Microsoft为最终用户提供了大量有用的工具，可用于对Windows操作系统进行调整、播放、故障排除、诊断、保护或执行任何操作。Sysinternals System Monitor (Sysmon)就是这样一种新发布的工具，专为基于Windows的计算机设计，用于收集所有系统日志文件。这些日志文件对于了解与Windows相关的问题非常重要且至关重要。Sysmon安装后会一直在后台以休眠状态运行，并且可以在需要时恢复运行。

适用于 Windows 的 Sysmon 系统监视器

System Monitor背后的基本工作流程是它存储来自Windows 事件收集^{(Windows Event Collection)}（事件查看器^{(Event Viewer)}）和安全信息^{(Security Information)}和事件管理^{(Event Management)}( SIEM ) 代理的信息，如进程ID^(IDs)、GUID^(GUIDs)、SHA1、MD5 ( SHA256 ) 哈希日志。它将所有这些文件存储在Windows 10/8/7/VistaApplications and Services\logs\Microsoft\Windows\Sysmon\operational文件夹下，以及Windows XP等 旧Windows操作系统的系统事件日志下^{( System event log)}.

如何安装系统监视器
^{(How to install System Monitor)}

• 下载 Sysmon [^{(Download Sysmon [)}下方提供下载链接]
• 下载的文件将采用 zip 格式。使用 windows 默认文件提取器解压缩文件或尝试Winrar、 7zip 等。
• 文件解压缩后，运行“Sysmon”接受 EULA 并点击下一步。
• 等待^(Wait)System , Monitor完成安装，就这样！

如何使用 Sysmon^{(How to use Sysmon)}

sysmon 中的命令行可用于安装、卸载、检查和调整系统监视器的配置：

Install:    Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]

Configure:  Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]

Uninstall:  Sysmon.exe –u

用户需要了解的几个命令是：^{(Few commands that user need to understand are:)}

– i：安装服务和驱动程序

-n：存储网络连接日志

-u：卸载服务和驱动程序

-c：它更新计算机上安装的 sysmon 驱动程序或帮助转储当前可用的配置设置

-h : 它指定应用于程序的算法[默认情况下应用SHA1 ]

例子：^(Examples:)

• 使用默认设置安装应用程序：“ sysmon -i accepteula ”不带引号 [SHA1 默认]
• 使用 MD5 [SHA256] 设置安装应用程序：“ sysmon -i accepteula –h md5 -n ”  
• 卸载“ sysmon -u ”

系统监视器^{(System Monitor)}将事件 ID^{(Event IDs)}等事件存储为，

• 事件 ID 1^{(Event ID 1)}：用于进程创建，
• 事件 ID 2^{(Event ID 2)}：进程^(Process)更改了带有时间戳的文件创建时间，并且
• 事件 ID 3^{(Event ID 3)}：用于网络连接。

该工具将继续在后台运行，并将所有事件日志写入一个文件夹。安装或卸载后，并非全部都需要重新启动系统。

它是所有在Windows上运行的计算机的必备工具。从这里获取系统监视器^{(System Monitor)}工具here!

更新^(UPDATE)：Windows Sysinternals Sysmon 现在还将进程活动记录到Windows事件日志以供事件检测和取证分析使用，包括带有签名信息的驱动程序加载和图像加载事件、可配置的散列算法报告、用于包含和排除事件的灵活过滤器以及支持通过配置文件而不是命令行提供配置。它还获得恶意软件进程篡改检测。

Sysinternals Sysmon system monitor for Windows

Microsoft offers a plethora of useful tools for end-users that can be used to tweak, play, troubleshoot, diagnose, sеcure, or do anything with the Windows operating system. Sysinternals System Monitor (Sysmon), is one such newly released tool designed for Windows-based computer which collects all system log files. These log files are very important and crucial to understand issues pertaining to Windows. Sysmon once installed keeps running in the background as dormant and can be brought back to life when required.

Sysmon System Monitor for Windows

The basic workflow behind System Monitor is that it stores information from Windows Event Collection (Event Viewer) and Security Information and Event Management (SIEM) agents like process IDs, GUIDs, SHA1, MD5 (SHA256) hash logs. It stores all these files under Applications and Services\logs\Microsoft\Windows\Sysmon\operational folder in Windows 10/8/7/Vista, and under System event log in older Windows operating systems like Windows XP.

How to install System Monitor

• Download Sysmon [download link provided below]
• The downloaded file will be in zip format. Unzip the file using windows default file extractor or try Winrar, 7zip etc.
• Once the file is unzipped, run “Sysmon” accept the EULA and hit Next.
• Wait for System, Monitor to complete installation, that’s all!

How to use Sysmon

The command line in sysmon can be used to install, uninstall, check and to tweak System Monitor’s configuration:

Install:    Sysmon.exe -i [-h [sha1|md5|sha256]] [-n]

Configure:  Sysmon.exe -c [[-h [sha1|md5|sha256]] [-n]|--]

Uninstall:  Sysmon.exe –u

Few commands that user need to understand are:

–i: install service and driver programs

-n: stores network connection logs

-u: uninstall service and driver programs

-c: it updates the installed sysmon driver on the computer or helps to dump current configuration  settings available

-h: It specifies the algorithm applied to the program [by default SHA1 is applied]

Examples:

• To install the application with default settings: “sysmon -i accepteula” without quotes [SHA1 default]
• To install the application with MD5 [SHA256] settings: “sysmon -i accepteula –h md5 -n”  
• To uninstall “sysmon -u”

System Monitor stores events like Event IDs as,

• Event ID 1: Used for Process Creation,
• Event ID 2: A Process changed a file creation time with timestamp and
• Event ID 3: For Network Connection.

The tool will keep running in the background and will write all event logs into a folder. After install or uninstall a system reboot is not all required.

It is a must-have tool for all computers running on Windows. Go grab the System Monitor tool from here!

UPDATE: Windows Sysinternals Sysmon now also records process activity to the Windows event log for use by incident detection and forensic analysis, includes driver load and image load events with signature information, configurable hashing algorithm reporting, flexible filters for including and excluding events, and support for supplying configuration via a configuration file instead of the command line. It also gets malware process tampering detection.

Related posts

• 在Crash Dump文件Windows 10物理Memory Limits

• 如何使用Windows 10 SysInternals Process Explorer tool

• 流程Manager让你衡量computer reboot倍多

• RAMMap是来自Sysinternals的memory usage analysis utility

• 与Windows PC使用Send Anywhere的任何人共享文件

• Windows 10卡在Welcome screen上

• Fix Crypt32.dll未找到或缺少Windows 11/10错误

• Alt-Tab Terminator增强了默认Windows ALT-Tab functionality

• Watch数字电视，并在Windows 10上收听Radio，ProgDVB

• Windows 10上的Fix Windows Update error 0x8e5e03fa

• 如何在Windows 10启用或Disable Archive Apps feature

• Taskbar通知未显示在Windows 10中

• Best免费ISO Mounter software的Windows 10

• Picsart在Windows 10上提供Custom Stickers & Exclusive 3D Editing

• 视窗10同步设置不工作灰色

• 什么是PLS file？如何在Windows 11/10中创建PLS file？

• 5 Best免费Podcast Apps用于Windows 10

• 如何检查在Windows 10的Shutdown and Startup Log

• 如何测量Windows 11/10中的Reaction Time

• VirtualDJ是Windows 10 PC的免费虚拟DJ software