How to Enable Sysmon Tool on Windows 11

Sysmon (System Monitor) is a powerful system monitoring utility that records detailed system activity and stores it in the Windows Event Log. It helps administrators and security professionals track processes, network connections, file changes, and other events that may indicate suspicious activity. On Windows 11, Sysmon can now be enabled as a built-in optional feature, but it is disabled by default and must be manually activated. This guide explains how to enable Sysmon tool step by step.

Method 1: Enable Sysmon Using Settings

You can enable Sysmon as an optional Windows feature through the Settings app.

1. Open Settings by pressing Win + I on your keyboard.

2. Navigate to System > Optional features.

3. Under the Related settings section, click on More Windows features. This opens the classic Windows Features dialog.

4. In the list, scroll down and find Sysmon. Check the box next to it.

5. Click OK. Windows will search for the necessary files and apply the changes. Restart your computer.

6. After enabling the feature via Settings, you need to finish the installation. For this, open a terminal as administrator and run:

sysmon -i

Method 2: Enable Sysmon Using Command Prompt

This method uses the Deployment Image Servicing and Management (DISM) tool from an elevated Command Prompt.

1. Press the Windows Key, type cmd, right-click on Command Prompt, and select Run as administrator. Click Yes in the User Account Control prompt.

2. To enable the Sysmon optional feature, type the following command and press Enter:

Dism /Online /Enable-Feature /FeatureName:Sysmon

You should see a message indicating that the operation completed successfully.

3. Once the feature is enabled, you need install the Sysmon service. Run the following command:

sysmon -i

Method 3: Enable Sysmon Using PowerShell

PowerShell provides another quick way to enable Sysmon.

1. Press the Windows Key, type PowerShell, right-click on Windows PowerShell, and select Run as administrator. Click Yes.

2. Run the following command to enable the Sysmon feature:

Enable-WindowsOptionalFeature -Online -FeatureName Sysmon

3. After enabling the feature, install the service by running:

sysmon -i

How to Verify Sysmon Is Working

After enabling and configuring Sysmon, you can verify that it is working properly by following these steps.

1. Press Windows + R, type eventvwr.msc and press Enter to open Event viewer.

2. Navigate to:

Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

If events appear in this log, Sysmon is successfully enabled.

Conclusion

Enabling Sysmon on Windows 11 provides detailed visibility into system activities such as processes, network connections, and file operations. Once enabled, Sysmon logs can be viewed in Windows Event Viewer, making it a valuable tool for system monitoring, troubleshooting, and security analysis.