For the first time in almost two years, Microsoft's Mark Russinovich has added a new tool to the Sysinternals tool suite
. The new tool is Sysmon
which monitors for and logs certain specific events.
Sysinternals is a set of Windows utility programs first released in 1996, long before Russinovich joined Microsoft. Almost all were written by Russinovich and his then-partner Bruce Cogswell. Sysmon, written by Russinovich and Thomas Garnier, also of Microsoft, is the 73rd tool in the set, and has been used internally at Microsoft for some time.
The point of Sysmon is to monitor for three specific system events which are often used by malicious processes and which can be difficult to separate from the flood of events in a normal Windows system. Sysmon runs as a service using the Local System account and loads very early in the boot process in order to give the best chance of finding the origin of any problems.