System monitoring is essential for detecting suspicious activity, tracking system changes, and strengthening security visibility in Windows environments. Many advanced users and administrators rely on Sysmon (System Monitor) to log detailed system events such as process creation, network connections, file changes, and registry modifications.
While Windows 11 does not include Sysmon as an enabled-by-default feature, it is officially provided by Microsoft as part of the Sysinternals Suite. Once installed and configured properly, Sysmon integrates with Windows Event Viewer and provides powerful monitoring capabilities.
In this guide, you’ll learn how to install and enable Sysmon in Windows 11 step-by-step.
How to Enable Built-in Sysmon in Windows 11
Follow the steps carefully. Administrative privileges are required.
1. Download Sysmon from Microsoft
Sysmon is distributed as part of Microsoft Sysinternals.
- Open your web browser.
- Visit the official Microsoft Sysinternals Sysmon page.
- Download the Sysmon ZIP file.
- Extract the ZIP file to a folder (for example: C:\Sysmon).
The extracted folder will contain Sysmon.exe and Sysmon64.exe (the 64-bit build).
2. Open Command Prompt as Administrator
- Press Windows + S.
- Type Command Prompt.
- Right-click it and select Run as administrator.
- Navigate to the folder where Sysmon was extracted:
cd C:\Sysmon
3. Install Sysmon with Default Configuration
To quickly enable Sysmon using default settings:
Sysmon64.exe -i
Press Enter.
When prompted to accept the license agreement, type Y and press Enter.
This installs Sysmon as a Windows service and begins logging system activity.
4. Install Sysmon with a Custom Configuration (Recommended)
For better monitoring, use a configuration file instead of default settings.
- Download a recommended Sysmon configuration file (such as community security templates).
- Save it in the Sysmon folder.
- Run:
Sysmon64.exe -i config.xml
Replace config.xml with your configuration filename.
Using a configuration file allows you to filter specific events and reduce unnecessary logs.
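A minimal configuration file for this step, added here as an example rather than taken from the page or from any published Sysmon template. It covers the event types this guide mentions (process creation, network connections, file creation time changes, registry changes); the schemaversion, the excluded images and the port are assumptions to adjust for your environment.

```xml
<!-- config.xml: added example, not an official Sysmon template.
     The schemaversion must match the installed Sysmon build;
     print the schema your binary supports with: Sysmon64.exe -s -->
<Sysmon schemaversion="4.90">
  <!-- Hash each created process image with SHA256 (Event ID 1, Hashes field) -->
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: log every process creation EXCEPT the trusted, noisy
         binaries below. onmatch="exclude" records all non-matching events. -->
    <RuleGroup name="ProcessCreate noise" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3: network connections are high volume, so onmatch="include"
         records ONLY connections that match a rule; everything else is dropped. -->
    <RuleGroup name="NetworkConnect of interest" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">cmd.exe</Image>
        <DestinationPort condition="is">445</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 2: file creation time changes by anything except Explorer -->
    <RuleGroup name="FileCreateTime" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Image condition="is">C:\Windows\explorer.exe</Image>
      </FileCreateTime>
    </RuleGroup>
    <!-- Event IDs 12-14: registry writes under common autostart keys -->
    <RuleGroup name="Registry autostart" groupRelation="or">
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\CurrentVersion\RunOnce</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

An event type with an empty include block is never logged, and one with an empty exclude block is always logged, so check each block's onmatch value before installing it with Sysmon64.exe -i config.xml.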
5. Verify Sysmon Is Running
To confirm installation:
- Press Windows + R.
- Type services.msc and press Enter.
- Locate Sysmon in the list.
- Ensure its status is Running and Startup Type is Automatic.
You can also verify using Command Prompt:
sc query sysmon64
6. View Sysmon Logs in Event Viewer
Sysmon logs appear inside Event Viewer.
- Press Windows + X.
- Select Event Viewer.
- Navigate to:
Applications and Services Logs > Microsoft > Windows > Sysmon > Operational
Here you will see detailed logs such as:
- Process creation events
- Network connection logs
- File creation time changes
- Registry changes
7. Update Sysmon Configuration (If Needed)
If you want to update the configuration later:
Sysmon64.exe -c config.xml
This applies the new configuration without reinstalling the service.
8. Uninstall Sysmon (If Required)
If you need to remove Sysmon:
Sysmon64.exe -u
This uninstalls the Sysmon service from Windows.
Important Notes
- Sysmon does not include a graphical interface.
- It runs silently in the background as a service.
- Proper configuration is important to avoid excessive logging.
- Sysmon is widely used in cybersecurity monitoring and threat detection environments.
Conclusion
Sysmon is a powerful system monitoring tool provided by Microsoft through the Sysinternals Suite. While it is not enabled by default in Windows 11, it can be installed quickly using administrative commands. Once activated, Sysmon provides detailed event logs that significantly enhance visibility into system activity.
By following the steps above, you can successfully enable Sysmon in Windows 11 and begin monitoring advanced system events. For best results, always use a well-optimized configuration file to balance performance and logging efficiency.