harder than it was before or needs to be, so I'm not sure a small script would work now on a penguin box.

      • by bn-7bc ( 909819 )
        Ok, I must have missed that, can you give concrete examples (besides systemd hate, and the remaining phalanges of the X11 to Wayland transition)?
      • by gweihir ( 88907 )

        It still works quite well and it will continue to work because it is a major advantage. Also, there is no need to run Poetterix.

  • Considering how they've been destroying customer trust in Windows, this small move doesn't bring a lot of love for MS.
  • Will the executable now shrink back to its pre-EULA size?