sysmon64.exe

Sysmon (System Monitor) 64-bit

System Monitoring ToolTrustedSecurity/Forensics

CPU Usage

0-5%

Memory

1-15 MB

Location

C:\Sysmon

Publisher

Microsoft Corporation

Quick Answer

sysmon64.exe is safe. Sysmon is a Microsoft Sysinternals utility that runs as a Windows service to monitor and log detailed system activity for security and forensics.

Is it a Virus?

✔ NO - Safe

Must be in C:\Sysmon\Sysmon64.exe or a legitimate Sysmon installation

Warning

Event-driven monitoring

Sysmon logs events to the Windows Event Log; multiple event types are expected when configured

Can I Disable?

✔ YES

You can stop and uninstall Sysmon; use elevated commands to stop the service and remove it

What is sysmon64.exe?

sysmon64.exe is the 64‑bit Sysmon executable from Microsoft Sysinternals. When installed, it runs as a Windows service and collects detailed, tamper‑evident logs of system activity, including process creation, network connections, file creation, and driver loads, writing to the Windows Event Log for security monitoring and forensics.

Sysmon uses the ETW framework to capture events defined by its configuration and writes structured logs to the Windows Event Log for analysis. It runs in the background and does not present a UI by default, enabling detailed incident response.

Quick Fact: Sysmon provides deep, configurable visibility into system events and is commonly used in SOC and IR workflows.

Types of Sysmon Components

Sysmon Service: The main Windows service that coordinates event collection and configuration
Event Logging: Writes events to the Windows Event Log (Applications and Services Logs)
Kernel Driver: Optional kernel driver used to enhance ETW event capture
Configuration Module: Config-driven behavior defining which events are recorded
Data Output: Event data consumed by SIEMs, EDRs, and security tooling

Is sysmon64.exe Safe?

Yes, sysmon64.exe is safe when it is the legitimate Sysmon binary from Microsoft and installed from an official source.

Is sysmon64.exe a Virus or Malware?

The real sysmon64.exe is NOT a virus. Malware may disguise itself with similar names.

How to Tell if sysmon64.exe is Legitimate or Malware

File Location: Must be in C:\Sysmon\Sysmon64.exe or C:\Sysinternals\Sysmon64.exe. Any sysmon64.exe elsewhere is suspicious.
Digital Signature: Right-click the file in Explorer → Properties → Digital Signatures. Should show a valid signature from "Microsoft Corporation" or Sysinternals authorship.
Resource Usage: Normal operation uses minimal CPU and memory. Excessive resource use by sysmon64.exe is atypical unless logging an active incident.
Behavior: Sysmon writes to the Windows Event Log and does not spawn a prominent UI. Unusual UI or hidden behavior indicates potential tampering.

Red Flags: If sysmon64.exe is located in unusual folders (like Temp or AppData), runs without installation, lacks a valid signature, or logs to unexpected channels, run antivirus/EDR scans and verify installation from an official Sysinternals source.

Why Is sysmon64.exe Running on My PC?

Sysmon64.exe runs after you install Sysmon to monitor system activity and to log events to Windows Event Logs for security and forensic use. It may run as a service even when no user is logged in, depending on configuration.

Reasons it's running:

Active System Monitoring: Sysmon is configured to continuously monitor system events and log them for security analysis.
Background Event Logging: It records process creation, network connections, file creation, and other events in the Windows Event Log.
Startup Service: The Sysmon service is configured to start automatically on boot to ensure ongoing visibility.
Configuration Driven: A Sysmon configuration file defines which events are captured, affecting why and what runs in the background.
IR and Forensics: Organizations deploy Sysmon to support incident response, threat hunting, and post‑mortem investigations.

Can I Disable or Remove sysmon64.exe?

Yes, you can disable sysmon64.exe. Stopping and uninstalling Sysmon will remove its monitoring, but you should coordinate with security policies before disabling.

How to Stop sysmon64.exe

Stop the Sysmon service: Open an elevated Command Prompt and run: <code>sc stop sysmon</code> or use Services.msc to stop the Sysmon service
Disable startup: In Services.msc, set Sysmon to Disabled or run: <code>sc config sysmon start=disabled</code>
Uninstall Sysmon: Run from the Sysmon directory: <code>C:\Sysmon\Sysmon64.exe -u</code> to uninstall the service
Remove leftover files: Delete the Sysmon installation folder (e.g., <code>C:\Sysmon</code>) if no longer needed
Reboot: Restart the machine to ensure changes take effect

How to Uninstall Sysmon

✔ Open an elevated Command Prompt
✔ Navigate to the Sysmon folder (e.g., C:\Sysmon)
✔ Execute: sysmon64.exe -u to uninstall the Sysmon service
✔ If desired, delete the installation folder and config file
✔ Optionally restart the computer

Common Problems: Sysmon Not Producing Expected Logs

If sysmon64.exe is not logging as expected or the logs are missing, check installation, configuration, and service status.

Common Causes & Solutions

Sysmon not installed or service not running: Verify installation and service status; reinstall if necessary and start the service
Missing or invalid config file: Ensure a valid config.xml is present and referenced by the service; re-run installation with a proper config
Wrong event channel or filter: Open Event Viewer and ensure logs exist under Applications and Services Logs > Microsoft > Windows > Sysmon; adjust config to log desired events
Disk space or retention limits: Increase log retention or delete old logs; configure retention in Event Viewer
Permissions or UAC restrictions: Run as Administrator and verify service permissions; ensure user has rights to install and modify services
Driver/signature issues after OS updates: Update Sysmon to a compatible version and verify digital signature; reinstall if needed

Quick Fixes:
1. Confirm Sysmon service is running (sc query sysmon)
2. Check Event Viewer for Sysmon logs (Applications and Services Logs → Microsoft → Windows → Sysmon)
3. Verify config.xml path and contents
4. Restart Sysmon service after config changes
5. If issues persist, reinstall Sysmon with a fresh config

Frequently Asked Questions

Is sysmon64.exe a virus?

No, the legitimate sysmon64.exe from Microsoft Sysinternals is not a virus. Confirm the file is located at C:\Sysmon\Sysmon64.exe and signed by Microsoft to reduce risk.

Why is sysmon64.exe running on my PC?

Sysmon starts after installation to monitor and log system activity for security and forensics. It runs as a background service and writes to the Windows Event Log.

Can I delete or disable Sysmon?

Yes, you can stop and uninstall Sysmon, but this removes detailed system monitoring. Use elevated commands to stop the service and run the uninstall command.

Where are Sysmon logs stored?

Sysmon writes events to the Windows Event Log, typically under Applications and Services Logs → Microsoft → Windows → Sysmon. You can view them with Event Viewer.

How do I uninstall Sysmon?

Open an elevated prompt, navigate to the Sysmon folder, and run: <code>Sysmon64.exe -u</code>. Then remove the installation directory if desired.

Can I configure Sysmon to log fewer events?

Yes. Supply a custom config.xml to define which events to log and which to suppress. Reinstall or update the service to apply the new configuration.

Related Processes

procmon.exe

Sysinternals Process Monitor (PROCmon) for real-time file system, registry, and process monitoring

autoruns.exe

Sysinternals Autoruns - detailed startup program viewer

tcpview.exe

Sysinternals TCPView - real-time network connection viewer