Defrag Tools #108 - Sysinternals SysMon - Mark Russinovich


Description

Mark Russinovich and Thomas Garnier join Andrew Richards in this episode of Defrag Tools. We talk about their new tool - Sysinternals System Monitor.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
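As an added example (not code from the episode or from the Sysmon documentation), the following PowerShell installs Sysmon and then reads back the three event types the description lists, pulling each event's named fields out of the event XML. Assumptions: sysmon.exe is on the PATH; the -accepteula, -i, -n and -h switches and the EventData field names below (Image, CommandLine, TargetFilename, CreationUtcTime, PreviousCreationUtcTime, SourceIp, SourcePort, DestinationIp, DestinationPort) match the Sysmon release you have installed; the channel name and event IDs 1, 2 and 3 are those Sysmon uses for process creation, file creation time change and network connection.

```powershell
# Added example, not part of the original page. Assumes sysmon.exe is on PATH and that
# the switches and EventData field names below match the installed Sysmon release.

# Install the service and driver. -n enables network connection logging,
# -h selects the hash algorithm recorded for each created process's image.
sysmon.exe -accepteula -i -n -h sha256

# Sysmon writes to its own operational channel in the Windows event log.
$log = 'Microsoft-Windows-Sysmon/Operational'

# Event ID -> meaning, for the three event types the description mentions.
$eventNames = @{
    1 = 'ProcessCreate'
    2 = 'FileCreateTime'   # file creation time changed (a timestomping indicator)
    3 = 'NetworkConnect'
}

# Pull the last 24 hours of those three event types.
$filter = @{
    LogName   = $log
    Id        = @(1, 2, 3)
    StartTime = (Get-Date).AddDays(-1)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Sysmon puts its fields in EventData; extract them by name from the XML view.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $id = [int]$_.Id
        $detail = switch ($id) {
            1 { $data['CommandLine'] }
            2 { 'creation time {0} -> {1} on {2}' -f $data['PreviousCreationUtcTime'],
                                                      $data['CreationUtcTime'],
                                                      $data['TargetFilename'] }
            3 { '{0}:{1} -> {2}:{3}' -f $data['SourceIp'], $data['SourcePort'],
                                        $data['DestinationIp'], $data['DestinationPort'] }
        }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Type   = $eventNames[$id]
            Image  = $data['Image']
            # Flag images running from user-writable locations; a process that keeps
            # launching from AppData or Temp is worth a closer look.
            Flag   = if ($data['Image'] -match '\\(AppData|Temp)\\') { 'user-writable path' } else { '' }
            Detail = $detail
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, since both installing the driver and reading the Sysmon channel require administrative rights. Drop the install line on a machine where Sysmon is already running; the query half is the part you will re-run.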

Resources:
Sysinternals System Monitor (SysMon)
Rogue Code - A Novel

Timeline:
[00:00] - Rogue Code - The new cybersecurity novel
[00:55] - Announcing: Sysinternals System Monitor (SysMon)
[04:17] - Released August 7th 2014
[04:42] - Command Line
[05:55] - Case of My Mom's Chronically Infected PC
[12:20] - Sysinternals AutoRuns - Scheduled Tasks
[15:08] - 64 MB Event Log - weeks of activity
[16:59] - Email us your issues at defragtools@microsoft.com

Authors:
Mark Russinovich is the Chief Technology Officer for Azure and co-founder of Sysinternals.
Thomas Garnier is Senior Security Software Developer in Trustworthy Computing.

The Discussion

  • androidi

    There's one (obvious) thing sorely missing from the tool but as you said, if it was implemented then it might become something the malware authors would anticipate. Now they might not bother.

    A stronger approach would be to have MS ship Windows with some sort of rootkit-detection dongle that had, e.g., a USB port with debug ability and a network or wifi for getting updates externally to the rootkit detection algos without going through the compromised system.

  • AdelinoAraujo

    Great tool. Already been using it but always nice to see the developers giving some detail about it. And more features on the way... good stuff!

  • hillr

    Thanks for providing this tool outside of Microsoft!!
