Sysmon Shell – Release 1.1

I have just uploaded a new version of Sysmon Shell (v1.1)


Here is the list of updates

  • I added new configuration options to include or exclude an entire event log, for example (Surprisingly missing in version 1.0):
    <PipeEvent onmatch=”include”/> or <PipeEvent onmatch=”exclude”/>
  • If you are using Sysmon for malware analysis, you might find the last tap marked “Logs Export” useful, as it allows exporting Sysmon logs to XML file, for example, I use the exported XML log files by loading them in Sysmon View for later analysis, the export feature has 3 options:
    • Export only
    • Export and clear Sysmon event log (to mark new analysis starting point)
    • Export, backup evtx file and clear the event log


  • In case you are applying Sysmon configuration using Sysmon Shell and not through the command line using Sysmon, you must be aware that I am no longer validating the image of Sysmon against it’s hash as I used to do in version 1.0, however, I am reporting the hash of Sysmon image being used to run the configuration command in the preview pane


The new version can be found on my Github

Please contact me to report any bugs or suggestions