The big picture: Mark Russinovich created Sysmon and the other utilities in the Sysinternals suite to give system administrators advanced monitoring and troubleshooting tools. Russinovich is now CTO of Microsoft Azure, and Sysmon is about to become a built-in part of Windows.
Russinovich recently announced that Sysmon will be available as a native Windows feature starting next year. The tool is part of the renowned Sysinternals suite of troubleshooting and system utilities, and has long been a critical resource for security professionals and analysts seeking a deeper understanding of system activity on Windows.
System Monitor (Sysmon) consists of a Windows system service and a device driver that, once installed, remain resident across reboots, Russinovich explains. Working with the Windows Event Log, the tool records a wide range of system activity, including process creation, network connections, file changes and more.
In simple terms, Sysmon produces detailed telemetry that can be used to detect suspicious activity on a Windows system. Today, however, the standalone utility must be downloaded and installed on each machine by hand. Russinovich notes that this creates significant maintenance overhead for enterprises managing thousands of computers, since Microsoft provides neither official support nor automatic updates for it.

In 2026, the Sysinternals developers plan to finally resolve the management challenges caused by Sysmon's standalone nature. The utility will be integrated into both Windows 11 and Windows Server 2025, reducing operational risk associated with the lack of automatic updates. Sysmon will also become part of Microsoft's customer support ecosystem, similar to other tools built into Windows.
The native Sysmon will work much like the original tool: once the service and driver are installed from an elevated command prompt (sysmon -i), it records a wide range of system events. Russinovich highlights some of the key "detection events" Sysmon writes to the Windows Event Log, including process creation (Event ID 1), network connections (ID 3), file creation (ID 11), WMI event subscriptions (IDs 19, 20 and 21) and more.
Sysmon logs events according to a custom configuration file provided by the user. Microsoft has promised that comprehensive documentation will be available in 2026. In the meantime, the open-source community offers advanced Sysmon configuration examples that users can study and adapt.
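To make the installation step and the configuration-driven logging described above concrete, here is an added example (not from the article, from Russinovich or from the Sysinternals project) that writes a minimal Sysmon configuration covering the event IDs mentioned above, installs or updates the standalone Sysmon64.exe with it, and then reads the resulting events back from the Sysmon event channel. It assumes Sysmon64.exe is on the PATH, the shell is elevated, and schema version 4.90 matches the installed build; the file path, the service name Sysmon64 and the exact install switches of the future native version are assumptions, so check them against the release you deploy.

```powershell
# Added example, not the article's or Sysinternals' code.
# Assumes: Sysmon64.exe on PATH, elevated shell, schemaversion matches
# the installed build (verify with: sysmon64.exe -s).

$configPath = Join-Path $env:TEMP 'sysmon-config.xml'   # illustrative path

# Minimal configuration. Convention: an empty "exclude" block logs every
# event of that type; an "include" block logs only what matches.
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1: process creation, log everything -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <!-- Event ID 3: network connections, only from commonly abused interpreters -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">wscript.exe</Image>
        <Image condition="end with">cscript.exe</Image>
        <Image condition="end with">mshta.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 11: file creation in per-user Startup folders (persistence) -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="contains">\Start Menu\Programs\Startup\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <!-- Event IDs 19-21: WMI permanent event subscriptions, log everything -->
    <RuleGroup name="" groupRelation="or">
      <WmiEvent onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding ASCII

# Fresh install (-i) or configuration update (-c) of an existing service.
# -accepteula avoids the interactive licence prompt in unattended rollouts.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & sysmon64.exe -c $configPath
} else {
    & sysmon64.exe -accepteula -i $configPath
}

# Sysmon writes to its own operational channel, not to the Security log.
$channel = 'Microsoft-Windows-Sysmon/Operational'
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $channel
    Id        = 1, 3, 11, 19, 20, 21
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The EventData fields are positional in .Properties; parse the event XML
    # so they can be addressed by name (CommandLine, DestinationIp, ...).
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        1       { '{0} PROCESS {1} <- parent {2}' -f $e.TimeCreated, $data.CommandLine, $data.ParentImage }
        3       { '{0} NETWORK {1} -> {2}:{3}'     -f $e.TimeCreated, $data.Image, $data.DestinationIp, $data.DestinationPort }
        11      { '{0} FILE    {1} wrote {2}'      -f $e.TimeCreated, $data.Image, $data.TargetFilename }
        default { '{0} WMI({1}) {2}'               -f $e.TimeCreated, $e.Id, $data.Operation }
    }
}
```

The configuration deliberately logs all process creations and all WMI subscription changes while filtering network and file events, because unfiltered Event ID 3 and 11 volumes are what usually makes a naive Sysmon rollout unmanageable; tune the include lists to your environment and keep the configuration under version control, since the same file is what `sysmon -c` pushes to every host.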
The debut of Sysmon as a native Windows tool represents a major win for power users and system administrators. Russinovich, however, emphasized that this is only the beginning: Microsoft plans to continue investing in enhanced monitoring capabilities and AI-powered analysis for security tasks.