Saturday, February 14, 2026

Sysmon Becomes A Built-In Tool For Windows IT Admins and Security Teams

Microsoft has announced that System Monitor (Sysmon), a key tool for monitoring Windows systems, will become a native feature in Windows 11 and Windows Server 2025 starting next year.

This integration eliminates the need for manual downloads and updates, making it easier for IT admins and security teams to gain deep visibility into potential threats without extra hassle.

Sysmon has been a favorite among security professionals since its 2014 release as part of the Sysinternals suite.

It captures detailed logs on system activities, such as process creations and network connections, helping detect stealthy attacks, including credential theft and lateral movement.

Before this change, deploying Sysmon across large networks meant downloading binaries from Microsoft, manually configuring them, and handling updates yourself, which often led to delays and inconsistent coverage.

With the native version, Sysmon will be delivered via standard Windows updates, ensuring automatic compliance and reducing the risk of outdated installations.

This aligns with Microsoft’s Secure Future Initiative, focusing on secure-by-design operations and out-of-the-box security tools.

Native Sysmon Functionality Simplifies Security Operations

The new built-in Sysmon will retain all its core features, including support for custom configuration files that let users filter events to focus on relevant threats.

Once available, admins can enable it quickly via the “Turn Windows features on or off” option in settings, then run the simple command “sysmon -i” in Command Prompt.

This installs the driver and starts the service with a default setup, logging events directly to the Windows Event Log under Applications and Services Logs / Microsoft / Windows / Sysmon / Operational.

For advanced setups, users can apply XML configuration files to tailor monitoring, such as excluding noisy events or prioritizing suspicious ones, just like the standalone version.

This native approach solves key pain points for enterprises. Because no separate deployment is needed, rollout across thousands of endpoints is faster, and official Microsoft support will cover production use, closing earlier gaps in assistance.

Updates will flow seamlessly through Windows Update, keeping the tool up to date with fixes and enhancements.

Security applications and SIEM systems can easily pull these logs, improving integration without custom scripting. Overall, it cuts operational overhead and boosts consistency in threat visibility.

Enhanced Threat Detection With Rich Event Signals

Sysmon’s strength lies in its granular event logging, which is now readily available without extra software. For instance, Event ID 1 tracks process creations, flagging odd command lines like “powershell -nop -w hidden” used in fileless malware attacks.

Event ID 3 monitors network connections, spotting unusual outbound traffic to IP addresses that might signal command-and-control servers, such as connections to 185.199.x.x:443.

Event ID 8 reveals process access attempts, like when tools try to dump credentials from LSASS memory using comsvcs.dll, a common tactic in privilege escalation.

Other critical events include ID 11 for file creations in suspicious spots, such as temp directories holding scripts like C:\Users\Public\temp\update.ps1, often dropped by ransomware.

Event ID 25 detects process tampering techniques, including hollowing, where attackers replace legitimate code with malicious payloads, or herpaderping to evade detection.

Events 20 and 21 cover WMI activities, including persistence methods such as WmiEventConsumer setups that quietly run backdoors.

These signals feed into forensic tools and help map attacks to frameworks like MITRE ATT&CK.
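To make the custom-configuration filtering and the event signals described above concrete, here is an added example that is not part of the article and not Sysmon’s own code: a small Python model of Sysmon’s include/exclude rule semantics (the `onmatch`, `condition` and rule `name` attributes of a Sysmon XML configuration), applied to constructed sample events of the types discussed. The configuration, the event records and the rule names are constructed for this example, not captured from a host, and the model deliberately simplifies one point noted in the code: event types with no rules at all are passed through, whereas real Sysmon applies a per-type default. One point of precision on numbering: in Sysmon’s own schema the event for a process opening a handle to lsass.exe is ProcessAccess, Event ID 10, while Event ID 8 is CreateRemoteThread; the example uses Sysmon’s numbering.

```python
"""Toy model of Sysmon include/exclude filtering over constructed events.
Added example for this article; not Sysmon's code. The config and the
events below are constructed, not captured from a real host."""
import xml.etree.ElementTree as ET

# Sysmon event type -> Event ID for the types used here (Sysmon's own numbering).
EVENT_IDS = {"ProcessCreate": 1, "NetworkConnect": 3, "CreateRemoteThread": 8,
             "ProcessAccess": 10, "FileCreate": 11, "ProcessTampering": 25}

# Constructed config in Sysmon's schema: one group drops noise, the other keeps
# the patterns the article lists. A rule's name is logged as RuleName on the event.
CONFIG_XML = r"""<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="noise" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="end with">\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="suspicious" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine name="hidden powershell" condition="contains all">-nop;-w hidden</CommandLine>
      </ProcessCreate>
      <NetworkConnect onmatch="include">
        <Image name="rundll32 outbound" condition="image">rundll32.exe</Image>
      </NetworkConnect>
      <ProcessAccess onmatch="include">
        <TargetImage name="lsass access" condition="end with">\lsass.exe</TargetImage>
      </ProcessAccess>
      <FileCreate onmatch="include">
        <TargetFilename name="script in Public" condition="begin with">C:\Users\Public\</TargetFilename>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

SAMPLE_EVENTS = [  # constructed sample events; field names as Sysmon logs them
    {"type": "ProcessCreate", "fields": {
        "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}},
    {"type": "ProcessCreate", "fields": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -w hidden"}},
    {"type": "ProcessCreate", "fields": {
        "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}},
    {"type": "NetworkConnect", "fields": {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "DestinationIp": "185.199.0.1", "DestinationPort": "443"}},
    {"type": "ProcessAccess", "fields": {
        "SourceImage": r"C:\Windows\System32\rundll32.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}},
    {"type": "FileCreate", "fields": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\Public\temp\update.ps1"}},
    {"type": "FileCreate", "fields": {
        "Image": r"C:\Program Files\Editor\editor.exe",
        "TargetFilename": r"C:\Users\alice\Documents\notes.txt"}},
    {"type": "ProcessTampering", "fields": {
        "Image": r"C:\Users\Public\temp\loader.exe", "Type": "Image is replaced"}},
]


def match(condition, value, pattern):
    """Evaluate one Sysmon rule condition; comparisons are case-insensitive."""
    v, p = value.lower(), pattern.lower()
    parts = [s.strip() for s in p.split(";")]  # "contains any/all" use ';' lists
    ops = {
        "is": lambda: v == p, "is not": lambda: v != p,
        "contains": lambda: p in v, "excludes": lambda: p not in v,
        "begin with": lambda: v.startswith(p), "end with": lambda: v.endswith(p),
        "contains any": lambda: any(s in v for s in parts),
        "contains all": lambda: all(s in v for s in parts),
        # "image" compares only the file-name component of a path
        "image": lambda: v.rsplit("\\", 1)[-1] == p.rsplit("\\", 1)[-1],
    }
    if condition not in ops:
        raise ValueError(f"unsupported condition: {condition}")
    return ops[condition]()


def load_rules(config_xml):
    """Flatten the EventFiltering tree into one dict per rule element."""
    rules = []
    for node in ET.fromstring(config_xml).find("EventFiltering"):
        # Event-type filters may sit directly under EventFiltering or in a RuleGroup.
        filters = list(node) if node.tag == "RuleGroup" else [node]
        for flt in filters:
            for rule in flt:
                rules.append({"type": flt.tag, "onmatch": flt.get("onmatch"),
                              "field": rule.tag, "condition": rule.get("condition", "is"),
                              "pattern": (rule.text or "").strip(), "name": rule.get("name", "")})
    return rules


def filter_events(config_xml, events):
    """Apply the config: an exclude hit drops the event; if include rules exist for
    the event type, only events matching one are kept, tagged with its rule name.
    Simplification: types with no rules at all are passed through here, whereas
    real Sysmon applies a per-event-type default."""
    rules = load_rules(config_xml)
    kept = []
    for ev in events:
        typed = [r for r in rules if r["type"] == ev["type"]]
        hits = {"include": [], "exclude": []}
        for r in typed:
            if match(r["condition"], ev["fields"].get(r["field"], ""), r["pattern"]):
                hits[r["onmatch"]].append(r)
        if hits["exclude"]:
            continue
        if any(r["onmatch"] == "include" for r in typed) and not hits["include"]:
            continue
        rule_name = hits["include"][0]["name"] if hits["include"] else ""
        kept.append({"EventID": EVENT_IDS[ev["type"]], "RuleName": rule_name, **ev["fields"]})
    return kept


if __name__ == "__main__":
    for rec in filter_events(CONFIG_XML, SAMPLE_EVENTS):
        print(rec["EventID"], rec["RuleName"] or "-", rec)
```

Run as-is, the script keeps five of the eight constructed events (IDs 1, 3, 10, 11 and 25): the svchost.exe start is dropped by the exclude group, the notepad.exe start and the Documents file write fall through because include rules exist for their types but none match, and each surviving event carries the RuleName of the include rule that caught it, which is the value a SIEM query would key on.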

Microsoft plans further innovations, such as enterprise-scale management and on-device AI-driven analysis to spot patterns, like lateral movement, faster.

Users can start preparing now using community configs from GitHub, such as SwiftOnSecurity’s templates for high-quality tracing.

This move makes advanced monitoring accessible, strengthening Windows defenses for everyone from small teams to large organizations.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
