Sysmon is an advanced background monitor that records process-related activity to the event log.
This application is available through the WindowsSpyBlocker executable. To install Sysmon, execute WindowsSpyBlocker.exe and choose the Install option in Dev > Sysmon.
This installs Sysmon as a service that will survive reboots, collect network connection information, record MD5 hashes for all created processes, and record loading of modules.
Everything will be recorded in the Windows event log in
You can see every event in the Event Viewer window through Start > Run > eventvwr:
WindowsSpyBlocker can be used to parse events and generate CSV files.
Do not forget to edit the app.conf file before continuing:
- evtxPath: Path to the event log.
- ips: exclude IP addresses from parsing. Ranges are allowed, and in most cases you have to exclude your local network.
- hosts: exclude domains from parsing. Wildcards are allowed, and in most cases you have to exclude your local network.
- orgs: exclude by whois organization from parsing. Wildcards are allowed, and in most cases you have to exclude your ISP.
Then execute WindowsSpyBlocker.exe and select Dev > Sysmon > Extract log:
CSV files will be generated in
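The exclusion step described above, as an added example that is not WindowsSpyBlocker's own code: it applies app.conf-style `ips` (single addresses or `start-end` ranges) and `hosts` (wildcard) rules to constructed Sysmon network-connection events and renders the survivors as CSV. The event field names follow Sysmon Event ID 3; the sample addresses, hostnames and exclusion lists are constructed for illustration.

```python
# Added example (not WindowsSpyBlocker code): apply app.conf-style exclusions
# to Sysmon network-connection events before exporting them to CSV.
import csv
import fnmatch
import io
import ipaddress

# Constructed sample events, shaped after Sysmon Event ID 3 (network connection).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "192.168.1.10",
     "DestinationHostname": "nas.home.lan", "DestinationPort": "445"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "13.107.4.50",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": "80"},
    {"Image": r"C:\Program Files\Telemetry\tel.exe", "DestinationIp": "65.55.252.93",
     "DestinationHostname": "settings-win.data.microsoft.com", "DestinationPort": "443"},
]

# Constructed exclusion lists mirroring the app.conf keys described above.
# Ranges are written "start-end"; hosts use shell-style wildcards.
EXCLUDE_IPS = ["192.168.0.0-192.168.255.255", "127.0.0.1"]
EXCLUDE_HOSTS = ["*.home.lan", "*.windowsupdate.com"]

def parse_ip_rule(rule):
    """Return (first, last) addresses covered by a single IP or a start-end range."""
    if "-" in rule:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
    else:
        lo = hi = ipaddress.ip_address(rule.strip())
    return lo, hi

def is_excluded(event, exclude_ips=EXCLUDE_IPS, exclude_hosts=EXCLUDE_HOSTS):
    """True when the destination IP falls in an excluded range or the host matches a pattern."""
    ip = ipaddress.ip_address(event["DestinationIp"])
    if any(lo <= ip <= hi for lo, hi in map(parse_ip_rule, exclude_ips)):
        return True
    host = event.get("DestinationHostname", "").lower()
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in exclude_hosts)

def events_to_csv(events):
    """Filter events and render the survivors as CSV text; returns (kept_events, csv_text)."""
    kept = [e for e in events if not is_excluded(e)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["Image", "DestinationIp", "DestinationHostname", "DestinationPort"])
    writer.writeheader()
    writer.writerows(kept)
    return kept, buf.getvalue()

if __name__ == "__main__":
    print(events_to_csv(SAMPLE_EVENTS)[1])
```

Only the third event survives the filter: the first is dropped by the local-network range and the second by the wildcard host rule.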
Created: 2020-08-14 00:18:56