Explore Sysmon and the Windows Event Viewer


One of the most powerful tools for troubleshooting a PC has been built into Windows since the Windows NT days, but it is still widely misunderstood.  It's known as the Event Viewer.  The tool itself is merely a window into a particularly useful feature of the operating system, namely that it keeps a log of a great deal of what it does.  Every time a service starts, a user logs on, a driver fails to load, or an application crashes, a log entry is created.  It's not uncommon for tens of thousands of entries to be created every week.  Event Viewer lets you view, filter and search these event logs to help track down the cause of a problem.

Key to the event logging system is the event ID.  Every kind of event that Windows logs has its own numeric ID, which makes searching easier.  For example, on Windows Vista and later, every failed logon attempt (wrong password, unknown user name, locked-out or disabled account) is recorded in the Security log as event 4625, "An account failed to log on".  Each 4625 entry carries the account name that was tried, the source network address where there is one, and a Status/SubStatus code that says why the attempt failed: 0xC000006A is a bad password, 0xC0000064 an unknown user name, 0xC0000234 a locked-out account and 0xC0000072 a disabled account.  Filter your Security log for this number and group the entries by source address, and a brute-force attempt against your PC or server stands out as one address producing hundreds of failures.  Note that 4625 is only written if failure auditing for logons is turned on (check with auditpol /get /subcategory:Logon from an elevated prompt).
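As an added example (this is not code from the original article), the following PowerShell script pulls the last week of 4625 events from the Security log, decodes the SubStatus field into a readable reason, and groups the failures by source address so a brute-force attempt is visible at a glance.  It must be run from an elevated PowerShell prompt, since the Security log is not readable by standard users; the seven-day window and the threshold of 20 failures per address are assumptions you can adjust.

```powershell
# Added example: summarise failed logons (Security event 4625) by source and reason.
# Requires an elevated prompt (reading the Security log needs administrator rights).

# SubStatus codes Windows writes into a 4625 event to say why the logon failed.
$reasons = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'Unknown user name'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
}

# Assumption: look back seven days.
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Turn each event's EventData block into an object with one property per <Data Name="..."> field.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $sub = "$($d.SubStatus)".ToLower()
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source    = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { 'local' }
        LogonType = $d.LogonType          # 2 interactive, 3 network, 10 RDP, etc.
        Reason    = if ($reasons.ContainsKey($sub)) { $reasons[$sub] } else { $sub }
    }
}

Write-Host "Failed logons since ${since}: $($rows.Count)"

# Failures per source address and reason; the top of this list is where a password-guessing
# attempt shows up (one address, one reason, a large count).
$rows | Group-Object Source, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Assumption: flag any source with more than 20 failures in the window and list the accounts tried.
$rows | Group-Object Source | Where-Object { $_.Count -gt 20 } | ForEach-Object {
    $accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
    Write-Host "Possible brute force from $($_.Name): $($_.Count) failures against: $accounts"
}
```

If the script prints nothing at all, check the audit policy first: no failure auditing means no 4625 events, not a clean system.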
There are, though, some useful things that Windows doesn't log, or doesn't log by default.  Process creation auditing (event 4688) is switched off on a standard installation, and even when it is on it records neither a hash of the program that started nor, on Windows 7, its command line.  To remedy this, a number of companies produce add-on products which monitor the system for those things and, when they happen, write an entry to the event log.  You can then use the standard Event Viewer to search for them.
One such program, from the highly respected Sysinternals team at Microsoft, is called Sysmon, which has recently been updated to version 2.  Sysmon installs a driver and a service and records a small set of events that are particularly useful when investigating an intrusion or a malware infection: process creation (with the full command line, the parent process and a hash of the executable), network connections tied to the process that made them, changes to a file's creation timestamp, and driver loads.  None of these events is malicious in itself; the value is that, when something does go wrong, you can search them to see what ran, what started it and what it talked to.
You'll find Sysmon at https://technet.microsoft.com/en-us/sysinternals/dn798348 along with details of how to install it.  Essentially you unzip the file and type sysmon -i from an elevated (Run as administrator) command prompt; add -accepteula to skip the licence dialog, and sysmon -u removes it again.  Once installed it writes its events to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational in Event Viewer, so they are kept separate from the Security log.  The file is a download of around 0.6 MB and is portable.  The program is malware-free according to VirusTotal and Web of Trust.
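To show what the installation and the log look like in practice, here is an added example (not code from the original article or from Sysinternals) that installs Sysmon from an elevated PowerShell prompt with network logging and SHA-256 hashing enabled, then reads the last hour of process-creation (ID 1) and network-connection (ID 3) events back out of its Operational log.  The extraction folder C:\Tools\Sysmon and the one-hour window are assumptions; the EventData field names used (Image, CommandLine, ParentImage, Hashes, Initiated, DestinationIp, DestinationPort) are the ones Sysmon writes, and if a given release names one differently you can see the actual names in Event Viewer under Details > XML View for any Sysmon event.

```powershell
# Added example: install Sysmon and read its events back from the log it writes to.
# Run from an elevated PowerShell prompt. Assumption: Sysmon.zip was extracted to C:\Tools\Sysmon.
#   -i          install the driver and service
#   -accepteula accept the licence without the dialog
#   -n          also log network connections (event ID 3)
#   -h sha256   record SHA-256 hashes of process images in event ID 1
& 'C:\Tools\Sysmon\Sysmon.exe' -i -accepteula -n -h sha256

# Sysmon logs to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Fetch Sysmon events of the given IDs and expose each <Data Name="..."> field as a property.
function Get-SysmonEvent {
    param(
        [int[]]$Id,
        [datetime]$Since = (Get-Date).AddHours(-1)   # assumption: look back one hour
    )
    Get-WinEvent -FilterHashtable @{ LogName = $sysmonLog; Id = $Id; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id }
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]$d
        }
}

# Event ID 1, process creation. The parent/child pair and the command line are the first things
# to look at: a document viewer or browser spawning a script host or shell is a classic sign of
# a malicious attachment or download.
Get-SysmonEvent -Id 1 |
    Where-Object { $_.Image -match '\\(cmd|powershell|wscript|cscript|mshta|regsvr32)\.exe$' } |
    Select-Object Time, ParentImage, Image, CommandLine, Hashes |
    Format-List

# Event ID 3, network connections, tied back to the process that opened them. Grouping outbound
# connections by image and destination shows which programs are talking to which addresses.
Get-SysmonEvent -Id 3 |
    Where-Object { $_.Initiated -eq 'true' } |
    Group-Object Image, DestinationIp, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

The Hashes value from an event ID 1 entry is what you paste into VirusTotal to check an unfamiliar executable, and the ProcessGuid field (present on both event types) lets you join a suspicious network connection to the exact process instance that made it.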
To access the Event Viewer on your PC, just search for Event Viewer using the Start menu in Windows 7 or the charms in Windows 8, or run eventvwr.msc.
