Microsoft to make Sysmon a native Windows 11 tool

Windows 11 logo on a laptop

Windows 11 power users will be pleased to learn that Microsoft is planning to bring the Sysmon (System Monitor) tool to Windows as a native utility. Usually part of the Sysinternals suite of utilities, Sysmon will be integrated into not only Windows 11, but also Windows Server 2025 starting next year.

The announcement was made not by Microsoft itself, but by Sysinternals creator Mark Russinovich. He says that integrating the Sysmon utility into Windows will simplify deployment for administrators and bring additional functionality.

While Russinovich points to various benefits of going native with Sysmon, one stands out because it concerns how the tool is supported today as a standalone utility: “a lack of official customer support for Sysmon in production environments poses added risk and additional maintenance overhead for your organization”.

This is now changing – or at least it will be very soon – for the security tool.

In a blog post announcing the news, Russinovich says:

Next year, you will be able to gain instant threat visibility and streamline security operations with System Monitor (Sysmon) functionality natively available in Windows!

Part of Sysinternals, Sysmon has long been the go-to tool for IT admins, security professionals, and threat hunters seeking deep visibility into Windows systems. It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations. Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks.

He goes on to talk about why integrating the tool – which so many administrators have come to rely on – matters so much:

Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows. Sysmon functionality allows you to use custom configuration files to filter captured events. These events are written to the Windows event log, enabling a wide range of use cases including by security applications.

What operational pain points does it solve for you?

  • Instant threat visibility
  • Same rich functionality, including support for custom configuration files
  • No separate download or manual deployment
  • Automated compliance as updates flow through Windows Update
  • Reduced operational risk
  • Customer service support

Here’s how Sysmon functionality available in Windows aligns with Microsoft Secure Future Initiative (SFI) pillars:

  • Helps reduce complexity and eliminate gaps caused by manual deployments (Secure by design).
  • Helps make advanced security diagnostic data available out-of-the-box (Secure operations).

The precise timing of Sysmon's integration into Windows has not yet been revealed, but steps will still need to be taken to activate it when the time comes.

The following instructions have been provided in advance:

Next year, you can enable the Sysmon functionality in Windows by using the Turn Windows feature on/off capability.

Then install it with a single command via the Command Prompt or cmd.exe:

sysmon -i

This command installs the driver and starts the Sysmon service immediately with the default configuration. Comprehensive documentation will be available at general availability.

This is not the end of the story, however. Russinovich says that “bringing Sysmon functionality in Windows is just the beginning”. What does this mean exactly? He continues:

We plan to continue investing in additional capabilities such as enterprise-scale management and AI-powered inferencing. Imagine detecting credential theft attempts or lateral movement patterns so quickly, powered by granular diagnostic data and AI inference running locally on the device. This is a game-changer for enterprise security — combining rich OS-level signals with edge AI to help reduce dwell time and improve resilience.

More information about the integration is available here. Russinovich also suggests checking out the GitHub community configuration templates: Sysmon configuration file template with default high-quality event tracing and Sysmon configuration repository.
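As an added example (not from the article, Microsoft or Sysinternals), here is what the custom-configuration and event-log workflow described above looks like in PowerShell. It assumes the native Sysmon keeps the Sysinternals command-line switches (-i, -c), the XML schema (version 4.90 is assumed) and the Microsoft-Windows-Sysmon/Operational log; the file path and the rules themselves are illustrative.

```powershell
# Added example, not from the article or from Microsoft/Sysinternals. Assumes the
# native Sysmon keeps the Sysinternals switches (-i, -c), the XML schema (4.90
# assumed) and the Microsoft-Windows-Sysmon/Operational log. Run elevated.

$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (ProcessCreate): log every process start except one noisy
         system binary. An "exclude" rule means "log everything but this". -->
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 10 (ProcessAccess): record handles opened to lsass.exe, the
         signal most credential-theft detections are built on. -->
    <RuleGroup name="ProcessAccess" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:ProgramData 'sysmon-config.xml'   # assumed location
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Install with the custom configuration (the article's plain `sysmon -i` uses the
# default one); `-c` later swaps in a revised file without reinstalling the driver.
sysmon -i $configPath
# sysmon -c $configPath

# Read back the ProcessAccess events (ID 10) and flatten their EventData fields.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 10
} -MaxEvents 20 -ErrorAction SilentlyContinue | ForEach-Object {
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        SourceImage   = $data.SourceImage
        TargetImage   = $data.TargetImage
        GrantedAccess = $data.GrantedAccess
    }
}
```

The same Get-WinEvent query, with the Id changed, reads any other Sysmon event type the configuration lets through, which is the feed a SIEM forwarder picks up.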

Image credit: vadimrysev / depositphotos


© 1998-2025 BetaNews, Inc. All Rights Reserved. About Us - Privacy Policy - Cookie Policy - Sitemap.