Microsoft actually does something useful, adds Sysmon to Windows
After years of bolting AI onto everything, Redmond remembers admins exist
by Richard Speed · The Register

There is good news for administrators: Microsoft has delivered on its promise to build Sysmon functionality into Windows.
The functionality arrived in the Dev and Beta Windows Insider channels this week in builds 26300.7733 and 26220.7752, respectively. It allows administrators to capture system events via custom configuration files, filter for specific events, and write them to the standard Windows event log for pickup by third-party applications, including security tools.
Sysmon, part of the Sysinternals toolset, has long been useful for monitoring Windows' internals. Mark Russinovich, Microsoft technical fellow and co-founder of Winternals, from whence Sysinternals (and Sysmon) sprang, said: "It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations.
"Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks."
But deploying and maintaining it has been painful for administrators managing potentially thousands of endpoints across an enterprise. Russinovich noted "a lack of official customer support for Sysmon in production environments."
Having it built in (though disabled by default) is therefore welcome, a respite from Microsoft's relentless AI integrations across its portfolio.
Enabling it requires some work with PowerShell, which shouldn't trouble Sysmon-savvy users. Microsoft notes that any existing Sysmon installation must be uninstalled first before the built-in version can be enabled.
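To make the "custom configuration files, filter for specific events, write them to the event log" description above concrete, here is an added example (not from the article, Microsoft or Sysinternals): a minimal Sysmon filtering config and a PowerShell reader for the process-creation events it produces. It assumes the built-in version accepts the same XML schema and writes to the same event channel as the Sysinternals tool; the schema version and the apply step are placeholders.

```powershell
# Added example, not code from the article or from Microsoft.
# ASSUMPTIONS: built-in Sysmon uses the Sysinternals config schema and logs to
# "Microsoft-Windows-Sysmon/Operational"; schemaversion "4.90" is a placeholder.
$SysmonConfig = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1 (ProcessCreate): keep only launches of shell/script interpreters -->
    <RuleGroup name="Interpreters" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\pwsh.exe</Image>
        <Image condition="end with">\cmd.exe</Image>
        <Image condition="end with">\wscript.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 22 (DnsQuery): log everything except a known-noisy first-party domain -->
    <RuleGroup name="DnsNoise" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.windowsupdate.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path "$env:TEMP\sysmon-config.xml" -Value $SysmonConfig -Encoding UTF8
# Apply the file with whatever install/update command the built-in version documents.

function Get-SysmonProcessCreate {
    param([int]$Newest = 50)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Newest -ErrorAction Stop | ForEach-Object {
        # Read EventData fields by name from the event XML rather than by position,
        # so the projection survives field reordering between Sysmon versions.
        [xml]$xml = $_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentImage = $d['ParentImage']
            Hashes      = $d['Hashes']
        }
    }
}

Get-SysmonProcessCreate -Newest 20 | Format-Table -AutoSize -Wrap
```

The same per-event objects can be forwarded to a SIEM collector in place of `Format-Table`; the include/exclude split in the config is what keeps the channel from drowning in routine activity.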
After a month of patches that Microsoft would rather forget, Sysmon's arrival is a genuinely positive update.
Rather than adding font effects to Notepad and more AI, or turning Paint into a Photoshop knockoff, Microsoft is delivering a tool that actually makes administrators' lives easier - perhaps a sign it's taking user needs more seriously than shareholder demands.
Who are we kidding? ®