This tutorial will show you how to install or uninstall the built-in Sysmon for all users in Windows 11.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. The service runs as a protected process, thus disallowing a wide range of user mode interactions.
Starting with Windows 11 build 26100.7922 (24H2) and 26200.9822 (25H2), and build 2800.1764 (26H1), previously announced here, Windows now brings Sysmon functionality natively to Windows. Sysmon functionality allows you to capture system events that can help with threat detection, and you can use custom configuration files to filter the events you want to monitor. The captured events are written on the Windows event log, enabling them to be used with security applications and a wide range of use cases.
Built‑in Sysmon is off by default. You must enable it before you can use it.
You must be signed in as an administrator to install or uninstall the built-in Sysmon.
If you have already installed Sysmon from the website, it must be uninstalled before enabling the built-in Sysmon.
Contents
- Option One: Install or Uninstall Built-in Sysmon using Optional Features
- Option Two: Install Built-in Sysmon using Command Line
- Option Three: Uninstall Built-in Sysmon using Command Line
1 Open Settings (Win+I).
2 Click/tap on System on the left side, and click/tap on Optional features on the right side. (see screenshot below)
3 Click/tap on More Windows Features. (see screenshot below)
4 In Windows Features (OptionalFeatures.exe), check (install) or uncheck (uninstall - default) Sysmon for what you want, and click/tap on OK. (see screenshot below)
5 When finished, perform the appropriate step below: (see screenshots below)
- If installing Sysmon, click/tap on Close, and go to step 6.
- If uninstalling Sysmon, click/tap on Restart now to apply, and go to step 9.
6 Open Windows Terminal (Admin), and select Windows PowerShell or Command Prompt.
7 Copy and paste the command below into Terminal (Admin), and press Enter to complete the installation. (see screenshot below)
Sysmon -i8 You can now close Terminal (Admin) and Settings.
9 You are finished.
1 Open Windows Terminal (Admin), and select Windows PowerShell or Command Prompt.
2 Copy and paste the appropriate command below into Terminal (Admin), and press Enter. (see screenshots below)
Windows PowerShell
Enable-WindowsOptionalFeature -Online -FeatureName SysmonOR
Command Prompt
DISM /Online /Enable-Feature /FeatureName:"Sysmon"3 Copy and paste the command below into the elevated PowerShell or Command Prompt terminal, and press Enter to complete the installation. (see screenshot below)
Sysmon -i4 When finished, you can now close Terminal (Admin) if you like.
1 Open Windows Terminal (Admin), and select Windows PowerShell or Command Prompt.
2 Copy and paste the appropriate command below into Terminal (Admin), and press Enter. (see screenshots below)
Windows PowerShell
Disable-WindowsOptionalFeature -Online -FeatureName SysmonOR
Command Prompt
DISM /Online /Disable-Feature /FeatureName:"Sysmon"3 When prompted, perform the appropriate step below:
- In Windows PowerShell, type Y, and press Enter to restart the computer to apply.
- In Command Prompt, type Y to restart the computer to apply.
That's it,
Shawn Brink
Last edited:
