Defrag Tools #108 - Sysinternals SysMon - Mark Russinovich



Mark Russinovich and Thomas Garnier join Andrew Richards in this episode of Defrag Tools. We talk about their new tool - Sysinternals System Monitor.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
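As an added example (not part of the episode's show notes and not a Sysinternals sample), the PowerShell below installs Sysmon with network logging, raises its event log to the 64 MB size the episode mentions, and then summarizes what the three event types it records look like. It assumes an elevated PowerShell 3.0 or later prompt, Sysmon.exe in the current directory, and the default Microsoft-Windows-Sysmon/Operational channel. The AppData/Temp path filter at the end is my own starting heuristic for the kind of persistent malware the "chronically infected PC" segment deals with, not a procedure the episode prescribes.

```powershell
# Added example, not from the episode or the Sysinternals download.
# Assumes: elevated PowerShell 3.0+, Sysmon.exe in the current directory.

# 1. Install Sysmon as a service and driver.
#    -accepteula  suppress the license dialog (needed for scripted installs)
#    -i           install
#    -n           also log network connections (Event ID 3)
.\Sysmon.exe -accepteula -i -n

# 2. Sysmon writes to its own channel. The default size is small; the episode
#    found 64 MB holds weeks of activity on a typical desktop.
$logName = 'Microsoft-Windows-Sysmon/Operational'
$log = Get-WinEvent -ListLog $logName
$log.MaximumSizeInBytes = 64MB
$log.SaveChanges()

# 3. Pull the three event types the first Sysmon release emits and count them.
#    1 = process create, 2 = file creation time changed, 3 = network connection
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1, 2, 3 } -ErrorAction SilentlyContinue
$events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# Helper: flatten the <EventData><Data Name="..."> elements into an object,
# so field lookups do not depend on positional order in $_.Properties.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $data = @{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

$parsed = $events | ForEach-Object { ConvertFrom-SysmonEvent $_ }

# 4. Most frequently launched images (Event ID 1). Image, CommandLine and
#    ParentImage have been present since the first release; hash field names
#    changed between versions, so they are not relied on here.
$parsed | Where-Object { $_.EventId -eq 1 } |
    Group-Object Image | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 5. Heuristic (mine, not the episode's): processes started from user-writable
#    locations, a common home for persistent malware. Cross-check hits against
#    Autoruns rather than treating them as verdicts.
$parsed | Where-Object { $_.EventId -eq 1 -and $_.Image -match '\\(AppData|Temp|Downloads)\\' } |
    Select-Object TimeCreated, Image, CommandLine, ParentImage |
    Format-Table -AutoSize -Wrap

# 6. Network connections grouped by image and destination (Event ID 3).
$parsed | Where-Object { $_.EventId -eq 3 } |
    Group-Object Image, DestinationIp, DestinationPort | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Parsing the event XML rather than indexing `$_.Properties` keeps the script working when a later Sysmon release inserts new fields into an event; the only names it depends on (Image, CommandLine, ParentImage, DestinationIp, DestinationPort) are the stable ones.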

Sysinternals System Monitor (SysMon)
Rogue Code - A Novel

[00:00] - Rogue Code - The new cybersecurity novel
[00:55] - Announcing: Sysinternals System Monitor (SysMon)
[04:17] - Released August 7th 2014
[04:42] - Command Line
[05:55] - Case of My Mom's Chronically Infected PC
[12:20] - Sysinternals AutoRuns - Scheduled Tasks
[15:08] - 64 MB Event Log - weeks of activity
[16:59] - Email us your issues at

Mark Russinovich is the Chief Technology Officer for Azure and co-founder of Sysinternals.
Thomas Garnier is Senior Security Software Developer in Trustworthy Computing.




The Discussion

  • There's one (obvious) thing sorely missing from the tool but as you said, if it was implemented then it might become something the malware authors would anticipate. Now they might not bother.

    Stronger approach would be to have MS ship Windows with some sort of rootkit-detection dongle that had, e.g., a USB port with debug ability and a network or wifi for getting updates externally to the rootkit detection algos without going through the compromised system.

  • Great tool. Already been using it but always nice to see the developers giving some detail about it. And more features on the way... good stuff!

  • Thanks for providing this tool outside of Microsoft!!
